lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250923153228.GA1570@sol>
Date: Tue, 23 Sep 2025 08:32:28 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: "Jason A. Donenfeld" <Jason@...c4.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	Harald Freudenberger <freude@...ux.ibm.com>,
	Holger Dengler <dengler@...ux.ibm.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Stephan Mueller <smueller@...onox.de>, Simo Sorce <simo@...hat.com>,
	linux-crypto@...r.kernel.org, linux-s390@...r.kernel.org,
	keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384,
 SHA-512, SHAKE128, SHAKE256

On Tue, Sep 23, 2025 at 03:22:35PM +0100, David Howells wrote:
> Eric Biggers <ebiggers@...nel.org> wrote:
> 
> > Also, the parameter should be strongly typed: 'struct sha3_state *'
> > Likewise in all the other functions that take the raw u64 array.
> 
> Those function may be directly substituted by calls to assembly code - so
> u64[] is probably more appropriate.

We've been using strongly-typed state even for assembly functions.  See
the SHA-1, SHA-2, and ChaCha code.

> > > +	for (round = 0; round < KECCAK_ROUNDS; round++) {
> > > +		keccakf_round(st);
> > > +		/* Iota */
> > > +		st[0] ^= keccakf_rndc[round];
> > > +	}
> > 
> > In the spec, "Iota" is part of the round.  Having it be separate from
> > keccakf_round() in the code is confusing.
> 
> I assume that pertains to the comment about inlining in some way.  This is as
> is in sha3_generic.c.  I can move it into the round function if you like, but
> can you tell me what the effect will be?

The effect will be that the code will align more closely with how the
algorithm is described in the SHA-3 spec and other publications.

> > Second, the support for update() + squeeze() + update() + squeeze()
> > seems to be trying to achieve something that is not defined in the SHA-3
> > spec.  Could you elaborate on what it is meant to be doing, and why it's
> > here?  According to the spec, the XOFs SHAKE128 and SHAKE256 actually
> > just take a single message as their input.
> 
> Turns out I was misunderstanding what I was looking at whilst trying to adapt
> Leancrypto's dilithium code.  Whilst it does squeeze a context several times,
> it doesn't update it after finalising it without reinitialising it.

Yes, that's what I thought.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