KangarooTwelve

[MarekKnapek]

Checklist

• documentation is added or updated
• tests are added or updated

[sjaeckel]

I guess you're missing something there.

hash_state is a union, i.e. it would be valid to do the following:

struct sha3_state st;
sha3_shake_init((hash_state*)&st, 128);

https://godbolt.org/z/Wq3oaETcE

Please revert this change, I'd prefer to keep the codebase of all the algorithms similar.

[MarekKnapek]

Yes, that works, but. I need to keep the two SHAKE states inside a KT state between invocations of the init/process/done functions. And because of the union thing, the KT state would be unnecessary big. Keeping state for other hashes that we don't care about inside KT logic. Do you prefer me reverting this or changing every other algorithm to use its own state instead?

// Edit: Oh, I misunderstood. Now I get it. I will do the change you propose.

[sjaeckel]

Thanks a lot!

Very good PR :)

Thanks for updating the docs ❤️

What do you think of my suggestions?

[sjaeckel]

Could this maybe be done with the base16_decode() API?

[MarekKnapek]

Yes, fixed.

[sjaeckel]

I very much like the idea where this is going to! 👍 💯

How about:

Suggested change

	static LTC_INLINE int s_turbo_shake_test_one(int bits_count, long input_bytes_count, long skip_digest_bytes, long digest_bytes_count, int counter, char const *expected_digest_hex)
	typedef struct turbo_shake_test {
	int bits_count;
	unsigned long input_bytes_count, skip_digest_bytes, digest_bytes_count;
	const char *expected_digest_hex;
	} turbo_shake_test;
	static LTC_INLINE int s_turbo_shake_test_one(const turbo_shake_test *testcase, int counter)

[MarekKnapek]

Yes, fixed.

[sjaeckel]

The usual way in C is to use const char* as type. They're equivalent but I'd prefer to keep it like that.

[MarekKnapek]

Removed in favor of base16_decode.

[sjaeckel]

And then instead of those n calls

const turbo_shake_test testcases[] = {
   { 128, 0, 0, 32, "1e415f1c5983aff2169217277d17bb538cd945a397ddec541f1ce41af2c1b74c" },
   { 128, 0, 0, 64, "1e415f1c5983aff2169217277d17bb538cd945a397ddec541f1ce41af2c1b74c3e8ccae2a4dae56c84a04c2385c03c15e8193bdf58737363321691c05462c8df" },
   ...
};
for (counter = 0; counter < LTC_ARRAY_SIZE(testcases); counter++) {
   if ((err = s_turbo_shake_test_one(&testcases[counter], counter)) != CRYPT_OK) {
      return err;
   }
}
return CRYPT_OK;

[MarekKnapek]

Yes, fixed.

[sjaeckel]

I overlooked that at the first review.

Thanks for reverting the first commit, the changes look a lot better now.

[sjaeckel]

Suggested change

	#if defined(LTC_TURBO_SHAKE) && !defined(LTC_SHA3)
	#error LTC_TURBO_SHAKE requires LTC_SHA3
	#endif
	#if defined(LTC_KANGAROO_TWELVE) && !defined(LTC_TURBO_SHAKE)
	#error LTC_KANGAROO_TWELVE requires LTC_TURBO_SHAKE
	#endif

I already forgot that in the TurboShake PR ... we should check that our dependencies are fulfilled and highlight what's maybe missing.

[MarekKnapek]

Yes, fixed.

[sjaeckel]

Suggested change

	#define LTC_KT
	#define LTC_KANGAROO_TWELVE

Even though I'm a huge fan of short names, KT is even too short for me 😜

And the API should also be renamed accordingly please s/kt_/kangaroo_twelve_/g.

[MarekKnapek]

Yes, fixed. What about the function names?

[sjaeckel]

Yes, fixed. What about the function names?

The API should also be renamed accordingly please s/kt_/kangaroo_twelve_/g.

[MarekKnapek]

Yes, fixed.

[sjaeckel]

Can one also append customization bytes in multiple calls?

I'm just asking.

And is the result of kt_customization("foobar"); the same as of kt_customization("foo"); kt_customization("bar");?

[sjaeckel]

OK, so the RFC specifies that we MAY propose an incremental interface, for either M or C, so we should also document that somewhere what we support.

I just had a look at the RFC for the first time ... the D isn't fixed to 0x1F, maybe it'd make sense to add support for variable D in a future PR. But now we focus on KT.

[MarekKnapek]

Yes, the customization could be appended multiple times. And yes, about the foobar==foo+bar. You can append unlimited amount of customization bytes, up to unsigned long count, if you want to append more, we should change the variable type holding the number of customization bytes added. To 128 bit number or even larger one. The project https://github.com/kerukuro/digestpp is quite limited in this regard, it holds the entire customization string in memory at once. My implementation holds only the SHAKE state. They also hold a 8 kB buffer, I hold a SHAKE state instead.

