Merge branch '1958-aead-parameters' into 'main'

Refactor Lightweight cryptography schemes

See merge request root/bc-java!66

Author: dghgit

core/src/main/java/org/bouncycastle/crypto/digests/AsconBaseDigest.java

@@ -1,62 +1,31 @@
 package org.bouncycastle.crypto.digests;
 
-import org.bouncycastle.crypto.DataLengthException;
-import org.bouncycastle.crypto.ExtendedDigest;
 import org.bouncycastle.crypto.OutputLengthException;
-import org.bouncycastle.util.Arrays;
-import org.bouncycastle.util.Longs;
+import org.bouncycastle.crypto.engines.AsconPermutationFriend;
 
 abstract class AsconBaseDigest
-    implements ExtendedDigest
+    extends BufferBaseDigest
 {
-    protected long x0;
-    protected long x1;
-    protected long x2;
-    protected long x3;
-    protected long x4;
-    protected final int CRYPTO_BYTES = 32;
-    protected final int ASCON_HASH_RATE = 8;
-    protected int ASCON_PB_ROUNDS = 12;
-    protected final byte[] m_buf = new byte[ASCON_HASH_RATE];
-    protected int m_bufPos = 0;
-
-
-    private void round(long C)
+    public static class Friend
     {
-        long t0 = x0 ^ x1 ^ x2 ^ x3 ^ C ^ (x1 & (x0 ^ x2 ^ x4 ^ C));
-        long t1 = x0 ^ x2 ^ x3 ^ x4 ^ C ^ ((x1 ^ x2 ^ C) & (x1 ^ x3));
-        long t2 = x1 ^ x2 ^ x4 ^ C ^ (x3 & x4);
-        long t3 = x0 ^ x1 ^ x2 ^ C ^ ((~x0) & (x3 ^ x4));
-        long t4 = x1 ^ x3 ^ x4 ^ ((x0 ^ x4) & x1);
-        x0 = t0 ^ Longs.rotateRight(t0, 19) ^ Longs.rotateRight(t0, 28);
-        x1 = t1 ^ Longs.rotateRight(t1, 39) ^ Longs.rotateRight(t1, 61);
-        x2 = ~(t2 ^ Longs.rotateRight(t2, 1) ^ Longs.rotateRight(t2, 6));
-        x3 = t3 ^ Longs.rotateRight(t3, 10) ^ Longs.rotateRight(t3, 17);
-        x4 = t4 ^ Longs.rotateRight(t4, 7) ^ Longs.rotateRight(t4, 41);
-    }
+        private static final Friend INSTANCE = new Friend();
 
-    protected void p(int nr)
-    {
-        if (nr == 12)
-        {
-            round(0xf0L);
-            round(0xe1L);
-            round(0xd2L);
-            round(0xc3L);
-        }
-        if (nr >= 8)
+        private Friend()
         {
-            round(0xb4L);
-            round(0xa5L);
         }
-        round(0x96L);
-        round(0x87L);
-        round(0x78L);
-        round(0x69L);
-        round(0x5aL);
-        round(0x4bL);
     }
 
+    AsconPermutationFriend.AsconPermutation p;
+    protected int ASCON_PB_ROUNDS = 12;
+
+    protected AsconBaseDigest()
+    {
+        super(ProcessingBufferType.Immediate, 8);
+        p = AsconPermutationFriend.getAsconPermutation(ISAPDigest.Friend.getFriend(Friend.INSTANCE));
+        DigestSize = 32;
+    }
+
+
     protected abstract long pad(int i);
 
     protected abstract long loadBytes(final byte[] bytes, int inOff);
@@ -67,106 +36,62 @@ protected void p(int nr)
 
     protected abstract void setBytes(long w, byte[] bytes, int inOff, int n);
 
-    @Override
-    public int getDigestSize()
-    {
-        return CRYPTO_BYTES;
-    }
-
-    @Override
-    public int getByteLength()
+    protected void processBytes(byte[] input, int inOff)
     {
-        return ASCON_HASH_RATE;
+        p.x0 ^= loadBytes(input, inOff);
+        p.p(ASCON_PB_ROUNDS);
     }
 
