Merge branch 'ascon-update' into 'main'

Ascon update

See merge request root/bc-java!42

Author: dghgit

core/src/main/java/org/bouncycastle/crypto/digests/AsconBaseDigest.java

@@ -0,0 +1,172 @@
+package org.bouncycastle.crypto.digests;
+
+import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.ExtendedDigest;
+import org.bouncycastle.crypto.OutputLengthException;
+import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.Longs;
+
+abstract class AsconBaseDigest
+    implements ExtendedDigest
+{
+    protected long x0;
+    protected long x1;
+    protected long x2;
+    protected long x3;
+    protected long x4;
+    protected final int CRYPTO_BYTES = 32;
+    protected final int ASCON_HASH_RATE = 8;
+    protected int ASCON_PB_ROUNDS = 12;
+    protected final byte[] m_buf = new byte[ASCON_HASH_RATE];
+    protected int m_bufPos = 0;
+
+
+    private void round(long C)
+    {
+        long t0 = x0 ^ x1 ^ x2 ^ x3 ^ C ^ (x1 & (x0 ^ x2 ^ x4 ^ C));
+        long t1 = x0 ^ x2 ^ x3 ^ x4 ^ C ^ ((x1 ^ x2 ^ C) & (x1 ^ x3));
+        long t2 = x1 ^ x2 ^ x4 ^ C ^ (x3 & x4);
+        long t3 = x0 ^ x1 ^ x2 ^ C ^ ((~x0) & (x3 ^ x4));
+        long t4 = x1 ^ x3 ^ x4 ^ ((x0 ^ x4) & x1);
+        x0 = t0 ^ Longs.rotateRight(t0, 19) ^ Longs.rotateRight(t0, 28);
+        x1 = t1 ^ Longs.rotateRight(t1, 39) ^ Longs.rotateRight(t1, 61);
+        x2 = ~(t2 ^ Longs.rotateRight(t2, 1) ^ Longs.rotateRight(t2, 6));
+        x3 = t3 ^ Longs.rotateRight(t3, 10) ^ Longs.rotateRight(t3, 17);
+        x4 = t4 ^ Longs.rotateRight(t4, 7) ^ Longs.rotateRight(t4, 41);
+    }
+
+    protected void p(int nr)
+    {
+        if (nr == 12)
+        {
+            round(0xf0L);
+            round(0xe1L);
+            round(0xd2L);
+            round(0xc3L);
+        }
+        if (nr >= 8)
+        {
+            round(0xb4L);
+            round(0xa5L);
+        }
+        round(0x96L);
+        round(0x87L);
+        round(0x78L);
+        round(0x69L);
+        round(0x5aL);
+        round(0x4bL);
+    }
+
+    protected abstract long pad(int i);
+
+    protected abstract long loadBytes(final byte[] bytes, int inOff);
+
+    protected abstract long loadBytes(final byte[] bytes, int inOff, int n);
+
+    protected abstract void setBytes(long w, byte[] bytes, int inOff);
+
+    protected abstract void setBytes(long w, byte[] bytes, int inOff, int n);
+
+    @Override
+    public int getDigestSize()
+    {
+        return CRYPTO_BYTES;
+    }
+
+    @Override
+    public int getByteLength()
+    {
+        return ASCON_HASH_RATE;
+    }
+
+    @Override
+    public void update(byte in)
+    {
+        m_buf[m_bufPos] = in;
+        if (++m_bufPos == ASCON_HASH_RATE)
+        {
+            x0 ^= loadBytes(m_buf, 0);
+            p(ASCON_PB_ROUNDS);
+            m_bufPos = 0;
+        }
+    }
+
+    @Override
+    public void update(byte[] input, int inOff, int len)
+    {
+        if ((inOff + len) > input.length)
+        {
+            throw new DataLengthException("input buffer too short");
+        }
+        int available = 8 - m_bufPos;
+        if (len < available)
+        {
+            System.arraycopy(input, inOff, m_buf, m_bufPos, len);
+            m_bufPos += len;
+            return;
+        }
+        int inPos = 0;
+        if (m_bufPos > 0)
+        {
+            System.arraycopy(input, inOff, m_buf, m_bufPos, available);
+            inPos += available;
+            x0 ^= loadBytes(m_buf, 0);
+            p(ASCON_PB_ROUNDS);
+        }
+        int remaining;
+        while ((remaining = len - inPos) >= 8)
+        {
+            x0 ^= loadBytes(input, inOff + inPos);
+            p(ASCON_PB_ROUNDS);
+            inPos += 8;
+        }
+        System.arraycopy(input, inOff + inPos, m_buf, 0, remaining);
+        m_bufPos = remaining;
+    }
+
+    @Override
+    public int doFinal(byte[] output, int outOff)
+    {
+        return hash(output, outOff, CRYPTO_BYTES);
+    }
+
+    protected void padAndAbsorb()
+    {
+        x0 ^= loadBytes(m_buf, 0, m_bufPos);
+        x0 ^= pad(m_bufPos);
+        p(12);
+    }
+
+    protected void squeeze(byte[] output, int outOff, int len)
+    {
+        /* squeeze full output blocks */
+        while (len > ASCON_HASH_RATE)
+        {
+            setBytes(x0, output, outOff);
+            p(ASCON_PB_ROUNDS);
+            outOff += ASCON_HASH_RATE;
+            len -= ASCON_HASH_RATE;
+        }
+        /* squeeze final output block */
+        setBytes(x0, output, outOff, len);
+        reset();
+    }
+
+    protected int hash(byte[] output, int outOff, int outLen)
+    {
+        if (CRYPTO_BYTES + outOff > output.length)
+        {
+            throw new OutputLengthException("output buffer is too short");
+        }
+        padAndAbsorb();
+        /* squeeze full output blocks */
+        squeeze(output, outOff, outLen);
+        return outLen;
+    }
+
+    public void reset()
+    {
+        Arrays.clear(m_buf);
+        m_bufPos = 0;
+    }
+}

