- 7503D06B8F87F1CD8A4246A7BAF27BA9431646E65F07FEA64173F24852BE71DC493C3E866D5C16F6723F80C6E6ED1479A46FAC9DEA5FDF02B0387724BDB99E08+ 61F4B1AF5F2E4E92139B90F8BBA051A5C52AF6E07D8563EED9ABD841A4415BFE1FA8F73BA2A421F6D0557E136A8BAEFB17DD3C2C3C7E82F210CE0187455AB37Aeucrypt/smg_keccak/smg_keccak.ads(3 . 7)(3 . 13)
260 -- (Based on The Keccak Reference, Version 3.0, January 14, 2011, by
261 -- Guido Bertoni, Joan Daemen, Michael Peeters and Gilles Van Assche)
262
263 -- NB: this is a byte-level (octet) implementation!
264 -- Input/output are always multiple of octets, NOT bits.
265
266 -- S.MG, 2018
267 with Ada.Unchecked_Conversion; --for byteword to zword
268 with Interfaces.C;
269 with Interfaces;
270
271 package SMG_Keccak is
272 pragma Pure(SMG_Keccak); --stateless, no side effects -> can cache calls
(13 . 7)(19 . 7)
274 --therefore keccak function 1600 with current
275 --constants (5*5*2^6)
276
277 Default_Bitrate: constant := 1344; --max bits the sponge can eat/spit without
278 Default_Byterate: constant := 168;--max octets the sponge can eat/spit without
279 --needing to scramble the state
280
281 --constants: dimensions of keccak state and number of rounds
(33 . 47)(39 . 85)
283
284 type Round_Constants is array(Round_Index) of ZWord; --magic keccak constants
285
286 -- rate can be chosen by caller at each call, between 1 and width of state
287 -- higher rate means sponge "eats" more bits at a time but has fewer bits in
288 -- the "secret" part of the state (i.e. lower capacity)
289 subtype Keccak_Rate is Positive range 1..Width; -- capacity = width - rate
290
291 type Bit is mod 2;
292 type Bitstream is array( Natural range <> ) of Bit; -- any length; message
293 subtype Bitword is Bitstream( 0..Z_Length - 1 ); -- bits of one state "word"
294 -- rate can be chosen by caller at each call, between 1 and width of state /8
295 -- higher rate means sponge "eats" more octets at a time but has fewer octets
296 -- in the "secret" part of the state (i.e. lower capacity)
297 subtype Keccak_Rate is Positive range 1..Width/8; -- capacity = width - rate
298
299 type Bytestream is array( Natural range <> ) of Interfaces.Unsigned_8;
300 subtype Byteword is Bytestream( 0..Z_Length/8-1); --octets of one state "word"
301 function Cast is new Ada.Unchecked_Conversion (Byteword, ZWord);
302 function Cast is new Ada.Unchecked_Conversion (ZWord, Byteword);
303
304 -- type conversions
305 function BitsToWord( BWord : in Bitword ) return ZWord;
306 function WordToBits( Word : in ZWord ) return Bitword;
307 -- NB: those are NOT perfect opposites!
308 -- BytesToWord assumes input is raw and in LSB order, will flip on MSB iron
309 -- WordToBytes assumes input is MSB and will flip on LSB
310 -- This is because the Sponge squeezes MSB but absorbs LSB...
311 function BytesToWordLE( BWord : in Byteword ) return ZWord;
312 function WordToBytesBE( Word : in ZWord ) return Byteword;
313
314 -- flip input octets (i.e. groups of 8 bits)
315 function FlipOctets( BWord : in Bitword ) return Bitword;
316 function FlipOctets( BWord : in Byteword ) return Byteword;
317
318 -- public function, the sponge itself
319 -- Keccak sponge structure using Keccak_Function, Pad and a given bitrate;
320 -- Keccak sponge structure using Keccak_Function, Pad and a given octetrate;
321 -- Input - the stream of bits to hash (the message)
322 -- Output - a bitstream of desired size for holding output
323 -- Block_Len - the bitrate to use; this is effectively the block length
324 -- Output - a bytestream of desired size for holding output
325 -- Block_Len - the octetrate to use; this is effectively the block length
326 -- for splitting Input AND squeezing output between scrambles
327 procedure Sponge(Input : in Bitstream;
328 Output : out Bitstream;
329 Block_Len : in Keccak_Rate := Default_Bitrate );
