package org.bouncycastle.crypto.digests;
import org.bouncycastle.crypto.ExtendedDigest;
import org.bouncycastle.util.Arrays;
/**
* implementation of SHA-3 based on following KeccakNISTInterface.c from http://keccak.noekeon.org/
* <p/>
* Following the naming conventions used in the C source code to enable easy review of the implementation.
*/
public class SHA3Digest
implements ExtendedDigest
{
private static long[] KeccakRoundConstants = keccakInitializeRoundConstants();
private static int[] KeccakRhoOffsets = keccakInitializeRhoOffsets();
private static long[] keccakInitializeRoundConstants()
{
long[] keccakRoundConstants = new long[24];
byte[] LFSRstate = new byte[1];
LFSRstate[0] = 0x01;
int i, j, bitPosition;
for (i = 0; i < 24; i++)
{
keccakRoundConstants[i] = 0;
for (j = 0; j < 7; j++)
{
bitPosition = (1 << j) - 1;
if (LFSR86540(LFSRstate))
{
keccakRoundConstants[i] ^= 1L << bitPosition;
}
}
}
return keccakRoundConstants;
}
private static boolean LFSR86540(byte[] LFSR)
{
boolean result = (((LFSR[0]) & 0x01) != 0);
if (((LFSR[0]) & 0x80) != 0)
{
LFSR[0] = (byte)(((LFSR[0]) << 1) ^ 0x71);
}
else
{
LFSR[0] <<= 1;
}
return result;
}
private static int[] keccakInitializeRhoOffsets()
{
int[] keccakRhoOffsets = new int[25];
int x, y, t, newX, newY;
keccakRhoOffsets[(((0) % 5) + 5 * ((0) % 5))] = 0;
x = 1;
y = 0;
for (t = 0; t < 24; t++)
{
keccakRhoOffsets[(((x) % 5) + 5 * ((y) % 5))] = ((t + 1) * (t + 2) / 2) % 64;
newX = (0 * x + 1 * y) % 5;
newY = (2 * x + 3 * y) % 5;
x = newX;
y = newY;
}
return keccakRhoOffsets;
}
private byte[] state = new byte[(1600 / 8)];
private byte[] dataQueue = new byte[(1536 / 8)];
private int rate;
private int bitsInQueue;
private int fixedOutputLength;
private boolean squeezing;
private int bitsAvailableForSqueezing;
private byte[] chunk;
private byte[] oneByte;
private void clearDataQueueSection(int off, int len)
{
for (int i = off; i != off + len; i++)
{
dataQueue[i] = 0;
}
}
public SHA3Digest()
{
init(0);
}
public SHA3Digest(int bitLength)
{
init(bitLength);
}
public SHA3Digest(SHA3Digest source) {
System.arraycopy(source.state, 0, this.state, 0, source.state.length);
System.arraycopy(source.dataQueue, 0, this.dataQueue, 0, source.dataQueue.length);
this.rate = source.rate;
this.bitsInQueue = source.bitsInQueue;
this.fixedOutputLength = source.fixedOutputLength;
this.squeezing = source.squeezing;
this.bitsAvailableForSqueezing = source.bitsAvailableForSqueezing;
this.chunk = Arrays.clone(source.chunk);
this.oneByte = Arrays.clone(source.oneByte);
}
public String getAlgorithmName()
{
return "SHA3-" + fixedOutputLength;
}
public int getDigestSize()
{
return fixedOutputLength / 8;
}
public void update(byte in)
{
oneByte[0] = in;
doUpdate(oneByte, 0, 8L);
}
public void update(byte[] in, int inOff, int len)
{
doUpdate(in, inOff, len * 8L);
}
public int doFinal(byte[] out, int outOff)
{
squeeze(out, outOff, fixedOutputLength);
reset();
return getDigestSize();
}
public void reset()
{
init(fixedOutputLength);
}
/**
* Return the size of block that the compression function is applied to in bytes.
*
* @return internal byte length of a block.
