debris / tiny-keccak

An implementation of Keccak derived functions specified in FIPS-202, SP800-185 and KangarooTwelve
Creative Commons Zero v1.0 Universal

Add support for half-duplex use #24

Closed oleganza closed 4 years ago

oleganza commented 6 years ago

This patch improves the API by allowing output to be squeezed any number of times, and by allowing switching between absorbing and squeezing any number of times.

Methods absorb and squeeze automatically keep track of the current offset in the Keccak state and apply necessary padding and/or permutation when transitioning from one mode to another.

As a result, XofReader is changed to a simple type alias and can be removed in the long term. Note that XofReader does not allow switching back to absorbing.

The rationale for the half-duplex API is to enable use of Keccak in cryptographic protocols that employ a "random oracle" via a Fiat-Shamir transform. Such protocols have to switch between committing some data (absorbing into a sponge) and generating challenges (squeezing the sponge).

oleganza commented 6 years ago

Thanks for the feedback! Is there actual code that uses an absorb/squeeze/absorb/finalize sequence? As far as I could tell, it is generally not safe to squeeze after absorb w/o a full permutation. Also, doing absorb after squeeze in the existing implementation is also not safe, as the input is mixed with the same data that was just squeezed (because squeeze does not advance the offset).
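The following is an added example, written for this page and not code from tiny-keccak or from this pull request. It shows the discipline that the pull-request description and the comment above are talking about: the sponge tracks its byte offset and its current direction, applies pad10*1 and a permutation before the first squeeze, and permutes again before accepting input after a squeeze, so that new input is never XORed into a block whose bytes the caller has already read and no output is ever taken from a block still holding un-permuted input. The names `HalfDuplex`, `Mode`, `shake128` and `challenges` are chosen here; the constants are the standard Keccak-f[1600] round constants and rotation/pi tables. With a single absorb/squeeze pair the sponge must equal SHAKE128, which is checked against the FIPS 202 value for the empty message.

```rust
// Added example, not tiny-keccak's code: a minimal half-duplex Keccak sponge that
// tracks its offset and mode and pads/permutes on every absorb<->squeeze transition.
// HalfDuplex, Mode, shake128 and challenges are names chosen for this example.
const RC: [u64; 24] = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
    0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
    0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
];
const ROTC: [u32; 24] = [1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44];
const PILN: [usize; 24] = [10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1];

/// Keccak-f[1600]: 24 rounds of theta, rho+pi, chi, iota over 25 little-endian u64 lanes.
fn keccak_f1600(st: &mut [u64; 25]) {
    let mut bc = [0u64; 5];
    for &rc in RC.iter() {
        for i in 0..5 { bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20]; }
        for i in 0..5 {
            let t = bc[(i + 4) % 5] ^ bc[(i + 1) % 5].rotate_left(1);
            for j in (0..25).step_by(5) { st[j + i] ^= t; }
        }
        let mut t = st[1];
        for i in 0..24 { let j = PILN[i]; let tmp = st[j]; st[j] = t.rotate_left(ROTC[i]); t = tmp; }
        for j in (0..25).step_by(5) {
            bc.copy_from_slice(&st[j..j + 5]);
            for i in 0..5 { st[j + i] ^= !bc[(i + 1) % 5] & bc[(i + 2) % 5]; }
        }
        st[0] ^= rc;
    }
}

#[derive(Clone, Copy, PartialEq)]
enum Mode { Absorbing, Squeezing }

/// Sponge that records which direction it is running; rate is in bytes, delim is 0x1f for SHAKE.
pub struct HalfDuplex { st: [u64; 25], rate: usize, delim: u8, offset: usize, mode: Mode }

impl HalfDuplex {
    pub fn shake128() -> Self {
        HalfDuplex { st: [0; 25], rate: 168, delim: 0x1f, offset: 0, mode: Mode::Absorbing }
    }
    fn xor_byte(&mut self, i: usize, b: u8) { self.st[i / 8] ^= (b as u64) << (8 * (i % 8)); }
    fn byte(&self, i: usize) -> u8 { (self.st[i / 8] >> (8 * (i % 8))) as u8 }
    fn permute(&mut self) { keccak_f1600(&mut self.st); self.offset = 0; }

    /// Absorb input. Coming from squeezing, permute first so the new input is never
    /// XORed into a block whose bytes the caller has already read (offset restarts at 0).
    pub fn absorb(&mut self, data: &[u8]) {
        if self.mode == Mode::Squeezing {
            self.permute();
            self.mode = Mode::Absorbing;
        }
        for &b in data {
            self.xor_byte(self.offset, b);
            self.offset += 1;
            if self.offset == self.rate { self.permute(); }
        }
    }

    /// Squeeze output. Coming from absorbing, apply pad10*1 and permute first so no
    /// output is ever read from a block that still holds un-permuted input.
    pub fn squeeze(&mut self, out: &mut [u8]) {
        if self.mode == Mode::Absorbing {
            self.xor_byte(self.offset, self.delim);
            self.xor_byte(self.rate - 1, 0x80);
            self.permute();
            self.mode = Mode::Squeezing;
        }
        for o in out.iter_mut() {
            if self.offset == self.rate { self.permute(); }
            *o = self.byte(self.offset);
            self.offset += 1;
        }
    }
}

/// One-shot SHAKE128: a single absorb/squeeze pair must match FIPS 202.
pub fn shake128(msg: &[u8], n: usize) -> Vec<u8> {
    let mut s = HalfDuplex::shake128();
    s.absorb(msg);
    let mut out = vec![0u8; n];
    s.squeeze(&mut out);
    out
}

/// Fiat-Shamir transcript: each challenge is squeezed right after its commitment is
/// absorbed, so it depends on every commitment and every earlier challenge.
pub fn challenges(commitments: &[&[u8]], n: usize) -> Vec<Vec<u8>> {
    let mut t = HalfDuplex::shake128();
    commitments.iter().map(|c| { t.absorb(c); let mut ch = vec![0u8; n]; t.squeeze(&mut ch); ch }).collect()
}

pub fn to_hex(bytes: &[u8]) -> String { bytes.iter().map(|b| format!("{:02x}", b)).collect() }

fn main() {
    println!("SHAKE128(\"\") = {}", to_hex(&shake128(b"", 32)));
    // Constructed sample commitments, not data from any real protocol run.
    let parts: [&[u8]; 2] = [b"commitment-1 (constructed)", b"commitment-2 (constructed)"];
    for (i, c) in challenges(&parts, 16).iter().enumerate() { println!("challenge {} = {}", i + 1, to_hex(c)); }
}
```

Two caveats for anyone copying this pattern into a protocol. First, the example deliberately keeps the streaming property of the sponge, so `absorb(b"ab")` and `absorb(b"a")` followed by `absorb(b"b")` produce the same state; a transcript therefore has to length-prefix or otherwise frame each item it commits, or two different commitment sequences can collide. Second, this is the outer-part-only absorption of plain Keccak; it does not implement the full-state absorption that the Keyak comment further down refers to.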

oleganza commented 6 years ago

At the same time, I just checked the Keyak v2 paper and it seems like it's doing something else (although still safe): absorbing is performed on both the outer part (as in current Keccak implementation) and on the inner part of the state.

[screenshot from the Keyak v2 paper, 2018-03-16, not reproduced]

debris commented 4 years ago

Hey! In recent days I revisited the tiny-keccak crate and crafted a new API for it. I also took your pull request into consideration again and improved the API accordingly, so it is possible to switch between absorbing and squeezing any number of times for some of the XOF functions. For now it is only SHAKE and cSHAKE, but if there's a real-life use case to also add it for SHA3, I see no reason to block it.

You can check out the new API here: docs.rs/tiny-keccak

Also, I've made so many changes internally in the crate, that I couldn't easily cherry-pick changes from this PR, but I acknowledged you in the credits section of the documentation. Hope you don't mind.