Rename Absorb and Squeeze functions to Keccak1600_ layer specific

Clean redefinition of SHAKE blocksize/rate macros; Update their use inside MLKEM and MLDSA.

Author: manastasova

crypto/dilithium/pqcrystals_dilithium_ref_common/params.h

@@ -41,7 +41,7 @@ typedef struct {
 #define ML_DSA_L_MAX (7)
 #define ML_DSA_C_TILDE_BYTES_MAX (64)
 #define ML_DSA_POLYW1_PACKEDBYTES_MAX (192)
-#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_RATE - 1)/SHAKE256_RATE)
+#define ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX ((227 + SHAKE256_BLOCKSIZE - 1)/SHAKE256_BLOCKSIZE)
 #define ML_DSA_POLYZ_PACKEDBYTES_MAX (576)
 
 void ml_dsa_44_params_init(ml_dsa_params *params);

crypto/dilithium/pqcrystals_dilithium_ref_common/poly.c

@@ -301,14 +301,14 @@ static unsigned int ml_dsa_rej_uniform(int32_t *a,
 *              - const uint8_t seed[]: byte array with seed of length SEEDBYTES
 *              - uint16_t nonce: 2-byte nonce
 **************************************************/
-#define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_RATE - 1)/ SHAKE128_RATE)
+#define POLY_UNIFORM_NBLOCKS ((768 + SHAKE128_BLOCKSIZE - 1)/ SHAKE128_BLOCKSIZE)
 void ml_dsa_poly_uniform(ml_dsa_poly *a,
                   const uint8_t seed[ML_DSA_SEEDBYTES],
                   uint16_t nonce)
 {
   unsigned int i, ctr, off;
-  unsigned int buflen = POLY_UNIFORM_NBLOCKS*SHAKE128_RATE;
-  uint8_t buf[POLY_UNIFORM_NBLOCKS*SHAKE128_RATE + 2];
+  unsigned int buflen = POLY_UNIFORM_NBLOCKS*SHAKE128_BLOCKSIZE;
+  uint8_t buf[POLY_UNIFORM_NBLOCKS*SHAKE128_BLOCKSIZE + 2];
   KECCAK1600_CTX state;
 
   uint8_t t[2];
@@ -328,7 +328,7 @@ void ml_dsa_poly_uniform(ml_dsa_poly *a,
       buf[i] = buf[buflen - off + i];
 
     SHAKE_Final(buf + off, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
-    buflen = SHAKE128_RATE + off;
+    buflen = SHAKE128_BLOCKSIZE + off;
     ctr += ml_dsa_rej_uniform(a->coeffs + ctr, ML_DSA_N - ctr, buf, buflen);
   }
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
@@ -409,8 +409,8 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params,
                       uint16_t nonce)
 {
   unsigned int ctr;
-  unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE;
-  uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_RATE];
+  unsigned int buflen = ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE;
+  uint8_t buf[ML_DSA_POLY_UNIFORM_ETA_NBLOCKS_MAX * SHAKE256_BLOCKSIZE];
   KECCAK1600_CTX state;
 
   uint8_t t[2];
@@ -426,7 +426,7 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params,
 
   while(ctr < ML_DSA_N) {
     SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE);
-    ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_RATE);
+    ctr += rej_eta(params, a->coeffs + ctr, ML_DSA_N - ctr, buf, SHAKE256_BLOCKSIZE);
   }
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   OPENSSL_cleanse(buf, sizeof(buf));
@@ -445,13 +445,13 @@ void ml_dsa_poly_uniform_eta(ml_dsa_params *params,
 *              - const uint8_t seed[]: byte array with seed of length CRHBYTES
 *              - uint16_t nonce: 16-bit nonce
 **************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_RATE - 1) / SHAKE256_RATE)
+#define POLY_UNIFORM_GAMMA1_NBLOCKS ((ML_DSA_POLYZ_PACKEDBYTES_MAX + SHAKE256_BLOCKSIZE - 1) / SHAKE256_BLOCKSIZE)
 void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params,
                                 ml_dsa_poly *a,
                                 const uint8_t seed[ML_DSA_CRHBYTES],
                                 uint16_t nonce)
 {
-  uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_RATE];
+  uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * SHAKE256_BLOCKSIZE];
   KECCAK1600_CTX state;
 