*/
public int getByteLength()
{
return rate / 8;
}
private void init(int bitLength)
{
switch (bitLength)
{
case 0:
case 288:
initSponge(1024, 576);
break;
case 224:
initSponge(1152, 448);
break;
case 256:
initSponge(1088, 512);
break;
case 384:
initSponge(832, 768);
break;
case 512:
initSponge(576, 1024);
break;
default:
throw new IllegalArgumentException("bitLength must be one of 224, 256, 384, or 512.");
}
}
private void doUpdate(byte[] data, int off, long databitlen)
{
if ((databitlen % 8) == 0)
{
absorb(data, off, databitlen);
}
else
{
absorb(data, off, databitlen - (databitlen % 8));
byte[] lastByte = new byte[1];
lastByte[0] = (byte)(data[off + (int)(databitlen / 8)] >> (8 - (databitlen % 8)));
absorb(lastByte, off, databitlen % 8);
}
}
private void initSponge(int rate, int capacity)
{
if (rate + capacity != 1600)
{
throw new IllegalStateException("rate + capacity != 1600");
}
if ((rate <= 0) || (rate >= 1600) || ((rate % 64) != 0))
{
throw new IllegalStateException("invalid rate value");
}
this.rate = rate;
// this is never read, need to check to see why we want to save it
// this.capacity = capacity;
this.fixedOutputLength = 0;
Arrays.fill(this.state, (byte)0);
Arrays.fill(this.dataQueue, (byte)0);
this.bitsInQueue = 0;
this.squeezing = false;
this.bitsAvailableForSqueezing = 0;
this.fixedOutputLength = capacity / 2;
this.chunk = new byte[rate / 8];
this.oneByte = new byte[1];
}
private void absorbQueue()
{
KeccakAbsorb(state, dataQueue, rate / 8);
bitsInQueue = 0;
}
private void absorb(byte[] data, int off, long databitlen)
{
long i, j, wholeBlocks;
if ((bitsInQueue % 8) != 0)
{
throw new IllegalStateException("attempt to absorb with odd length queue.");
}
if (squeezing)
{
throw new IllegalStateException("attempt to absorb while squeezing.");
}
i = 0;
while (i < databitlen)
{
if ((bitsInQueue == 0) && (databitlen >= rate) && (i <= (databitlen - rate)))
{
wholeBlocks = (databitlen - i) / rate;
for (j = 0; j < wholeBlocks; j++)
{
System.arraycopy(data, (int)(off + (i / 8) + (j * chunk.length)), chunk, 0, chunk.length);
// displayIntermediateValues.displayBytes(1, "Block to be absorbed", curData, rate / 8);
KeccakAbsorb(state, chunk, chunk.length);
}
i += wholeBlocks * rate;
}
else
{
int partialBlock = (int)(databitlen - i);
if (partialBlock + bitsInQueue > rate)
{
partialBlock = rate - bitsInQueue;
}
int partialByte = partialBlock % 8;
partialBlock -= partialByte;
System.arraycopy(data, off + (int)(i / 8), dataQueue, bitsInQueue / 8, partialBlock / 8);
bitsInQueue += partialBlock;
i += partialBlock;
if (bitsInQueue == rate)
{
absorbQueue();
}
if (partialByte > 0)
{
int mask = (1 << partialByte) - 1;
dataQueue[bitsInQueue / 8] = (byte)(data[off + ((int)(i / 8))] & mask);
bitsInQueue += partialByte;
i += partialByte;
}
}
}
}
private void padAndSwitchToSqueezingPhase()
{
if (bitsInQueue + 1 == rate)
{
dataQueue[bitsInQueue / 8] |= 1 << (bitsInQueue % 8);
absorbQueue();
clearDataQueueSection(0, rate / 8);
}
else
{
clearDataQueueSection((bitsInQueue + 7) / 8, rate / 8 - (bitsInQueue + 7) / 8);
dataQueue[bitsInQueue / 8] |= 1 << (bitsInQueue % 8);
}
dataQueue[(rate - 1) / 8] |= 1 << ((rate - 1) % 8);
absorbQueue();
// displayIntermediateValues.displayText(1, "--- Switching to squeezing phase ---");
if (rate == 1024)
{
KeccakExtract1024bits(state, dataQueue);
bitsAvailableForSqueezing = 1024;
}
else
{
KeccakExtract(state, dataQueue, rate / 64);
bitsAvailableForSqueezing = rate;
}
// displayIntermediateValues.displayBytes(1, "Block available for squeezing", dataQueue, bitsAvailableForSqueezing / 8);
squeezing = true;
}
private void squeeze(byte[] output, int offset, long outputLength)
{
long i;
int partialBlock;
if (!squeezing)
{
padAndSwitchToSqueezingPhase();
}
if ((outputLength % 8) != 0)
{
throw new IllegalStateException("outputLength not a multiple of 8");
}
i = 0;
while (i < outputLength)
{
if (bitsAvailableForSqueezing == 0)
{
keccakPermutation(state);
if (rate == 1024)
{