-    @Override
-    public void update(byte in)
+    protected void finish(byte[] output, int outOff)
     {
-        m_buf[m_bufPos] = in;
-        if (++m_bufPos == ASCON_HASH_RATE)
-        {
-            x0 ^= loadBytes(m_buf, 0);
-            p(ASCON_PB_ROUNDS);
-            m_bufPos = 0;
-        }
-    }
-
-    @Override
-    public void update(byte[] input, int inOff, int len)
-    {
-        if ((inOff + len) > input.length)
-        {
-            throw new DataLengthException("input buffer too short");
-        }
-        int available = 8 - m_bufPos;
-        if (len < available)
-        {
-            System.arraycopy(input, inOff, m_buf, m_bufPos, len);
-            m_bufPos += len;
-            return;
-        }
-        int inPos = 0;
-        if (m_bufPos > 0)
-        {
-            System.arraycopy(input, inOff, m_buf, m_bufPos, available);
-            inPos += available;
-            x0 ^= loadBytes(m_buf, 0);
-            p(ASCON_PB_ROUNDS);
-        }
-        int remaining;
-        while ((remaining = len - inPos) >= 8)
-        {
-            x0 ^= loadBytes(input, inOff + inPos);
-            p(ASCON_PB_ROUNDS);
-            inPos += 8;
-        }
-        System.arraycopy(input, inOff + inPos, m_buf, 0, remaining);
-        m_bufPos = remaining;
-    }
-
-    @Override
-    public int doFinal(byte[] output, int outOff)
-    {
-        return hash(output, outOff, CRYPTO_BYTES);
+        padAndAbsorb();
+        /* squeeze full output blocks */
+        squeeze(output, outOff, DigestSize);
     }
 
     protected void padAndAbsorb()
     {
-        x0 ^= loadBytes(m_buf, 0, m_bufPos);
-        x0 ^= pad(m_bufPos);
-        p(12);
+        p.x0 ^= loadBytes(m_buf, 0, m_bufPos) ^ pad(m_bufPos);
+        p.p(12);
     }
 
     protected void squeeze(byte[] output, int outOff, int len)
     {
         /* squeeze full output blocks */
-        while (len > ASCON_HASH_RATE)
+        while (len > BlockSize)
         {
-            setBytes(x0, output, outOff);
-            p(ASCON_PB_ROUNDS);
-            outOff += ASCON_HASH_RATE;
-            len -= ASCON_HASH_RATE;
+            setBytes(p.x0, output, outOff);
+            p.p(ASCON_PB_ROUNDS);
+            outOff += BlockSize;
+            len -= BlockSize;
         }
         /* squeeze final output block */
-        setBytes(x0, output, outOff, len);
+        setBytes(p.x0, output, outOff, len);
         reset();
     }
 
     protected int hash(byte[] output, int outOff, int outLen)
     {
-        if (CRYPTO_BYTES + outOff > output.length)
-        {
-            throw new OutputLengthException("output buffer is too short");
-        }
+        ensureSufficientOutputBuffer(output, outOff, outLen);
         padAndAbsorb();
         /* squeeze full output blocks */
         squeeze(output, outOff, outLen);
         return outLen;
     }
 
-    public void reset()
+    protected void ensureSufficientOutputBuffer(byte[] output, int outOff, int len)
     {
-        Arrays.clear(m_buf);
-        m_bufPos = 0;
+        if (outOff + len > output.length)
+        {
+            throw new OutputLengthException("output buffer is too short");
+        }
+    }
+
+    protected void ensureNoAbsorbWhileSqueezing(boolean m_squeezing)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
     }
 }

core/src/main/java/org/bouncycastle/crypto/digests/AsconCXof128.java

@@ -35,40 +35,32 @@ public AsconCXof128(byte[] s)
 
     public AsconCXof128(byte[] s, int off, int len)
     {
-        if ((off + len) > s.length)
-        {
-            throw new DataLengthException("input buffer too short");
-        }
+        algorithmName = "Ascon-CXOF128";
+        ensureSufficientInputBuffer(s, off, len);
         if (len > 256)
         {
             throw new DataLengthException("customized string is too long");
         }
         initState(s, off, len);
         // NOTE: Cache the initialized state
-        z0 = x0;
-        z1 = x1;
-        z2 = x2;
-        z3 = x3;
-        z4 = x4;
+        z0 = p.x0;
+        z1 = p.x1;
+        z2 = p.x2;
+        z3 = p.x3;
+        z4 = p.x4;
     }
 