   uint8_t t[2];
@@ -483,7 +483,7 @@ void ml_dsa_poly_uniform_gamma1(ml_dsa_params *params,
 void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t *seed) {
   unsigned int i, b, pos;
   uint64_t signs;
-  uint8_t buf[SHAKE256_RATE];
+  uint8_t buf[SHAKE256_BLOCKSIZE];
   KECCAK1600_CTX state;
 
   SHAKE_Init(&state, SHAKE256_BLOCKSIZE);
@@ -501,7 +501,7 @@ void ml_dsa_poly_challenge(ml_dsa_params *params, ml_dsa_poly *c, const uint8_t
   }
   for(i = ML_DSA_N-params->tau; i < ML_DSA_N; ++i) {
     do {
-      if(pos >= SHAKE256_RATE) {
+      if(pos >= SHAKE256_BLOCKSIZE) {
         SHAKE_Final(buf, &state, SHAKE256_BLOCKSIZE);
         pos = 0;
       }

crypto/fipsmodule/ml_kem/ml_kem_ref/symmetric-shake.c

@@ -37,7 +37,7 @@ void kyber_shake128_absorb(KECCAK1600_CTX *ctx,
 * Name:        kyber_shake128_squeeze
 *
 * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
-*              SHAKE128_RATE bytes each. Can be called multiple times
+*              SHAKE128_BLOCKSIZE bytes each. Can be called multiple times
 *              to keep squeezing. Assumes new block has not yet been
 *              started.
 *

crypto/fipsmodule/sha/asm/keccak1600-armv8.pl

@@ -343,10 +343,10 @@
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
 .size	KeccakF1600,.-KeccakF1600
-.globl	SHA3_Absorb_hw
-.type	SHA3_Absorb_hw,%function
+.globl	Keccak1600_Absorb_hw
+.type	Keccak1600_Absorb_hw,%function
 .align	5
-SHA3_Absorb_hw:
+Keccak1600_Absorb_hw:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-128]!
 	add	x29,sp,#0
@@ -438,15 +438,15 @@
 	ldp	x29,x30,[sp],#128
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Absorb_hw,.-SHA3_Absorb_hw
+.size	Keccak1600_Absorb_hw,.-Keccak1600_Absorb_hw
 ___
 {
 my ($A_flat,$out,$len,$bsz) = map("x$_",(19..22));
 $code.=<<___;
-.globl	SHA3_Squeeze_hw
-.type	SHA3_Squeeze_hw,%function
+.globl	Keccak1600_Squeeze_hw
+.type	Keccak1600_Squeeze_hw,%function
 .align	5
-SHA3_Squeeze_hw:
+Keccak1600_Squeeze_hw:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-48]!
 	add	x29,sp,#0
@@ -512,7 +512,7 @@
 	ldp	x29,x30,[sp],#48
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Squeeze_hw,.-SHA3_Squeeze_hw
+.size	Keccak1600_Squeeze_hw,.-Keccak1600_Squeeze_hw
 ___
 }								}}}
 								{{{
@@ -650,10 +650,10 @@
 my ($ctx,$inp,$len,$bsz) = map("x$_",(0..3));
 