KeccakExtract1024bits(state, dataQueue);
bitsAvailableForSqueezing = 1024;
}
else
{
KeccakExtract(state, dataQueue, rate / 64);
bitsAvailableForSqueezing = rate;
}
// displayIntermediateValues.displayBytes(1, "Block available for squeezing", dataQueue, bitsAvailableForSqueezing / 8);
}
partialBlock = bitsAvailableForSqueezing;
if ((long)partialBlock > outputLength - i)
{
partialBlock = (int)(outputLength - i);
}
System.arraycopy(dataQueue, (rate - bitsAvailableForSqueezing) / 8, output, offset + (int)(i / 8), partialBlock / 8);
bitsAvailableForSqueezing -= partialBlock;
i += partialBlock;
}
}
private void fromBytesToWords(long[] stateAsWords, byte[] state)
{
for (int i = 0; i < (1600 / 64); i++)
{
stateAsWords[i] = 0;
int index = i * (64 / 8);
for (int j = 0; j < (64 / 8); j++)
{
stateAsWords[i] |= ((long)state[index + j] & 0xff) << ((8 * j));
}
}
}
private void fromWordsToBytes(byte[] state, long[] stateAsWords)
{
for (int i = 0; i < (1600 / 64); i++)
{
int index = i * (64 / 8);
for (int j = 0; j < (64 / 8); j++)
{
state[index + j] = (byte)((stateAsWords[i] >>> ((8 * j))) & 0xFF);
}
}
}
private void keccakPermutation(byte[] state)
{
long[] longState = new long[state.length / 8];
fromBytesToWords(longState, state);
// displayIntermediateValues.displayStateAsBytes(1, "Input of permutation", longState);
keccakPermutationOnWords(longState);
// displayIntermediateValues.displayStateAsBytes(1, "State after permutation", longState);
fromWordsToBytes(state, longState);
}
private void keccakPermutationAfterXor(byte[] state, byte[] data, int dataLengthInBytes)
{
int i;
for (i = 0; i < dataLengthInBytes; i++)
{
state[i] ^= data[i];
}
keccakPermutation(state);
}
private void keccakPermutationOnWords(long[] state)
{
int i;
// displayIntermediateValues.displayStateAs64bitWords(3, "Same, with lanes as 64-bit words", state);
for (i = 0; i < 24; i++)
{
// displayIntermediateValues.displayRoundNumber(3, i);
theta(state);
// displayIntermediateValues.displayStateAs64bitWords(3, "After theta", state);
rho(state);
// displayIntermediateValues.displayStateAs64bitWords(3, "After rho", state);
pi(state);
// displayIntermediateValues.displayStateAs64bitWords(3, "After pi", state);
chi(state);
// displayIntermediateValues.displayStateAs64bitWords(3, "After chi", state);
iota(state, i);
// displayIntermediateValues.displayStateAs64bitWords(3, "After iota", state);
}
}
long[] C = new long[5];
private void theta(long[] A)
{
for (int x = 0; x < 5; x++)
{
C[x] = 0;
for (int y = 0; y < 5; y++)
{
C[x] ^= A[x + 5 * y];
}
}
for (int x = 0; x < 5; x++)
{
long dX = ((((C[(x + 1) % 5]) << 1) ^ ((C[(x + 1) % 5]) >>> (64 - 1)))) ^ C[(x + 4) % 5];
for (int y = 0; y < 5; y++)
{
A[x + 5 * y] ^= dX;
}
}
}
private void rho(long[] A)
{
for (int x = 0; x < 5; x++)
{
for (int y = 0; y < 5; y++)
{
int index = x + 5 * y;
A[index] = ((KeccakRhoOffsets[index] != 0) ? (((A[index]) << KeccakRhoOffsets[index]) ^ ((A[index]) >>> (64 - KeccakRhoOffsets[index]))) : A[index]);
}
}
}
long[] tempA = new long[25];
private void pi(long[] A)
{
System.arraycopy(A, 0, tempA, 0, tempA.length);
for (int x = 0; x < 5; x++)
{
for (int y = 0; y < 5; y++)
{
A[y + 5 * ((2 * x + 3 * y) % 5)] = tempA[x + 5 * y];
}
}
}
long[] chiC = new long[5];
private void chi(long[] A)
{
for (int y = 0; y < 5; y++)
{
for (int x = 0; x < 5; x++)
{
chiC[x] = A[x + 5 * y] ^ ((~A[(((x + 1) % 5) + 5 * y)]) & A[(((x + 2) % 5) + 5 * y)]);
}
for (int x = 0; x < 5; x++)
{
A[x + 5 * y] = chiC[x];
}
}
}
private void iota(long[] A, int indexRound)
{
A[(((0) % 5) + 5 * ((0) % 5))] ^= KeccakRoundConstants[indexRound];
}
private void KeccakAbsorb(byte[] byteState, byte[] data, int dataInBytes)
{
keccakPermutationAfterXor(byteState, data, dataInBytes);
}
private void KeccakExtract1024bits(byte[] byteState, byte[] data)
{
System.arraycopy(byteState, 0, data, 0, 128);
}
private void KeccakExtract(byte[] byteState, byte[] data, int laneCount)
{
System.arraycopy(byteState, 0, data, 0, laneCount * 8);
}
}