ascon_cxof128.c
1 /**
2  * @file ascon_cxof128.c
3  * @brief Ascon-CXOF128 customizable extendable-output function
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2025 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCRYPTO Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @section Description
28  *
29  * Ascon-CXOF128 is a customizable eXtendable-Output Function (XOF) that
30  * allows users to specify a customization string and choose the output size
31  * of the message hash. It supports a security strength of up to 128 bits.
32  *
33  * @author Oryx Embedded SARL (www.oryx-embedded.com)
34  * @version 2.5.0
35  **/
36 
37 //Switch to the appropriate trace level
38 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
39 
40 //Dependencies
41 #include "core/crypto.h"
42 #include "lwc/ascon_cxof128.h"
43 
44 //Check crypto library configuration
45 #if (ASCON_CXOF128_SUPPORT == ENABLED)
46 
47 
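/**
 * @brief Digest a message using Ascon-CXOF128
 *
 * One-shot helper that initializes a context with the customization string,
 * absorbs the whole input, finishes the absorbing phase and squeezes
 * outputLen bytes.
 *
 * @param[in] input Pointer to the input data (may be NULL only if inputLen
 *   is zero)
 * @param[in] inputLen Length of the input data, in bytes
 * @param[in] custom Customization string (Z) (may be NULL only if customLen
 *   is zero)
 * @param[in] customLen Length of the customization string, in bytes
 * @param[out] output Pointer to the output data (may be NULL only if
 *   outputLen is zero)
 * @param[in] outputLen Expected length of the output data, in bytes
 * @return NO_ERROR on success, ERROR_INVALID_PARAMETER if a pointer is NULL
 *   while its length is non-zero, ERROR_OUT_OF_MEMORY if the context cannot
 *   be allocated, or the error code reported by asconCxof128Init
 **/

error_t asconCxof128Compute(const void *input, size_t inputLen,
   const char_t *custom, size_t customLen, uint8_t *output, size_t outputLen)
{
   error_t error;
#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)
   AsconCxof128Context *context;
#else
   AsconCxof128Context context[1];
#endif

   //Check parameters (a NULL pointer is only acceptable for an empty buffer)
   if(input == NULL && inputLen != 0)
      return ERROR_INVALID_PARAMETER;

   //The customization string is read during initialization, so reject a
   //NULL pointer with a non-zero length before any memory is allocated
   if(custom == NULL && customLen != 0)
      return ERROR_INVALID_PARAMETER;

   if(output == NULL && outputLen != 0)
      return ERROR_INVALID_PARAMETER;

#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)
   //Allocate a memory buffer to hold the Ascon-CXOF128 context
   context = cryptoAllocMem(sizeof(AsconCxof128Context));
   //Failed to allocate memory?
   if(context == NULL)
      return ERROR_OUT_OF_MEMORY;
#endif

   //Initialize the Ascon-CXOF128 context
   error = asconCxof128Init(context, custom, customLen);

   //Check status code
   if(!error)
   {
      //Absorb input data
      asconCxof128Absorb(context, input, inputLen);
      //Finish absorbing phase
      asconCxof128Final(context);
      //Extract data from the squeezing phase
      asconCxof128Squeeze(context, output, outputLen);
   }

   //NOTE(review): the context still holds the permutation state and the last
   //output block at this point and is released without being cleared; confirm
   //whether callers that hash secret input need it wiped first

#if (CRYPTO_STATIC_MEM_SUPPORT == DISABLED)
   //Free previously allocated memory (also on the initialization error path)
   cryptoFreeMem(context);
#endif

   //Return status code
   return error;
}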
106 
107 
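/**
 * @brief Initialize Ascon-CXOF128 context
 *
 * Loads the Ascon-CXOF128 IV into the state, then absorbs the bit-length of
 * the customization string followed by the padded customization string
 * itself, applying Ascon-p[12] after each 64-bit block.
 *
 * @param[out] context Pointer to the Ascon-CXOF128 context to initialize
 * @param[in] custom Customization string (Z) (may be NULL only if customLen
 *   is zero)
 * @param[in] customLen Length of the customization string, in bytes
 * @return NO_ERROR on success, ERROR_INVALID_PARAMETER if context is NULL or
 *   custom is NULL with a non-zero length, ERROR_INVALID_LENGTH if customLen
 *   exceeds 256 bytes
 **/

error_t asconCxof128Init(AsconCxof128Context *context, const char_t *custom,
   size_t customLen)
{
   //Make sure the Ascon-CXOF128 context is valid
   if(context == NULL)
      return ERROR_INVALID_PARAMETER;

   //A non-empty customization string requires a valid pointer, otherwise
   //the block loop below would read through NULL
   if(custom == NULL && customLen != 0)
      return ERROR_INVALID_PARAMETER;

   //The length of the customization string shall be at most 2048 bits. This
   //check runs before the state is touched and also bounds customLen * 8
   if(customLen > 256)
      return ERROR_INVALID_LENGTH;

   //For domain separation, Ascon-CXOF128 uses a different IV than Ascon-XOF128
   context->state.x[0] = 0x00CC0004;
   context->state.x[1] = 0x00000800;
   context->state.x[2] = 0;
   context->state.x[3] = 0;
   context->state.x[4] = 0;
   context->state.x[5] = 0;
   context->state.x[6] = 0;
   context->state.x[7] = 0;
   context->state.x[8] = 0;
   context->state.x[9] = 0;

   //Apply Ascon-p[12] permutation
   asconP(&context->state, 12);

   //Z0 is a 64-bit integer that represents the bit-length of the customization
   //string
   STORE64LE(customLen * 8, context->buffer);

   //Update the state with Z0 (low 32 bits go to x[0], high 32 bits to x[1])
   context->state.x[0] ^= LOAD32LE(context->buffer);
   context->state.x[1] ^= LOAD32LE(context->buffer + 4);

   //Apply Ascon-p[12] permutation
   asconP(&context->state, 12);

   //The customization string Z is parsed into blocks
   while(customLen >= 8)
   {
      //Update the state with Zi
      context->state.x[0] ^= LOAD32LE(custom);
      context->state.x[1] ^= LOAD32LE(custom + 4);

      //Apply Ascon-p[12] permutation
      asconP(&context->state, 12);

      //Next block
      custom += 8;
      customLen -= 8;
   }

   //Partial block Zm~ is padded to a full block Zm. At this point customLen
   //is less than 8, so the padding byte always lands inside the block
   osMemset(context->buffer, 0, 8);

   //Skip the copy for an empty remainder, custom may be NULL in that case
   if(customLen > 0)
   {
      osMemcpy(context->buffer, custom, customLen);
   }

   context->buffer[customLen] = 0x01;

   //Update the state with Zm
   context->state.x[0] ^= LOAD32LE(context->buffer);
   context->state.x[1] ^= LOAD32LE(context->buffer + 4);

   //Apply Ascon-p[12] permutation
   asconP(&context->state, 12);

   //Number of bytes in the buffer
   context->length = 0;

   //Successful initialization
   return NO_ERROR;
}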
186 
187 
/**
 * @brief Absorb data
 *
 * Input bytes are collected in the context buffer. Each time 8 bytes are
 * available, the block is XORed into the state and Ascon-p[12] is applied.
 * A trailing partial block stays buffered for a later call.
 *
 * @param[in] context Pointer to the Ascon-CXOF128 context
 * @param[in] input Pointer to the buffer being hashed
 * @param[in] length Length of the buffer, in bytes
 **/

void asconCxof128Absorb(AsconCxof128Context *context, const void *input,
   size_t length)
{
   size_t chunk;
   const uint8_t *data;

   //Walk the input through a byte pointer
   data = (const uint8_t *) input;

   //Consume the input until nothing is left
   while(length > 0)
   {
      //Take as much as still fits into the 8-byte block buffer
      chunk = MIN(length, 8 - context->length);

      //Append the bytes to the buffer and account for them
      osMemcpy(context->buffer + context->length, data, chunk);
      context->length += chunk;

      //Move past the bytes that were just buffered
      data += chunk;
      length -= chunk;

      //An incomplete block is kept until more data arrives
      if(context->length != 8)
         continue;

      //Each complete 64-bit message block Mi is XORed with the state
      context->state.x[0] ^= LOAD32LE(context->buffer);
      context->state.x[1] ^= LOAD32LE(context->buffer + 4);

      //Every block handled here is followed by Ascon-p[12], the final block
      //Mn is processed when the absorbing phase is finished
      asconP(&context->state, 12);

      //The input buffer is empty again
      context->length = 0;
   }
}
232 
233 
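/**
 * @brief Finish absorbing phase
 *
 * Pads the buffered partial block, XORs it into the state, applies
 * Ascon-p[12] and stores the first 8-byte output block in the context buffer
 * so that squeezing can start.
 *
 * @param[in] context Pointer to the Ascon-CXOF128 context
 **/

void asconCxof128Final(AsconCxof128Context *context)
{
   size_t i;

   //Get the length of the partial block Mn~
   //NOTE(review): this index must be below 8. asconCxof128Absorb resets the
   //count whenever it reaches 8, but this function leaves it at 8, so a
   //second call without re-initializing the context would write buffer[8]
   i = context->length;

   //Appends a one followed by one or more zeroes to data
   context->buffer[i++] = 0x01;

   //Partial block Mn~ is padded to a full block Mn
   while(i < 8)
   {
      context->buffer[i++] = 0;
   }

   //The final block Mn is XORed with the state
   context->state.x[0] ^= LOAD32LE(context->buffer);
   context->state.x[1] ^= LOAD32LE(context->buffer + 4);

   //The squeezing phase begins with an application of Ascon-p[12] to the state
   asconP(&context->state, 12);

   //The value of S[0:63] is then taken as hash block H0
   STORE32LE(context->state.x[0], context->buffer);
   STORE32LE(context->state.x[1], context->buffer + 4);

   //Number of bytes available in the output buffer
   context->length = 8;
}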
269 
270 
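/**
 * @brief Extract data from the squeezing phase
 *
 * Output is served from the 8-byte block held in the context buffer. When
 * that block is used up, Ascon-p[12] is applied and the next block is stored.
 * The function reads the block and byte count that asconCxof128Final leaves
 * in the context, so it is meant to be called after asconCxof128Final.
 *
 * @param[in] context Pointer to the Ascon-CXOF128 context
 * @param[out] output Output string. If NULL, the requested bytes are
 *   generated and discarded
 * @param[in] length Desired output length, in bytes
 **/

void asconCxof128Squeeze(AsconCxof128Context *context, uint8_t *output,
   size_t length)
{
   size_t n;

   //An arbitrary number of output bits can be squeezed out of the state
   while(length > 0)
   {
      //Check whether more data is required
      if(context->length == 0)
      {
         //Apply Ascon-p[12] permutation
         asconP(&context->state, 12);

         //The value of S[0:63] is then taken as the next hash block
         STORE32LE(context->state.x[0], context->buffer);
         STORE32LE(context->state.x[1], context->buffer + 4);

         //Number of bytes available in the output buffer
         context->length = 8;
      }

      //Compute the number of bytes to process at a time
      n = MIN(length, context->length);

      //Copy the output string
      if(output != NULL)
      {
         //Unread bytes sit at the end of the 8-byte block
         osMemcpy(output, context->buffer + 8 - context->length, n);

         //Advance the data pointer. This is done only for a valid pointer
         //since arithmetic on a NULL pointer is undefined behavior
         output += n;
      }

      //Number of bytes available in the output buffer
      context->length -= n;

      //Number of bytes that remains to be written
      length -= n;
   }
}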
318 
319 #endif
#define STORE32LE(a, p)
Definition: cpu_endian.h:279
@ ERROR_OUT_OF_MEMORY
Definition: error.h:63
Ascon-CXOF128 customizable extendable-output function.
@ ERROR_INVALID_PARAMETER
Invalid parameter.
Definition: error.h:47
#define osMemcpy(dest, src, length)
Definition: os_port.h:144
error_t
Error codes.
Definition: error.h:43
uint32_t x[10]
Definition: ascon.h:49
error_t asconCxof128Init(AsconCxof128Context *context, const char_t *custom, size_t customLen)
Initialize Ascon-CXOF128 context.
Ascon-CXOF128 algorithm context.
Definition: ascon_cxof128.h:49
@ ERROR_INVALID_LENGTH
Definition: error.h:111
General definitions for cryptographic algorithms.
void asconCxof128Final(AsconCxof128Context *context)
Finish absorbing phase.
uint8_t length
Definition: tcp.h:375
#define MIN(a, b)
Definition: os_port.h:63
char char_t
Definition: compiler_port.h:55
uint8_t n
#define STORE64LE(a, p)
Definition: cpu_endian.h:311
error_t asconCxof128Compute(const void *input, size_t inputLen, const char_t *custom, size_t customLen, uint8_t *output, size_t outputLen)
Digest a message using Ascon-CXOF128.
Definition: ascon_cxof128.c:59
#define cryptoFreeMem(p)
Definition: crypto.h:826
#define cryptoAllocMem(size)
Definition: crypto.h:821
void asconCxof128Squeeze(AsconCxof128Context *context, uint8_t *output, size_t length)
Extract data from the squeezing phase.
void asconCxof128Absorb(AsconCxof128Context *context, const void *input, size_t length)
Absorb data.
#define LOAD32LE(p)
Definition: cpu_endian.h:203
#define osMemset(p, value, length)
Definition: os_port.h:138
@ NO_ERROR
Success.
Definition: error.h:44
void asconP(AsconState *s, uint_t nr)
Ascon-p[rnd] permutation.
Definition: ascon.c:63