Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SHAKE Incremental Byte Squeezes && EVP_ Tests #2155

Merged
merged 68 commits into from
Feb 24, 2025
Merged

SHAKE Incremental Byte Squeezes && EVP_ Tests #2155

merged 68 commits into from
Feb 24, 2025

Conversation

manastasova
Copy link
Contributor

Issues:

Resolves #CryptoAlg-2835 &&
Resolves #CryptoAlg-2836

Description of changes:

AWS-LC supports SHA3 and SHAKE algorithms. SHAKE, as defined in FIPS202, is an extendible output function, where the output data could be generated by multiple calls to "squeeze" function. Currently, there are two main features (internal and external APIs support) that are not supported by AWS-LC:

  • (Internal APIs) Currently, AWS-LC supports incremental XOF output (internal only via SHAKE_Squeeze) generation when the requested data is a multiple of the |block_size|. I.e., ceil(requested_output_bytes/block_size) full blocks will be generated and directly outputted without internal buffering. Thus, it is the user's (other algorithm) responsibility to manage output data when the request is not a multiple of the |block_size|.
  • Currently, AWS-LC does not support external (EVP_Digest) APIs for incremental squeezes.

This PR add both features for incremental squeezes in arbitrary length output requests (up to a byte):

  • Internal APIs (SHAKE_) changes:
    • Add support for incremental |SHAKE_Squeeze| with arbitrary size (up to a byte) output requests via internal buffer.
    • Add KECCAK600_CTX struct |state| field updates and checks yo ensure functions are called only in the corresponding bitstate, e.g., |KECCAK1600_STATE_SQUEEZE| allows further bitstate squeezes, |KECCAK1600_STATE_FINAL| does not allow further squeezes, etc.
  • External APIs (EVP_Digest) changes:
    • Add external API support for incremental |SHAKE_Squeeze| with arbitrary size (up to a byte) output requests via |EVP_DigestSqueeze|.
    • Restrict the number of calls to |EVP_DigestFinalXOF| to only one. For incremental squeeze functionality |EVP_DigestSqueeze| should be used.
    • Restrict the use of |EVP_DigestFinal| to hash algorithms only. For XOF algorithms |EVP_DigestFinalXOF| and |EVP_DigestSqueeze| should be used.

This PR adds more tests for EVP_Digest XOF functionality (all test are running through the entire NIST Test Vector list):

  • External APIs (EVP_Digest) additional tests:
    • Test Final - Assert fail when |EVP_DigestFinal| is called for XOF algorithms
    • Test Absorb - Assert success when |EVP_DigestUpdate| is called byte-by-byte
    • Test Squeeze - Assert success when |EVP_DigestSqueeze| is called byte-by-byte
    • Test Squeeze - Assert success when |EVP_DigestSqueeze| is called in set byte increments
    • Test Squeeze with random Input - Assert success when |EVP_DigestSqueeze| is called on a random message
    • Test Squeeze with random Input - Assert success when |EVP_DigestSqueeze| is called on a random message in set byte increments
    • Test Final XOF without Update - Assert fail when |EVP_DigestFinalXOF| is called as a streaming API

Call-outs:

Service indicator is updated:

  • Inside SHAKE_Squeeze (Streaming XOF Squeezes output generation does not update the service indicator after each extendable output update);

Testing:

./crypto/crypto_test --gtest_filter="SHAKETest.*"

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

manastasova and others added 30 commits December 30, 2024 16:57
@manastasova
Introduce SHA3/SHAKE layered API design; Only SHA3/SHAKE files updates
c6ed451 
Define Keccak1600, FIPS202, and SHA3/SHAKE API layers

Keccak1600 implements absorb and squeeze functionalities. It defines the lowest lever APIs for SHA3/SHAKE; Keccak1600 functions only process complete blocks; internal input/output buffers are handles by higher layer (FIPS202) APIs.

FIPS202 APIs handle the internal input/output buffers to allow incremental function calls. FIPS202 layer is used by both SHA3 and SHAKE high level APIs. FIPS202 defines Reset, Init, Update, Finalize APIs.

SHA3/SHAKE layer implements the SHA3 and SHAKE algorithms. SHA3 supports Init, Update and Final APIs since it produces a given length digest and should be Finalized in a single Final function call. SHAKE supports Init, Update, Finalize and Squeeze APIs since it can generate arbitrary length output in incremental way. SHAKE_Finalize processes padding and absorb of last input block and generates the first output value; Incremental XOF output generation is defined by SHAKE_Squeeze function which implements the squeeze phase (it does not finalize the absorb, SHAKE_Squeeze can be only called after SHAKE_Finalize
@manastasova
Add changes to ML-KEM based on SHA3/SHAKE new API Design
a05d255 
Note: symmetric-shake.c will be inlined, therefore, additional checks for |ctx->padded| flag will be omitted (SHAKE_Finalize should be called once to finalize absorb and initialize squeeze phase; SHAKE_Squeeze should be called to generate additional incremental XOF output).
@manastasova
Add changes to ML-DSA based on SHA3/SHAKE new API Design
50cf7fa 
Update blocksize/rate macro names
@manastasova
Update build files in generated-src
4b0b92e
@manastasova
Update service indicator in SHA3_Final
eb992ea
@manastasova
Initialize |ctx->padded| to 0 for SHAKE inside SHAKE_Init
d40fbec
@manastasova
Update service indicator at the end of SHAKE_Finalize; The XOF functi…
adb910d 
…on may not be completed (incremental XOF output request); however, the SHAKE_Finalize function completes the first requested output, thus, SHAKE has processed the first valid output value
@manastasova
Fix conflicts with MLDSA parameters renaming
02b8085
@manastasova
Merge branch 'main' into sha3_absorb_squeeze
e61be0d
@manastasova
Merge branch 'aws:main' into sha3_absorb_squeeze
3008821
@manastasova
Update SHAKE single-shot and streaming APIs
2a1622f 
Rename SHAKE_Update to SHAKE_Absorb; Define SHAKE_Final as a single-shot API; Defined SHAKE_Squeeze as an incremental (independent) API. It can can be called immediately after SHAKE_Absorb; SHAKE_Squeeze will finalize absorb phase and initiate squeeze phase; When called a signle time SHAKE_Squeeze has the same behavior as SHAKE_Final, SHAKE_Final cannot be called consecutive times; SHAKE_Squeeze can be called multiple times; SHAKE_Squeeze can be called after SHAKE_Final (to squeeze more bytes).
@manastasova
Update incremental block-wise SHAKE squeezes in MLKEM
c5d0afd
@manastasova
Update incremental block-wise SHAKE squeezes in MLDSA
b6a5590
@manastasova
Replace |keccak_st->padded| flag with |keccak_st->state| flag
7ccaeba 
Allow KECCAK1600_STATE_ABSORB, KECCAK1600_STATE_SQUEEZE, KECCAK1600_STATE_FINAL state flag values to prevent incremental usage of SHAKE_Final or SHAKE_Squeeze after SHAKE_Final