 $code.=<<___;
-.globl	SHA3_Absorb_cext
-.type	SHA3_Absorb_cext,%function
+.globl	Keccak1600_Absorb_cext
+.type	Keccak1600_Absorb_cext,%function
 .align	5
-SHA3_Absorb_cext:
+Keccak1600_Absorb_cext:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-80]!
 	add	x29,sp,#0
@@ -722,16 +722,16 @@
 	ldp	x29,x30,[sp],#80
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Absorb_cext,.-SHA3_Absorb_cext
+.size	Keccak1600_Absorb_cext,.-Keccak1600_Absorb_cext
 ___
 }
 {
 my ($ctx,$out,$len,$bsz) = map("x$_",(0..3));
 $code.=<<___;
-.globl	SHA3_Squeeze_cext
-.type	SHA3_Squeeze_cext,%function
+.globl	Keccak1600_Squeeze_cext
+.type	Keccak1600_Squeeze_cext,%function
 .align	5
-SHA3_Squeeze_cext:
+Keccak1600_Squeeze_cext:
 	AARCH64_SIGN_LINK_REGISTER
 	stp	x29,x30,[sp,#-16]!
 	add	x29,sp,#0
@@ -787,7 +787,7 @@
 	ldr	x29,[sp],#16
 	AARCH64_VALIDATE_LINK_REGISTER
 	ret
-.size	SHA3_Squeeze_cext,.-SHA3_Squeeze_cext
+.size	Keccak1600_Squeeze_cext,.-Keccak1600_Squeeze_cext
 ___
 }								}}}
 $code.=<<___;

crypto/fipsmodule/sha/internal.h

@@ -39,7 +39,7 @@ extern "C" {
 
 // SHA3 constants, from NIST FIPS202.
 // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
-#define SHA3_ROWS 5
+#define KECCAK1600_ROWS 5
 #define KECCAK1600_WIDTH 1600
 
 #define SHA3_224_CAPACITY_BYTES 56
@@ -64,11 +64,9 @@ extern "C" {
 // SHAKE constants, from NIST FIPS202.
 // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
 #define SHAKE_PAD_CHAR 0x1F
-#define SHAKE128_BLOCKSIZE (KECCAK1600_WIDTH - 128 * 2) / 8
-#define SHAKE256_BLOCKSIZE (KECCAK1600_WIDTH - 256 * 2) / 8
-#define SHAKE128_RATE 168
-#define SHAKE256_RATE 136
-#define XOF_BLOCKBYTES SHAKE128_RATE
+#define SHAKE128_BLOCKSIZE ((KECCAK1600_WIDTH - 128 * 2) / 8)
+#define SHAKE256_BLOCKSIZE ((KECCAK1600_WIDTH - 256 * 2) / 8)
+#define XOF_BLOCKBYTES SHAKE128_BLOCKSIZE
 
 // SHAKE128 has the maximum block size among the SHA3/SHAKE algorithms.
 #define SHA3_MAX_BLOCKSIZE SHAKE128_BLOCKSIZE
@@ -78,7 +76,7 @@ typedef struct keccak_st KECCAK1600_CTX;
 // The data buffer should have at least the maximum number of
 // block size bytes to fit any SHA3/SHAKE block length.
 struct keccak_st {
-  uint64_t A[SHA3_ROWS][SHA3_ROWS];
+  uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS];
   size_t block_size;                               // cached ctx->digest->block_size
   size_t md_size;                                  // output length, variable in XOF (SHAKE)
   size_t buf_load;                                 // used bytes in below buffer
@@ -400,41 +398,41 @@ OPENSSL_EXPORT uint8_t *SHAKE256(const uint8_t *data, const size_t in_len,
 
 // SHAKE_Init initializes |ctx| with specified |block_size|, returns 1 on
 // success and 0 on failure. Calls SHA3_Init under the hood.
-OPENSSL_EXPORT int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size);
+int SHAKE_Init(KECCAK1600_CTX *ctx, size_t block_size);
 
 // SHAKE_Final writes |len| bytes of finalized digest to |md|, returns 1 on
 // success and 0 on failure. Calls SHA3_Final under the hood.
-OPENSSL_EXPORT int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len);
+int SHAKE_Final(uint8_t *md, KECCAK1600_CTX *ctx, size_t len);
 
 // SHA3_Reset zeros the bitstate and the amount of processed input.
-OPENSSL_EXPORT void SHA3_Reset(KECCAK1600_CTX *ctx);
+void SHA3_Reset(KECCAK1600_CTX *ctx);
 
 // SHA3_Init initialises |ctx| fields and returns 1 on success and 0 on failure.
 OPENSSL_EXPORT int SHA3_Init(KECCAK1600_CTX *ctx, uint8_t pad,
                              size_t bitlen);
 
