* [9front] [PATCH] sha3 but fixed the code style
@ 2021-05-31 16:00 fulton
  2021-06-01 12:46 ` cinap_lenrek
  0 siblings, 1 reply; 14+ messages in thread
From: fulton @ 2021-05-31 16:00 UTC (permalink / raw)
  To: 9front

This adds SHA3 to 9front.  SHA3 is a bit slower than SHA2, but is
resistant to length extension attacks and has a simpler code base.  While
not used for much now, there's a good chance it will be needed in the
long run, for stuff like tls, ssh, and file checksums.

--
Fulton fulton.software!fulton

diff -r 8582c03efdc9 sys/include/libsec.h
--- a/sys/include/libsec.h	Sun May 30 14:30:50 2021 +0200
+++ b/sys/include/libsec.h	Mon May 31 08:55:39 2021 -0700
@@ -224,10 +224,14 @@
 enum
 {
 	SHA1dlen=	20,	/* SHA digest length */
-	SHA2_224dlen=	28,	/* SHA-224 digest length */
-	SHA2_256dlen=	32,	/* SHA-256 digest length */
-	SHA2_384dlen=	48,	/* SHA-384 digest length */
-	SHA2_512dlen=	64,	/* SHA-512 digest length */
+	SHA2_224dlen=	28,	/* SHA2-224 digest length */
+	SHA2_256dlen=	32,	/* SH2A-256 digest length */
+	SHA2_384dlen=	48,	/* SH2A-384 digest length */
+	SHA2_512dlen=	64,	/* SHA2-512 digest length */
+	SHA3_224dlen=	28,	/* SHA3-224 digest length */
+	SHA3_256dlen=	32,	/* SHA3-256 digest length */
+	SHA3_384dlen=	48,	/* SHA3-384 digest length */
+	SHA3_512dlen=	64,	/* SHA3-512 digest length */
 	MD4dlen=	16,	/* MD4 digest length */
 	MD5dlen=	16,	/* MD5 digest length */
 	RIPEMD160dlen=	20,	/* RIPEMD-160 digest length */
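Review bot: The rewritten comments on the SHA2_256dlen and SHA2_384dlen lines read `SH2A-256` and `SH2A-384`, while the two lines around them spell it `SHA2-224` and `SHA2-512`, so these look like typos introduced during the rename. Suggest `/* SHA2-256 digest length */` and `/* SHA2-384 digest length */`. The four new SHA3 constants duplicate the SHA2 values, which is correct since the digest sizes coincide, but a one-line remark such as `/* SHA3 digest lengths match the SHA2 ones */` would spare the next reader a double-take.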
@@ -241,20 +245,27 @@
 {
 	uvlong	len;
 	union {
-		u32int	state[16];
-		u64int	bstate[8];
+		uchar b[200];
+		u32int	state[50];
+		u64int	bstate[25];
 	};
 	uchar	buf[256];
 	int	blen;
+	int pt;
 	char	malloced;
 	char	seeded;
 };
+void sha3_keccakf(u64int st[25]);
 typedef struct DigestState SHAstate;	/* obsolete name */
 typedef struct DigestState SHA1state;
 typedef struct DigestState SHA2_224state;
 typedef struct DigestState SHA2_256state;
 typedef struct DigestState SHA2_384state;
 typedef struct DigestState SHA2_512state;
+typedef struct DigestState SHA3_224state;
+typedef struct DigestState SHA3_256state;
+typedef struct DigestState SHA3_384state;
+typedef struct DigestState SHA3_512state;
 typedef struct DigestState MD5state;
 typedef struct DigestState MD4state;
 
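Review bot: The new `int pt;` member and the `void sha3_keccakf(u64int st[25]);` prototype do not follow the layout of their neighbours: every other member is written `type<TAB>name`, and the header's other prototypes live in the function list below the typedefs in the form `DigestState*<TAB>sha2_256(...)`. Move the prototype down to that list as `void	sha3_keccakf(u64int*);`, or, if the permutation is meant to stay internal, leave it out of the public header and declare it in sha3.c instead. `pt` also deserves a short comment saying what it indexes, e.g. `int	pt;	/* absorb offset into b */`, since `blen` beside it presumably already carries a different meaning for the SHA2 states.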
@@ -266,6 +277,11 @@
 DigestState*	sha2_256(uchar*, ulong, uchar*, DigestState*);
 DigestState*	sha2_384(uchar*, ulong, uchar*, DigestState*);
 DigestState*	sha2_512(uchar*, ulong, uchar*, DigestState*);
+DigestState*	sha3_224(uchar*, ulong, uchar*, DigestState*);
+DigestState*	sha3_256(uchar*, ulong, uchar*, DigestState*);
+DigestState*	sha3_384(uchar*, ulong, uchar*, DigestState*);
+DigestState*	sha3_512(uchar*, ulong, uchar*, DigestState*);
+
 DigestState*	hmac_x(uchar *p, ulong len, uchar *key, ulong klen,
 			uchar *digest, DigestState *s,
 			DigestState*(*x)(uchar*, ulong, uchar*, DigestState*),
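Review bot: The generic `sha3(uchar*, ulong, uchar*, int, DigestState*)` entry point is listed in the sechash(2) synopsis in this same patch and is what the four wrappers call, but no prototype for it is added here, so a caller following the man page ends up with an implicit declaration. Either add `DigestState*	sha3(uchar*, ulong, uchar*, int, DigestState*);` next to the four wrappers or drop it from the man page and make it static in sha3.c. The stray blank line after `sha3_512` also breaks the otherwise unbroken prototype list.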
diff -r 8582c03efdc9 sys/man/1/sum
--- a/sys/man/1/sum	Sun May 30 14:30:50 2021 +0200
+++ b/sys/man/1/sum	Mon May 31 08:55:39 2021 -0700
@@ -19,6 +19,10 @@
 [
 .B -2
 .I bits
+] 
+[
+.B -3
+.I bits
 ] [
 .I file ...
 ]
@@ -82,6 +86,12 @@
 384,
 and
 512.
+The 
+.L 3
+option has the same behavior of
+.L 2
+, but instead outputs with
+NIST SHA3 secure hash algorithm.
 .SH SOURCE
 .B /sys/src/cmd/sum.c
 .br
@@ -92,3 +102,5 @@
 .IR cmp (1),
 .IR wc (1),
 .IR sechash (2)
+.SH BUGS
+md5 and SHA-1 are considered broken and should not be used
diff -r 8582c03efdc9 sys/man/2/sechash
--- a/sys/man/2/sechash	Sun May 30 14:30:50 2021 +0200
+++ b/sys/man/2/sechash	Mon May 31 08:55:39 2021 -0700
@@ -1,7 +1,7 @@
 .TH SECHASH 2
 .SH NAME
 md4, md5, ripemd160,
-sha1, sha2_224, sha2_256, sha2_384, sha2_512,
+sha1, sha2_224, sha2_256, sha2_384, sha2_512,sha3_224, sha3_256, sha3_384, sha3_512,
 hmac_x, hmac_md5, hmac_sha1, hmac_sha2_224, hmac_sha2_256, hmac_sha2_384, hmac_sha2_512,
 poly1305 \- cryptographically secure hashes
 .SH SYNOPSIS
@@ -43,6 +43,16 @@
 .Ti
 DS*	sha2_512(uchar *data, ulong dlen, uchar *digest, DS *state)
 .Ti
+DS*	sha3(uchar *data, ulong dlen, uchar *digest, int dlen, DS *state)
+.Ti
+DS*	sha3_224(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
+DS*	sha3_256(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
+DS*	sha3_384(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
+DS*	sha3_512(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
 DS*	hmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DS *s, DS*(*x)(uchar*, ulong, uchar*, DS*), int xlen)
 .Ti
 DS*	hmac_md5(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state)
@@ -78,6 +88,10 @@
 .IR sha2_256 ,
 .IR sha2_384 ,
 .IR sha2_512 ,
+.IR sha3_224 ,
+.IR sha3_256 ,
+.IR sha3_384 ,
+.IR sha3_512 ,
 differ only in the length of the resulting digest
 and in the security of the hash.
 .I Sha2_*
@@ -107,7 +121,11 @@
 .IR SHA2_224dlen ,
 .IR SHA2_256dlen ,
 .IR SHA2_384dlen ,
-.I SHA2_512dlen
+.I SHA2_512dlen,
+.IR SHA3_224dlen ,
+.IR SHA3_256dlen ,
+.IR SHA3_384dlen ,
+.I SHA3_512dlen
 and
 .I Poly1305dlen
 define the lengths of the digests.
@@ -172,3 +190,5 @@
 .TP
 .B /lib/rfc/rfc2104
 HMAC specification
+.SH BUGS
+md4, md5 and SHA-1 are considered broken and should not be used
diff -r 8582c03efdc9 sys/src/cmd/sha1sum.c
--- a/sys/src/cmd/sha1sum.c	Sun May 30 14:30:50 2021 +0200
+++ b/sys/src/cmd/sha1sum.c	Mon May 31 08:55:39 2021 -0700
@@ -23,6 +23,13 @@
 	512,	SHA2_512dlen,	sha2_512,
 };
 
+static Sha2 sha3s[] = { /* This naming sucks */
+	224,	SHA3_224dlen,	sha3_224,
+	256,	SHA3_256dlen,	sha3_256,
+	384,	SHA3_384dlen,	sha3_384,
+	512,	SHA3_512dlen,	sha3_512,
+};
+
 static DigestState* (*shafunc)(uchar *, ulong, uchar *, DigestState *);
 static int shadlen;
 
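Review bot: `/* This naming sucks */` tells the reader that the `Sha2` type is being reused for the SHA3 table but not why, and it will outlive the patch. Either rename the struct to something digest-neutral (its definition is outside this hunk) or replace the remark with what the table is, e.g. `/* SHA3 variants; same layout as sha2s */`. The same line recurs unchanged in the revised patch further down this thread.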
@@ -64,7 +71,7 @@
 static void
 usage(void)
 {
-	fprint(2, "usage: %s [-2 bits] [file...]\n", argv0);
+	fprint(2, "usage: %s [-2 bits] [-3 bits] [file...]\n", argv0);
 	exits("usage");
 }
 
@@ -87,6 +94,16 @@
 		shafunc = sha->func;
 		shadlen = sha->dlen;
 		break;
+	case '3':
+		bits = atoi(EARGF(usage()));
+		for (sha = sha3s; sha < sha3s + nelem(sha3s); sha++)
+			if (sha->bits == bits)
+				break;
+		if (sha >= sha3s + nelem(sha2s))
+			sysfatal("unknown number of sha3 bits: %d", bits);
+		shafunc = sha->func;
+		shadlen = sha->dlen;
+		break;
 	default:
 		usage();
 	}ARGEND
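Review bot: The bounds check after the lookup loop uses the wrong table: `if (sha >= sha3s + nelem(sha2s))` compares against the size of `sha2s`, while the loop walks `sha3s`. It only works today because both tables happen to have four entries; if either table changes, the check either rejects a valid match or lets `sha` point one past the end of `sha3s` and dereference it. Use `if (sha >= sha3s + nelem(sha3s))`. The revised patch later in the thread repeats the same line unchanged.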
diff -r 8582c03efdc9 sys/src/libsec/port/mkfile
--- a/sys/src/libsec/port/mkfile	Sun May 30 14:30:50 2021 +0200
+++ b/sys/src/libsec/port/mkfile	Mon May 31 08:55:39 2021 -0700
@@ -7,6 +7,7 @@
 	blowfish.c \
 	hmac.c md5.c md5block.c md4.c sha1.c sha1block.c\
 	sha2_64.c sha2_128.c sha2block64.c sha2block128.c\
+	sha3.c sha3_keccakf.c\
 	poly1305.c\
 	rc4.c\
 	chacha.c chachablock.c\
diff -r 8582c03efdc9 sys/src/libsec/port/sha3.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/src/libsec/port/sha3.c	Mon May 31 08:55:39 2021 -0700
@@ -0,0 +1,57 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+DigestState*
+sha3(uchar *p, ulong len, uchar *digest, int dlen, DigestState* s){
+	ulong i;
+	int j;
+	if(s == nil) {
+		s = mallocz(sizeof(*s), 1);
+		if(s == nil)
+			return nil;
+		s->malloced = 1;
+		s->blen = 200 - 2 * dlen;
+	}
+	j = s->pt;
+	for (i = 0; i < len; i++) {
+		s->b[j++] ^= p[i];
+		if (j >= s->blen) {
+			sha3_keccakf(s->bstate);
+			j = 0;
+		}
+	}
+	s->pt = j;
+
+	/* Don't go past this point if we're not writing the digest */
+	if(digest == nil)
+		return s;
+	s->b[s->pt] ^= 0x06;
+	s->b[s->blen - 1] ^= 0x80;
+	sha3_keccakf(s->bstate);
+	for (i = 0; i < dlen; i++) {
+		digest[i] = s->b[i];
+	}
+
+	return s;
+}
+
+DigestState*
+sha3_224(uchar *p, ulong len, uchar *digest, SHA3_224state* s){
+	return sha3(p, len, digest, 28, s);
+}
+
+DigestState*
+sha3_256(uchar *p, ulong len, uchar *digest, SHA3_256state* s){
+	return sha3(p, len, digest, 32, s);
+}
+
+DigestState*
+sha3_384(uchar *p, ulong len, uchar *digest, SHA3_384state* s){
+	return sha3(p, len, digest, 48, s);
+}
+
+DigestState*
+sha3_512(uchar *p, ulong len, uchar *digest, SHA3_512state* s){
+	return sha3(p, len, digest, 64, s);
+}
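Review bot: `blen` is set only inside the `s == nil` branch, so a caller-supplied DigestState (the struct keeps a `seeded` flag, which suggests that pattern is supported elsewhere in the library, and hmac_x's prototype takes a state) arrives with `blen == 0`: the absorb loop then permutes after every byte, and the padding line `s->b[s->blen - 1] ^= 0x80` writes to `b[-1]`, outside the union. Key the rate setup on the state rather than on the allocation, e.g. after the allocation block `if(s->seeded == 0){ s->blen = 200 - 2 * dlen; s->seeded = 1; }`. The same applies to the revised sha3.c further down in the thread. The loop `for (i = 0; i < dlen; i++)` compares `ulong i` with `int dlen`; keeping the index types consistent would avoid sign-comparison warnings on other compilers.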



* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-05-31 16:00 [9front] [PATCH] sha3 but fixed the code style fulton
@ 2021-06-01 12:46 ` cinap_lenrek
  2021-06-01 15:09   ` fulton
  2021-06-01 19:51   ` fulton
  0 siblings, 2 replies; 14+ messages in thread
From: cinap_lenrek @ 2021-06-01 12:46 UTC (permalink / raw)
  To: 9front

where is sha3_keccakf.c?


-.I SHA2_512dlen
+.I SHA2_512dlen,

why not:

-.I SHA2_512dlen
+.IR SHA2_512dlen ,

--

sha3() leaks DigestDstate. suggested change:
	...
	sha3_keccakf(s->bstate);
	memmove(digest, s->b, dlen);
	if(s->alloced)
		free(s);
	return nil;

--

+	j = s->pt;
+	for (i = 0; i < len; i++) {
+		s->b[j++] ^= p[i];
+		if (j >= s->blen) {
+			sha3_keccakf(s->bstate);
+			j = 0;
+		}
+	}
+	s->pt = j;

doing the xor byte-by-byte sucks.

--

 	union {
-		u32int	state[16];
-		u64int	bstate[8];
+		uchar b[200];
+		u32int	state[50];
+		u64int	bstate[25];
 	};

i do not like b[200] aliasing bstate here. i think it would be better to
handle this explicitly in the code.

--
cinap


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-01 12:46 ` cinap_lenrek
@ 2021-06-01 15:09   ` fulton
  2021-06-02 12:16     ` cinap_lenrek
  2021-06-01 19:51   ` fulton
  1 sibling, 1 reply; 14+ messages in thread
From: fulton @ 2021-06-01 15:09 UTC (permalink / raw)
  To: 9front

Quoth cinap_lenrek@felloff.net:
> i do not like b[200] aliasing bstate here. i think it would be better to
> handle this explicitely in the code.

Why?

--
Fulton fulton.software!fulton


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-01 12:46 ` cinap_lenrek
  2021-06-01 15:09   ` fulton
@ 2021-06-01 19:51   ` fulton
  2021-06-02 12:15     ` cinap_lenrek
  1 sibling, 1 reply; 14+ messages in thread
From: fulton @ 2021-06-01 19:51 UTC (permalink / raw)
  To: 9front

Quoth cinap_lenrek@felloff.net:
> where is sha3_keccakf.c?
> 
> 
> -.I SHA2_512dlen
> +.I SHA2_512dlen,
> 
> why not:
> 
> -.I SHA2_512dlen
> +.IR SHA2_512dlen ,
> 
> --
> 
> sha3() leaks DigestDstate. suggested change:
> 	...
> 	sha3_keccakf(s->bstate);
> 	memmove(digest, s->b, dlen);
> 	if(s->alloced)
> 		free(s);
> 	return nil;
> 
> --

Fixed those issues:

diff -r 8582c03efdc9 sys/man/1/sum
--- a/sys/man/1/sum	Sun May 30 14:30:50 2021 +0200
+++ b/sys/man/1/sum	Tue Jun 01 12:50:25 2021 -0700
@@ -19,6 +19,10 @@
 [
 .B -2
 .I bits
+] 
+[
+.B -3
+.I bits
 ] [
 .I file ...
 ]
@@ -82,6 +86,12 @@
 384,
 and
 512.
+The 
+.L 3
+option has the same behavior of
+.L 2
+, but instead outputs with
+NIST SHA3 secure hash algorithm.
 .SH SOURCE
 .B /sys/src/cmd/sum.c
 .br
@@ -92,3 +102,5 @@
 .IR cmp (1),
 .IR wc (1),
 .IR sechash (2)
+.SH BUGS
+md5 and SHA-1 are considered broken and should not be used
diff -r 8582c03efdc9 sys/man/2/sechash
--- a/sys/man/2/sechash	Sun May 30 14:30:50 2021 +0200
+++ b/sys/man/2/sechash	Tue Jun 01 12:50:25 2021 -0700
@@ -1,7 +1,7 @@
 .TH SECHASH 2
 .SH NAME
 md4, md5, ripemd160,
-sha1, sha2_224, sha2_256, sha2_384, sha2_512,
+sha1, sha2_224, sha2_256, sha2_384, sha2_512,sha3_224, sha3_256, sha3_384, sha3_512,
 hmac_x, hmac_md5, hmac_sha1, hmac_sha2_224, hmac_sha2_256, hmac_sha2_384, hmac_sha2_512,
 poly1305 \- cryptographically secure hashes
 .SH SYNOPSIS
@@ -43,6 +43,16 @@
 .Ti
 DS*	sha2_512(uchar *data, ulong dlen, uchar *digest, DS *state)
 .Ti
+DS*	sha3(uchar *data, ulong dlen, uchar *digest, int dlen, DS *state)
+.Ti
+DS*	sha3_224(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
+DS*	sha3_256(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
+DS*	sha3_384(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
+DS*	sha3_512(uchar *data, ulong dlen, uchar *digest, DS *state)
+.Ti
 DS*	hmac_x(uchar *p, ulong len, uchar *key, ulong klen, uchar *digest, DS *s, DS*(*x)(uchar*, ulong, uchar*, DS*), int xlen)
 .Ti
 DS*	hmac_md5(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest, DS *state)
@@ -78,6 +88,10 @@
 .IR sha2_256 ,
 .IR sha2_384 ,
 .IR sha2_512 ,
+.IR sha3_224 ,
+.IR sha3_256 ,
+.IR sha3_384 ,
+.IR sha3_512 ,
 differ only in the length of the resulting digest
 and in the security of the hash.
 .I Sha2_*
@@ -107,7 +121,11 @@
 .IR SHA2_224dlen ,
 .IR SHA2_256dlen ,
 .IR SHA2_384dlen ,
-.I SHA2_512dlen
+.I SHA2_512dlen ,
+.IR SHA3_224dlen ,
+.IR SHA3_256dlen ,
+.IR SHA3_384dlen ,
+.I SHA3_512dlen
 and
 .I Poly1305dlen
 define the lengths of the digests.
@@ -172,3 +190,5 @@
 .TP
 .B /lib/rfc/rfc2104
 HMAC specification
+.SH BUGS
+md4, md5 and SHA-1 are considered broken and should not be used
diff -r 8582c03efdc9 sys/src/cmd/sha1sum.c
--- a/sys/src/cmd/sha1sum.c	Sun May 30 14:30:50 2021 +0200
+++ b/sys/src/cmd/sha1sum.c	Tue Jun 01 12:50:25 2021 -0700
@@ -23,6 +23,13 @@
 	512,	SHA2_512dlen,	sha2_512,
 };
 
+static Sha2 sha3s[] = { /* This naming sucks */
+	224,	SHA3_224dlen,	sha3_224,
+	256,	SHA3_256dlen,	sha3_256,
+	384,	SHA3_384dlen,	sha3_384,
+	512,	SHA3_512dlen,	sha3_512,
+};
+
 static DigestState* (*shafunc)(uchar *, ulong, uchar *, DigestState *);
 static int shadlen;
 
@@ -64,7 +71,7 @@
 static void
 usage(void)
 {
-	fprint(2, "usage: %s [-2 bits] [file...]\n", argv0);
+	fprint(2, "usage: %s [-2 bits] [-3 bits] [file...]\n", argv0);
 	exits("usage");
 }
 
@@ -87,6 +94,16 @@
 		shafunc = sha->func;
 		shadlen = sha->dlen;
 		break;
+	case '3':
+		bits = atoi(EARGF(usage()));
+		for (sha = sha3s; sha < sha3s + nelem(sha3s); sha++)
+			if (sha->bits == bits)
+				break;
+		if (sha >= sha3s + nelem(sha2s))
+			sysfatal("unknown number of sha3 bits: %d", bits);
+		shafunc = sha->func;
+		shadlen = sha->dlen;
+		break;
 	default:
 		usage();
 	}ARGEND
diff -r 8582c03efdc9 sys/src/libsec/port/sha3.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/src/libsec/port/sha3.c	Tue Jun 01 12:50:25 2021 -0700
@@ -0,0 +1,57 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+
+DigestState*
+sha3(uchar *p, ulong len, uchar *digest, int dlen, DigestState* s){
+	ulong i;
+	int j;
+	if(s == nil) {
+		s = mallocz(sizeof(*s), 1);
+		if(s == nil)
+			return nil;
+		s->malloced = 1;
+		s->blen = 200 - 2 * dlen;
+	}
+	j = s->pt;
+	for (i = 0; i < len; i++) {
+		s->b[j++] ^= p[i];
+		if (j >= s->blen) {
+			sha3_keccakf(s->bstate);
+			j = 0;
+		}
+	}
+	s->pt = j;
+
+	/* Don't go past this point if we're not writing the digest */
+	if(digest == nil)
+		return s;
+	s->b[s->pt] ^= 0x06;
+	s->b[s->blen - 1] ^= 0x80;
+	sha3_keccakf(s->bstate);
+	memmove(digest, s->b, dlen);
+	if(s->malloced)
+		free(s);
+
+	return s;
+}
+
+DigestState*
+sha3_224(uchar *p, ulong len, uchar *digest, SHA3_224state* s){
+	return sha3(p, len, digest, 28, s);
+}
+
+DigestState*
+sha3_256(uchar *p, ulong len, uchar *digest, SHA3_256state* s){
+	return sha3(p, len, digest, 32, s);
+}
+
+DigestState*
+sha3_384(uchar *p, ulong len, uchar *digest, SHA3_384state* s){
+	return sha3(p, len, digest, 48, s);
+}
+
+DigestState*
+sha3_512(uchar *p, ulong len, uchar *digest, SHA3_512state* s){
+	return sha3(p, len, digest, 64, s);
+}
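Review bot: `dlen` is used unchecked to derive the rate: `s->blen = 200 - 2 * dlen;` and later `s->b[s->blen - 1] ^= 0x80;`. The four wrappers pass 28..64, but `sha3()` is presented as public (it is in the sechash(2) synopsis in this patch), so a caller passing 100 or more gets a non-positive `blen` and the finalisation writes before the start of `b`, while a negative `dlen` makes `memmove(digest, s->b, dlen)` copy a huge length. Guard the entry point before the allocation, e.g. `if(dlen <= 0 || dlen > 64) return nil;`, or make `sha3()` static and keep only the four fixed-length wrappers public.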
diff -r 8582c03efdc9 sys/src/libsec/port/sha3_keccakf.c
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/src/libsec/port/sha3_keccakf.c	Tue Jun 01 12:50:25 2021 -0700
@@ -0,0 +1,69 @@
+#include <u.h>
+#include <libc.h>
+#include <libsec.h>
+#define KECCAKF_ROUNDS 24
+#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y))))
+
+void sha3_keccakf(u64int st[25])
+{
+    // constants
+    const u64int keccakf_rndc[24] = {
+        0x0000000000000001, 0x0000000000008082, 0x800000000000808a,
+        0x8000000080008000, 0x000000000000808b, 0x0000000080000001,
+        0x8000000080008081, 0x8000000000008009, 0x000000000000008a,
+        0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
+        0x000000008000808b, 0x800000000000008b, 0x8000000000008089,
+        0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
+        0x000000000000800a, 0x800000008000000a, 0x8000000080008081,
+        0x8000000000008080, 0x0000000080000001, 0x8000000080008008
+    };
+    const int keccakf_rotc[24] = {
+        1,  3,  6,  10, 15, 21, 28, 36, 45, 55, 2,  14,
+        27, 41, 56, 8,  25, 43, 62, 18, 39, 61, 20, 44
+    };
+    const int keccakf_piln[24] = {
+        10, 7,  11, 17, 18, 3, 5,  16, 8,  21, 24, 4,
+        15, 23, 19, 13, 12, 2, 20, 14, 22, 9,  6,  1
+    };
+
+    /* variables */
+    int i, j, r;
+    u64int t, bc[5];
+
+
+    /* actual iteration */
+    for (r = 0; r < KECCAKF_ROUNDS; r++) {
+
+        // Theta
+        for (i = 0; i < 5; i++)
+            bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20];
+
+        for (i = 0; i < 5; i++) {
+            t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1);
+            for (j = 0; j < 25; j += 5)
+                st[j + i] ^= t;
+        }
+
+        /* Rho Pi */
+        t = st[1];
+        for (i = 0; i < 24; i++) {
+            j = keccakf_piln[i];
+            bc[0] = st[j];
+            st[j] = ROTL64(t, keccakf_rotc[i]);
+            t = bc[0];
+        }
+
+        /* Chi */
+        for (j = 0; j < 25; j += 5) {
+            for (i = 0; i < 5; i++)
+                bc[i] = st[j + i];
+            for (i = 0; i < 5; i++)
+                st[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5];
+        }
+
+        /* Iota */
+        st[0] ^= keccakf_rndc[r];
+    }
+
+
+}
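Review bot: The three lookup tables `keccakf_rndc`, `keccakf_rotc` and `keccakf_piln` are `const` automatics inside the function, so they may be rebuilt on the stack every time the permutation runs (once per absorbed block); declaring them `static const` at file scope, `static const u64int keccakf_rndc[24] = { ... };` and likewise for the two `int` tables, makes them read-only data initialised once. Formatting is also out of step with the rest of libsec: four-space indentation, the brace on the signature line, and a mix of `//` and `/* */` comments where the neighbouring files use tabs, the return type on its own line, and `/* */` only. The two blank lines before the closing brace can go.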



* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-01 19:51   ` fulton
@ 2021-06-02 12:15     ` cinap_lenrek
  2021-06-02 13:46       ` kemal
  2021-06-02 21:04       ` fulton
  0 siblings, 2 replies; 14+ messages in thread
From: cinap_lenrek @ 2021-06-02 12:15 UTC (permalink / raw)
  To: 9front

- sha3() needs to return nil on final run.

- still the aliasing with DigestState.b[200]

note, that this also will not work on big endian machines. you can
try this with the mips instruction emulator vi(1).

byte-by-byte xor is stupid.

- sha3_keccakf() seems more than sub-optimal

64-bit constants need to have ULL prefix.

for example, the indexing will be done twice because of the ROTL64() macro

loops not unrolled, especially with the mod 5 indexing (divisions can be very slow)

i bet you haven't written this code, where is this from? if you use someone
else's code it is always a good idea to attribute the original authors.

do you have test vectors?

--
cinap


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-01 15:09   ` fulton
@ 2021-06-02 12:16     ` cinap_lenrek
  0 siblings, 0 replies; 14+ messages in thread
From: cinap_lenrek @ 2021-06-02 12:16 UTC (permalink / raw)
  To: 9front

big endian and readability. from the code it is not obvious that they alias.

--
cinap


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 12:15     ` cinap_lenrek
@ 2021-06-02 13:46       ` kemal
  2021-06-02 14:16         ` kemal
                           ` (2 more replies)
  2021-06-02 21:04       ` fulton
  1 sibling, 3 replies; 14+ messages in thread
From: kemal @ 2021-06-02 13:46 UTC (permalink / raw)
  To: 9front

hello,

> - sha3_keccakf() seems more than sub-optimal
>
> 64-bit constants need to have ULL prefix.
>
> for example, the indexing will be done twice because of the ROTL64() macro
>
> loops not unrolled, especially with the mod 5 indexing (divisions can be
> very slow)

i stole go's keccakf code, and translated it into c. it just uses
bitwise operations and loops are unrolled. looks definitely better
than the current one. can fulton test if this actually works?

http://okturing.com/src/11179/body


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 13:46       ` kemal
@ 2021-06-02 14:16         ` kemal
  2021-06-03  1:30           ` ori
  2021-06-03 16:56           ` fulton
  2021-06-02 14:45         ` cinap_lenrek
  2021-06-03 15:24         ` fulton
  2 siblings, 2 replies; 14+ messages in thread
From: kemal @ 2021-06-02 14:16 UTC (permalink / raw)
  To: 9front

> http://okturing.com/src/11179/body

ok i think i misunderstood go's '&^' bit clear operator
use this instead

http://okturing.com/src/11180/body


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 13:46       ` kemal
  2021-06-02 14:16         ` kemal
@ 2021-06-02 14:45         ` cinap_lenrek
  2021-06-03 15:24         ` fulton
  2 siblings, 0 replies; 14+ messages in thread
From: cinap_lenrek @ 2021-06-02 14:45 UTC (permalink / raw)
  To: 9front

hm.... are you sure you should use 64-bit *SIGNED* integers here?
wouldnt that screw up the bit rotations because of the sign bit
replication on down shift?

> can fulton test if this actually works?

the right thing to do is to provide a unit test with test vectors
from the spec... it doesn't need to be in the mkfile... just like
sha2test.c and chachatest.c.

--
cinap


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 12:15     ` cinap_lenrek
  2021-06-02 13:46       ` kemal
@ 2021-06-02 21:04       ` fulton
  2021-06-03 20:28         ` hiro
  1 sibling, 1 reply; 14+ messages in thread
From: fulton @ 2021-06-02 21:04 UTC (permalink / raw)
  To: 9front

I did attribute the authors in my first email, but that email never went through and I should have re-attributed the author

https://github.com/mjosaarinen/tiny_sha3

> - sha3() needs to return nil on final run. 
- I'll fix that

>note, that this also will not work on big endian machines. you can
>try this with the mips instruction emulator vi(1).
I don't know how much I can do about that, but I'll look in to it.

>byte-by-byte xor is stupid.

I don't love it either, but I in this case it may be the best way to get it working, but I can change it.

>sha3_keccakf() seems more than sub-optimal

i'll rewrite it.

--
Fulton fulton.software!fulton


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 14:16         ` kemal
@ 2021-06-03  1:30           ` ori
  2021-06-03 16:56           ` fulton
  1 sibling, 0 replies; 14+ messages in thread
From: ori @ 2021-06-03  1:30 UTC (permalink / raw)
  To: 9front

Quoth kemal <kemalinanc8@gmail.com>:
> > http://okturing.com/src/11179/body
> 
> ok i think i misunderstood go's '&^' bit clear operator
> use this instead
> 
> http://okturing.com/src/11180/body

Does it pass the test vectors? Do you
have code to prove it?



* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 13:46       ` kemal
  2021-06-02 14:16         ` kemal
  2021-06-02 14:45         ` cinap_lenrek
@ 2021-06-03 15:24         ` fulton
  2 siblings, 0 replies; 14+ messages in thread
From: fulton @ 2021-06-03 15:24 UTC (permalink / raw)
  To: 9front

Quoth kemal <kemalinanc8@gmail.com>:
> hello,
> 
> > - sha3_keccakf() seems more than sub-optimal
> >
> > 64-bit constants need to have ULL prefix.
> >
> > for example, the indexing will be done twice because of the ROTL64() macro
> >
> > loops not unrolled, especially with the mod 5 indexing (divisions can be
> > very slow)
> 
> i stole go's keccakf code, and translated it into c. it just uses
> bitwise operations and loops are unrolled. looks definitely better
> than the current one. can fulton test if this actually works?
> 
> http://okturing.com/src/11179/body
> 
That didn't seem to work. it should look like this:

; echo test | sha1sum -3 256
34a0b893b66e312a8b0f7dc4bc4c7930b67f8823513aff5444fb5c64aa060c5a
; echo test | sha1sum -3 512
1a39794b53431e9abc34368ed4824dbac59d6c6417792279b0ec2c91d6eb58af72f9d4b1e3b613a05891c2c1a17a820bcf829cb323c4299b219e5ab299794581
; sha1sum -3 256 /386/9pc
512b4ee0051cdac52210e1216786aa43625aad842a9d4d2a6f796738692715ef	/386/9pc
; 

Verified by rhash(1) on unix

This is what the go patch looks like:
;  echo test | ./sha1sum -3 256
1b39c5c0855bccd2ebf2a8c490f7cfb49c276a9b81fb336c5621e235fa5390fd
;  echo test | ./sha1sum -3 512
dfbef5bc56120523b305cca4254ba61a94393cd7808d5c6434f09664793ecca5ccb2b7ac2b483430d42d6b42654d48d514ad2385699c586f885622e013ce27b0
; ./sha1sum -3 256 /386/9pc
e758b8170222a207a584df37662b9095c71310c1411cfa9b95b63a1dfa30af9d	/386/9pc

I'll look in to it. It may just be a case of not enough rounds (should be 24) or some simple bug like that,

--
Fulton fulton.software!fulton


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 14:16         ` kemal
  2021-06-03  1:30           ` ori
@ 2021-06-03 16:56           ` fulton
  1 sibling, 0 replies; 14+ messages in thread
From: fulton @ 2021-06-03 16:56 UTC (permalink / raw)
  To: 9front

Quoth kemal <kemalinanc8@gmail.com>:
> > http://okturing.com/src/11179/body
> 
> ok i think i misunderstood go's '&^' bit clear operator
> use this instead
> 
> http://okturing.com/src/11180/body
> 

Just got this one, it works :D thanks kemal.

--
Fulton fulton.software!fulton


* Re: [9front] [PATCH] sha3 but fixed the code style
  2021-06-02 21:04       ` fulton
@ 2021-06-03 20:28         ` hiro
  0 siblings, 0 replies; 14+ messages in thread
From: hiro @ 2021-06-03 20:28 UTC (permalink / raw)
  To: 9front

> I don't know how much I can do about that, but I'll look in to it.

what do you mean? if your code is independent of byte ordering then i
think you should know what is meant here, even without knowing
anything about mips (it was an example).

On 6/2/21, fulton@fulton.software <fulton@fulton.software> wrote:
> I did attribute the authors in my first post email post, that email never
> went through and I should have re-attributed the author
>
> https://github.com/mjosaarinen/tiny_sha3
>
>> - sha3() needs to return nil on final run.
> - I'll fix that
>
>>note, that this also will not work on big endian machines. you can
>>try this with the mips instruction emulator vi(1).
> I don't know how much I can do about that, but I'll look in to it.
>
>>byte-by-byte xor is stupid.
>
> I don't love it either, but I in this case it may be the best way to get it
> working, but I can change it.
>
>>sha3_keccakf() seems more than sub-optimal
>
> i'll rewrite it.
>
> --
> Fulton fulton.software!fulton
>