core/src/main/java/org/bouncycastle/crypto/digests/AsconCXof128.java

@@ -0,0 +1,162 @@
+package org.bouncycastle.crypto.digests;
+
+import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.OutputLengthException;
+import org.bouncycastle.crypto.Xof;
+import org.bouncycastle.util.Pack;
+
+/**
+ * Ascon-CXOF128 was introduced in NIST Special Publication (SP) 800-232
+ * (Initial Public Draft).
+ * <p>
+ * Additional details and the specification can be found in:
+ * <a href="https://csrc.nist.gov/pubs/sp/800/232/ipd">NIST SP 800-232 (Initial Public Draft)</a>.
+ * For reference source code and implementation details, please see:
+ * <a href="https://github.com/ascon/ascon-c">Reference, highly optimized, masked C and
+ * ASM implementations of Ascon (NIST SP 800-232)</a>.
+ * </p>
+ */
+public class AsconCXof128
+    extends AsconBaseDigest
+    implements Xof
+{
+    private boolean m_squeezing = false;
+    private final long z0, z1, z2, z3, z4;
+
+    public AsconCXof128()
+    {
+        this(new byte[0], 0, 0);
+    }
+
+    public AsconCXof128(byte[] s)
+    {
+        this(s, 0, s.length);
+    }
+
+    public AsconCXof128(byte[] s, int off, int len)
+    {
+        if ((off + len) > s.length)
+        {
+            throw new DataLengthException("input buffer too short");
+        }
+        if (len > 256)
+        {
+            throw new DataLengthException("customized string is too long");
+        }
+        initState(s, off, len);
+        // NOTE: Cache the initialized state
+        z0 = x0;
+        z1 = x1;
+        z2 = x2;
+        z3 = x3;
+        z4 = x4;
+    }
+
+    @Override
+    public void update(byte in)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(in);
+    }
+
+    @Override
+    public void update(byte[] input, int inOff, int len)
+    {
+        if (m_squeezing)
+        {
+            throw new IllegalArgumentException("attempt to absorb while squeezing");
+        }
+        super.update(input, inOff, len);
+    }
+
+    protected long pad(int i)
+    {
+        return 0x01L << (i << 3);
+    }
+
+    protected long loadBytes(final byte[] bytes, int inOff)
+    {
+        return Pack.littleEndianToLong(bytes, inOff);
+    }
+
+    protected long loadBytes(final byte[] bytes, int inOff, int n)
+    {
+        return Pack.littleEndianToLong(bytes, inOff, n);
+    }
+
+    protected void setBytes(long w, byte[] bytes, int inOff)
+    {
+        Pack.longToLittleEndian(w, bytes, inOff);
+    }
+
+    protected void setBytes(long w, byte[] bytes, int inOff, int n)
+    {
+        Pack.longToLittleEndian(w, bytes, inOff, n);
+    }
+
+    protected void padAndAbsorb()
+    {
+        m_squeezing = true;
+        super.padAndAbsorb();
+    }
+
+    @Override
+    public String getAlgorithmName()
+    {
+        return "Ascon-CXOF128";
+    }
+
+    @Override
+    public int doOutput(byte[] output, int outOff, int outLen)
+    {
+        if (CRYPTO_BYTES + outOff > output.length)
+        {
+            throw new OutputLengthException("output buffer is too short");
+        }
+        padAndAbsorb();
+        /* squeeze full output blocks */
+        squeeze(output, outOff, outLen);
+        return outLen;
+    }
+
+
+    @Override
+    public int doFinal(byte[] output, int outOff, int outLen)
+    {
+        int rlt = doOutput(output, outOff, outLen);
+        reset();
+        return rlt;
+    }
+
+    @Override
+    public void reset()
+    {
+        super.reset();
+        m_squeezing = false;
+        /* initialize */
+        x0 = z0;
+        x1 = z1;
+        x2 = z2;
+        x3 = z3;
+        x4 = z4;
+    }
+
+    private void initState(byte[] z, int zOff, int zLen)
+    {
+        x0 = 7445901275803737603L;
+        x1 = 4886737088792722364L;
+        x2 = -1616759365661982283L;
+        x3 = 3076320316797452470L;
+        x4 = -8124743304765850554L;
+        long bitLength = ((long)zLen) << 3;
+        Pack.longToLittleEndian(bitLength, m_buf, 0);
+        p(12);
+        update(z, zOff, zLen);
+        padAndAbsorb();
+        m_squeezing = false;
+    }
+}
+