[sjaeckel]

Suggested change

	int err;
	hash_state md;
	long offset;
	long rem;
	long count;
	unsigned char input[1024];
	unsigned char digest[64];
	char const *expected_hex;
	unsigned char expected_digest_bin[sizeof(digest)];
	LTC_ARGCHK(bits_count == 128 || bits_count == 256);
	LTC_ARGCHK(input_bytes_count >= 0);
	LTC_ARGCHK(skip_digest_bytes >= 0);
	LTC_ARGCHK(digest_bytes_count >= 1);
	LTC_ARGCHK(counter >= 0);
	LTC_ARGCHK(expected_digest_hex && expected_digest_hex[0] != '\0');
	if ((err = turbo_shake_init(&md, bits_count)) != CRYPT_OK) return err;
	offset = 0;
	rem = input_bytes_count;
	do
	{
	count = rem < ((long)(sizeof(input))) ? rem : ((long)(sizeof(input)));
	if ((err = s_turbo_shake_generate_ptn(&input[0], offset, count)) != CRYPT_OK) return err;
	if ((err = turbo_shake_process(&md, &input[0], count)) != CRYPT_OK) return err;
	offset += count;
	rem -= count;
	}while(rem != 0);
	rem = skip_digest_bytes;
	do
	{
	count = rem < ((long)(sizeof(digest))) ? rem : ((long)(sizeof(digest)));
	if ((err = turbo_shake_done(&md, &digest[0], count)) != CRYPT_OK) return err;
	rem -= count;
	}while(rem != 0);
	rem = digest_bytes_count;
	expected_hex = expected_digest_hex;
	do
	{
	count = rem < ((long)(sizeof(digest))) ? rem : ((long)(sizeof(digest)));
	if ((err = s_turbo_shake_hex_to_bin(&expected_hex[0], &expected_digest_bin[0], count)) != CRYPT_OK) return err;
	if ((err = turbo_shake_done(&md, &digest[0], count)) != CRYPT_OK) return err;
	LTC_COMPARE_TESTVECTOR(digest, count, expected_digest_bin, count, "TurboSHAKE", counter);
	rem -= count;
	expected_digest_hex += count * 2;
	}while(rem != 0);
	return CRYPT_OK;
	int err;
	hash_state md;
	unsigned long offset, rem, count;
	unsigned char input[1024];
	unsigned char digest[64];
	char const *expected_hex;
	unsigned char expected_digest_bin[sizeof(digest)];
	LTC_ARGCHK(bits_count == 128 || bits_count == 256);
	LTC_ARGCHK(input_bytes_count >= 0);
	LTC_ARGCHK(skip_digest_bytes >= 0);
	LTC_ARGCHK(digest_bytes_count >= 1);
	LTC_ARGCHK(counter >= 0);
	LTC_ARGCHK(expected_digest_hex && expected_digest_hex[0] != '\0');
	if ((err = turbo_shake_init(&md, bits_count)) != CRYPT_OK) return err;
	offset = 0;
	rem = input_bytes_count;
	do {
	count = rem < sizeof(input) ? rem : sizeof(input);
	if ((err = s_turbo_shake_generate_ptn(input, offset, count)) != CRYPT_OK) return err;
	if ((err = turbo_shake_process(&md, input, count)) != CRYPT_OK) return err;
	offset += count;
	rem -= count;
	} while(rem != 0);
	rem = skip_digest_bytes;
	do {
	count = rem < sizeof(digest) ? rem : sizeof(digest);
	if ((err = turbo_shake_done(&md, digest, count)) != CRYPT_OK) return err;
	rem -= count;
	} while(rem != 0);
	rem = digest_bytes_count;
	expected_hex = expected_digest_hex;
	do {
	count = rem < sizeof(digest) ? rem : sizeof(digest);
	if ((err = s_turbo_shake_hex_to_bin(expected_hex, expected_digest_bin, count)) != CRYPT_OK) return err;
	if ((err = turbo_shake_done(&md, digest, count)) != CRYPT_OK) return err;
	LTC_COMPARE_TESTVECTOR(digest, count, expected_digest_bin, count, "TurboSHAKE", counter);
	rem -= count;
	expected_digest_hex += count * 2;
	} while(rem != 0);
	return CRYPT_OK;

Three more things I just saw, which I also missed in the first two reviews 😬 (I should focus more, but it's a lot of changes, so it's hard to do that while also doing my regular work).

1. we usually use the nearest correct type, so for sizes it should be unsigned long most of the time. (The correct type would be size_t, but that move didn't happen yet...)
2. we try to use the implicit meaning of statements. If you use &foo[0] in an API call, where foo is an array of something and the API expects a pointer, simply use foo there. Keep the usage of &foo[n] for the cases where you explicitly index into the array. It makes reading the code easier.
3. Try to mimick the code style used in the recent changes. I know, we should have an auto-formatter, but that's something for the future.

[MarekKnapek]

Yes, fixed.