     @Override
     public void update(byte in)
     {
-        if (m_squeezing)
-        {
-            throw new IllegalArgumentException("attempt to absorb while squeezing");
-        }
+        ensureNoAbsorbWhileSqueezing(m_squeezing);
         super.update(in);
     }
 
     @Override
     public void update(byte[] input, int inOff, int len)
     {
-        if (m_squeezing)
-        {
-            throw new IllegalArgumentException("attempt to absorb while squeezing");
-        }
+        ensureNoAbsorbWhileSqueezing(m_squeezing);
         super.update(input, inOff, len);
     }
 
@@ -103,26 +95,16 @@ protected void padAndAbsorb()
         super.padAndAbsorb();
     }
 
-    @Override
-    public String getAlgorithmName()
-    {
-        return "Ascon-CXOF128";
-    }
-
     @Override
     public int doOutput(byte[] output, int outOff, int outLen)
     {
-        if (CRYPTO_BYTES + outOff > output.length)
-        {
-            throw new OutputLengthException("output buffer is too short");
-        }
+        ensureSufficientOutputBuffer(output, outOff, outLen);
         padAndAbsorb();
         /* squeeze full output blocks */
         squeeze(output, outOff, outLen);
         return outLen;
     }
 
-
     @Override
     public int doFinal(byte[] output, int outOff, int outLen)
     {
@@ -137,23 +119,15 @@ public void reset()
         super.reset();
         m_squeezing = false;
         /* initialize */
-        x0 = z0;
-        x1 = z1;
-        x2 = z2;
-        x3 = z3;
-        x4 = z4;
+        p.set(z0, z1, z2, z3, z4);
     }
 
     private void initState(byte[] z, int zOff, int zLen)
     {
-        x0 = 7445901275803737603L;
-        x1 = 4886737088792722364L;
-        x2 = -1616759365661982283L;
-        x3 = 3076320316797452470L;
-        x4 = -8124743304765850554L;
+        p.set(7445901275803737603L, 4886737088792722364L, -1616759365661982283L, 3076320316797452470L, -8124743304765850554L);
         long bitLength = ((long)zLen) << 3;
         Pack.longToLittleEndian(bitLength, m_buf, 0);
-        p(12);
+        p.p(12);
         update(z, zOff, zLen);
         padAndAbsorb();
         m_squeezing = false;

core/src/main/java/org/bouncycastle/crypto/digests/AsconDigest.java

@@ -41,8 +41,6 @@ public AsconDigest(AsconParameters parameters)
         reset();
     }
 
-    private final String algorithmName;
-
     protected long pad(int i)
     {
         return 0x80L << (56 - (i << 3));
@@ -68,12 +66,6 @@ protected void setBytes(long w, byte[] bytes, int inOff, int n)
         Pack.longToBigEndian(w, bytes, inOff, n);
     }
 
-    @Override
-    public String getAlgorithmName()
-    {
-        return algorithmName;
-    }
-
     @Override
     public void reset()
     {
@@ -82,18 +74,10 @@ public void reset()
         switch (asconParameters)
         {
         case AsconHashA:
-            x0 = 92044056785660070L;
-            x1 = 8326807761760157607L;
-            x2 = 3371194088139667532L;
-            x3 = -2956994353054992515L;
-            x4 = -6828509670848688761L;
+            p.set(92044056785660070L, 8326807761760157607L, 3371194088139667532L, -2956994353054992515L, -6828509670848688761L);
             break;
         case AsconHash:
-            x0 = -1255492011513352131L;
-            x1 = -8380609354527731710L;
-            x2 = -5437372128236807582L;
-            x3 = 4834782570098516968L;
-            x4 = 3787428097924915520L;
+            p.set(-1255492011513352131L, -8380609354527731710L, -5437372128236807582L, 4834782570098516968L, 3787428097924915520L);
             break;
         }
     }