The cahnge is introduced for consistency reasons

KECCAK1600_STATE_ABSORB corresponds to |ctx->padded| = 0 (NOT_PADDED), KECCAK1600_STATE_SQUEEZE corresponds to |ctx->padded| = 1 (PADDED), and KECCAK1600_STATE_FINAL blocks incremental Squeeze calls.
@manastasova
Update MLKEM and MLDSA
7edb6c7
@manastasova
Update Keccak state flag in SHA3 functions
7386c1b
@manastasova
Address code review comments
e424771 
Make FIPS202 functions static; Do not export SHA3 and SHAKE internal functions
@manastasova
Add export macro to functions in the tests
6597af1
@manastasova
Merge branch 'aws:main' into sha3_absorb_squeeze
7766425
@manastasova
Rename Absorb and Squeeze functions to Keccak1600_ layer specific
ff3cbd8 
Clean redefinition of SHAKE blocksize/rate macros; Update their use inside MLKEM and MLDSA.
@manastasova
Update build files in generated-src
680dd43
@manastasova @jakemas
Apply suggestions from code review
872d368 
Fix alignment

Co-authored-by: Jake Massimo <jakemas@amazon.com>
@manastasova
Move all common |ctx->state| flag checks in the FIPS202 layer
5780ee5 
Upon Init, the |ctx->state| is set to |KECCAK1600_STATE_ABSORB| allowing absorb calls from both SHA3 and SHAKE; Upon Finalize (padding and last absorb) SHA3 and SHAKE (Final or incremental Squeeze) behave in a different way; thus, the |ctx->state| is set to |KECCAK1600_STATE_FINAL| when no incremental calls are allowed (|SHA3_Final| and |SHAKE_Final| and to |KECCAK1600_STATE_SQUEEZE| when incremental squeezes are allowed (SHAKE_Squeeze).
@manastasova
Merge branch 'sha3_absorb_squeeze' of github.com:manastasova/aws-lc i…
3f43dde 
…nto sha3_absorb_squeeze
@manastasova
Update MLKEM and MLDSA
07bac7c
@manastasova
Merge branch 'main' of github.com:aws/aws-lc into sha3_absorb_squeeze
2973e4a
@manastasova
Remove SHAKE_Squeeze service indicator update
86fa4b0
@manastasova
Merge branch 'main' of github.com:aws/aws-lc into sha3_absorb_squeeze
36ab448
@manastasova
Bring back exports
b2228b6
@manastasova
Merge branch 'main' of github.com:aws/aws-lc into sha3_only_rename
14da500
justsmth
justsmth reviewed Feb 10, 2025
View reviewed changes
@manastasova
Address PR comments
41dbf6d 
Remove local variable updates before return; Add return values comments
justsmth
justsmth previously approved these changes Feb 11, 2025
View reviewed changes
@manastasova
Add tests for XOF-specific functions squeeze and update called on non…
e5fbc6d 
… XOF digests to increase code coverage

upstream merge - squash commits from upstream.
andrewhop
andrewhop reviewed Feb 19, 2025
View reviewed changes
justsmth
justsmth previously approved these changes Feb 20, 2025
View reviewed changes
manastasova and others added 5 commits February 20, 2025 09:37
@manastasova
Merge branch 'main' into shake_bytes
686e88e
@manastasova
Add exhaustive SHAKE Squeeze tests
72efbcf 
Test each possible chunck size (|to_sq_bytes| from 1 to |digest_length|) to generate the expected output as incremental Squeeze calls, requesting |to_sq_bytes| bytes in each individual call
@manastasova
Merge branch 'shake_bytes' of github.com:manastasova/aws-lc into shak…
371dccb 
…e_bytes
@manastasova
Add Exhaustive Squeeze test
5c23fdf
@manastasova
Add exhaustive SHAKE Squeeze tests
2ba44aa 
Test each possible chunck size (|to_sq_bytes| from 1 to |digest_length|) to generate the expected output as incremental Squeeze calls, requesting |to_sq_bytes| bytes in each individual call
@justsmth justsmth merged commit 493207c into aws:main Feb 24, 2025
111 of 113 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewhop andrewhop andrewhop approved these changes

@justsmth justsmth justsmth approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@manastasova @codecov-commenter @andrewhop @justsmth