Add Internal SHAKE interfaces and their NIST test vectors.

[manastasova]

Issues:

CryptoAlg-1171

Add SHAKE128 and SHAKE256 internal interface support for later use in the PQ protocols. Add NIST test vector checks.

Description of changes:

Add SHAKE128 and SHAKE256 support. Test the correctness through SHAKE128Test.NISTTestVectors andSHAKE256Test.NISTTestVectors added from NIST Test Vectors for SHAKE https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/secure-hashing.

Detailed description of the applied changes is presented in CryptoAlg-1171?selectedConversation=3abf0a8b-88db-4e0e-b124-9dfc8701c89b.

Testing:

Testing of the correct assembly code integration is performed by corrupting the assembly code asserting failure.

TestVectors SHAKE128
SHAKE128Test.NISTTestVectors

TestVectors SHAKE1256
SHAKE256Test.NISTTestVectors

Keep the SHA3 tests:
TestVectors SHA3-XXX
./crypto/crypto_test --gtest_filter=DigestTest.TestVectors

SpeedTest SHA3-XXX
./tool/bssl speed -filter SHA3-XXX

Exhaustive TestVectors SHA3-XXX
./crypto/crypto_test --gtest_filter=SHA3Test.NISTTestVectors
./crypto/crypto_test --gtest_filter=SHA3Test.NISTTestVectors_SingleShot

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[dkostic]

few things before we continue:

• is this value Keccak specific or SHA3/SHAKE specific? If Keccak specific then I'd prefer Keccak in the name
• is there a simpler way to define what capacity is?
• can we define capacity in the code comment before explaining what increases/decreases?

[dkostic]

Nit: digest size or output size? I think SHAKE is XOF not MD, right?

[manastasova]

True. Sorry for this mistake! Fixed.

[dkostic]

same as above

[manastasova]

Thanks.

[dkostic]

what if pad is some value that's different from both SHA3_PAD_CHAR and SHAKE_PAD_CHAR?

[manastasova]

I added return 0 case since a wrong result will be produced if not. Sorry for this.

[dkostic]

didn't we get rid of these in the SHA3 tests? Can we do it here as well?

[manastasova]

I will keep the branch updated with main. Sorry for this.

[dkostic]

Suggested change

	// In the sponge construction, the width of the underlying
	// function minus the rate (the block size in bits).
	// The |SHA3_MIN_CAPACITY_BYTES| corresponds to the
	// lowest security level capacity for SHA3/SHAKE.
	// In the sponge construction, capacity is the width of the underlying function
	// minus the rate. In case of SHA3 and SHAKE, the underlying function is Keccak
	// and the rate is the block size of a specific instantiation of SHA3 or SHAKE.
	// |SHA3_MIN_CAPACITY_BYTES| corresponds to the minimum capacity taking into
	// account all the instantiations of SHA3 and SHAKE we implement: SHA3-256,
	// SHAKE128, SHAKE256. Since the block size of SHAKE128 is the largest among
	// those, we compute the minimum capacity by subtracting SHA128 block size from
	// Keccak width.

[manastasova]

Thank you so much. I have fixed it. I added the source for the capacity definition as NIST FIPS202:
// [NIST FIPS202] Capacity: In the sponge construction,

[dkostic]

these lines seem misplaced, so I would delete them from here.

[manastasova]

I just fixed that! Sorry.

[nebeid]

Can we use std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_length]; here and in previous occurrences? Static analysis is seeing it as resource leak in the previous occurrences. I saw the unique_ptr usage in other test files.