330
331 procedure Sponge(Input : in Bytestream;
332 Output : out Bytestream;
333 Block_Len : in Keccak_Rate := Default_Byterate );
334
335 Reverse_Table : constant array(0..255) of Interfaces.Unsigned_8 := (
336 16#00#, 16#80#, 16#40#, 16#C0#, 16#20#, 16#A0#, 16#60#, 16#E0#,
337 16#10#, 16#90#, 16#50#, 16#D0#, 16#30#, 16#B0#, 16#70#, 16#F0#,
338 16#08#, 16#88#, 16#48#, 16#C8#, 16#28#, 16#A8#, 16#68#, 16#E8#,
339 16#18#, 16#98#, 16#58#, 16#D8#, 16#38#, 16#B8#, 16#78#, 16#F8#,
340 16#04#, 16#84#, 16#44#, 16#C4#, 16#24#, 16#A4#, 16#64#, 16#E4#,
341 16#14#, 16#94#, 16#54#, 16#D4#, 16#34#, 16#B4#, 16#74#, 16#F4#,
342 16#0C#, 16#8C#, 16#4C#, 16#CC#, 16#2C#, 16#AC#, 16#6C#, 16#EC#,
343 16#1C#, 16#9C#, 16#5C#, 16#DC#, 16#3C#, 16#BC#, 16#7C#, 16#FC#,
344 16#02#, 16#82#, 16#42#, 16#C2#, 16#22#, 16#A2#, 16#62#, 16#E2#,
345 16#12#, 16#92#, 16#52#, 16#D2#, 16#32#, 16#B2#, 16#72#, 16#F2#,
346 16#0A#, 16#8A#, 16#4A#, 16#CA#, 16#2A#, 16#AA#, 16#6A#, 16#EA#,
347 16#1A#, 16#9A#, 16#5A#, 16#DA#, 16#3A#, 16#BA#, 16#7A#, 16#FA#,
348 16#06#, 16#86#, 16#46#, 16#C6#, 16#26#, 16#A6#, 16#66#, 16#E6#,
349 16#16#, 16#96#, 16#56#, 16#D6#, 16#36#, 16#B6#, 16#76#, 16#F6#,
350 16#0E#, 16#8E#, 16#4E#, 16#CE#, 16#2E#, 16#AE#, 16#6E#, 16#EE#,
351 16#1E#, 16#9E#, 16#5E#, 16#DE#, 16#3E#, 16#BE#, 16#7E#, 16#FE#,
352 16#01#, 16#81#, 16#41#, 16#C1#, 16#21#, 16#A1#, 16#61#, 16#E1#,
353 16#11#, 16#91#, 16#51#, 16#D1#, 16#31#, 16#B1#, 16#71#, 16#F1#,
354 16#09#, 16#89#, 16#49#, 16#C9#, 16#29#, 16#A9#, 16#69#, 16#E9#,
355 16#19#, 16#99#, 16#59#, 16#D9#, 16#39#, 16#B9#, 16#79#, 16#F9#,
356 16#05#, 16#85#, 16#45#, 16#C5#, 16#25#, 16#A5#, 16#65#, 16#E5#,
357 16#15#, 16#95#, 16#55#, 16#D5#, 16#35#, 16#B5#, 16#75#, 16#F5#,
358 16#0D#, 16#8D#, 16#4D#, 16#CD#, 16#2D#, 16#AD#, 16#6D#, 16#ED#,
359 16#1D#, 16#9D#, 16#5D#, 16#DD#, 16#3D#, 16#BD#, 16#7D#, 16#FD#,
360 16#03#, 16#83#, 16#43#, 16#C3#, 16#23#, 16#A3#, 16#63#, 16#E3#,
361 16#13#, 16#93#, 16#53#, 16#D3#, 16#33#, 16#B3#, 16#73#, 16#F3#,
362 16#0B#, 16#8B#, 16#4B#, 16#CB#, 16#2B#, 16#AB#, 16#6B#, 16#EB#,
363 16#1B#, 16#9B#, 16#5B#, 16#DB#, 16#3B#, 16#BB#, 16#7B#, 16#FB#,
364 16#07#, 16#87#, 16#47#, 16#C7#, 16#27#, 16#A7#, 16#67#, 16#E7#,
365 16#17#, 16#97#, 16#57#, 16#D7#, 16#37#, 16#B7#, 16#77#, 16#F7#,
366 16#0F#, 16#8F#, 16#4F#, 16#CF#, 16#2F#, 16#AF#, 16#6F#, 16#EF#,
367 16#1F#, 16#9F#, 16#5F#, 16#DF#, 16#3F#, 16#BF#, 16#7F#, 16#FF#);
368 private
369 -- these are internals of the keccak implementation, not meant to be directly
370 -- accessed/used
371
372 -- this will squeeze Block'Length bits out of state S
373 -- this will squeeze Block'Length octets out of state S
374 -- NO scramble of state in here!
375 -- NB: make SURE that Block'Length is the correct bitrate for this sponge
376 -- in particular, Block'Length should be a correct bitrate aka LESS than Width
377 procedure SqueezeBlock( Block: out Bitstream; S: in State);
378 -- NB: make SURE that Block'Length is the correct octetrate for this sponge
379 -- esp: Block'Length should be a correct octetrate aka LESS than Width/8
380 procedure SqueezeBlock( Block: out Bytestream; S: in State);
381
382 -- This absorbs into sponge the given block, modifying the state accordingly
383 -- NO scramble of state in here so make sure the whole Block fits in state!
384 -- NB: make SURE that Block'Length is *the correct bitrate* for this sponge
385 -- in particular, Block'Length should be a correct bitrate aka LESS than Width
386 procedure AbsorbBlock( Block: in Bitstream; S: in out State );
387 -- NB: make SURE that Block'Length is *the correct byterate* for this sponge
388 -- esp: Block'Length should be a correct byterate aka LESS than Width
389 procedure AbsorbBlock( Block: in Bytestream; S: in out State );
390
391 --Keccak magic numbers
392 RC : constant Round_Constants :=