 // SHA3_Update processes all data blocks that don't need pad through
-// |SHA3_Absorb| and returns 1 and 0 on failure.
-OPENSSL_EXPORT int SHA3_Update(KECCAK1600_CTX *ctx, const void *data,
+// |Keccak1600_Absorb| and returns 1 and 0 on failure.
+int SHA3_Update(KECCAK1600_CTX *ctx, const void *data,
                                size_t len);
 
-// SHA3_Final pads the last data block and processes it through |SHA3_Absorb|.
-// It processes the data through |SHA3_Squeeze| and returns 1 and 0 on failure.
-OPENSSL_EXPORT int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx);
+// SHA3_Final pads the last data block and processes it through |Keccak1600_Absorb|.
+// It processes the data through |Keccak1600_Squeeze| and returns 1 and 0 on failure.
+int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx);
 
-// SHA3_Absorb processes the largest multiple of |r| out of |len| bytes and
+// Keccak1600_Absorb processes the largest multiple of |r| out of |len| bytes and
 // returns the remaining number of bytes.
-OPENSSL_EXPORT size_t SHA3_Absorb(uint64_t A[SHA3_ROWS][SHA3_ROWS],
+size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS],
                                   const uint8_t *data, size_t len, size_t r);
 
-// SHA3_Squeeze generates |out| value of |len| bytes (per call). It can be called
+// Keccak1600_Squeeze generates |out| value of |len| bytes (per call). It can be called
 // multiple times when used as eXtendable Output Function. |padded| indicates
-// whether it is the first call to SHA3_Squeeze; i.e., if the current block has
-// been already processed and padded right after the last call to SHA3_Absorb.
+// whether it is the first call to Keccak1600_Squeeze; i.e., if the current block has
+// been already processed and padded right after the last call to Keccak1600_Absorb.
 // Squeezes full blocks of |r| bytes each. When performing multiple squeezes, any
 // left over bytes from previous squeezes are not consumed, and |len| must be a
 // multiple of the block size (except on the final squeeze).
-OPENSSL_EXPORT void SHA3_Squeeze(uint64_t A[SHA3_ROWS][SHA3_ROWS],
+OPENSSL_EXPORT void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS],
                                  uint8_t *out, size_t len, size_t r, int padded);
 
 #if defined(__cplusplus)

crypto/fipsmodule/sha/keccak1600.c

@@ -23,7 +23,7 @@
 
 #if !defined(KECCAK1600_ASM)
 
-static const uint8_t rhotates[SHA3_ROWS][SHA3_ROWS] = {
+static const uint8_t rhotates[KECCAK1600_ROWS][KECCAK1600_ROWS] = {
     {  0,  1, 62, 28, 27 },
     { 36, 44,  6, 55, 20 },
     {  3, 10, 43, 25, 39 },
@@ -103,9 +103,9 @@ static uint64_t ROL64(uint64_t val, int offset)
  // it with actual data (see round loop below). 
  // It ensures best compiler interpretation to assembly and provides best 
  // instruction per processed byte ratio at minimal round unroll factor.
-static void Round(uint64_t R[SHA3_ROWS][SHA3_ROWS], uint64_t A[SHA3_ROWS][SHA3_ROWS], size_t i)
+static void Round(uint64_t R[KECCAK1600_ROWS][KECCAK1600_ROWS], uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], size_t i)
 {
-    uint64_t C[SHA3_ROWS], D[SHA3_ROWS];
+    uint64_t C[KECCAK1600_ROWS], D[KECCAK1600_ROWS];
 
     assert(i < (sizeof(iotas) / sizeof(iotas[0])));
 
@@ -222,9 +222,9 @@ static void Round(uint64_t R[SHA3_ROWS][SHA3_ROWS], uint64_t A[SHA3_ROWS][SHA3_R
 #endif
 }
 
-static void KeccakF1600(uint64_t A[SHA3_ROWS][SHA3_ROWS])
+static void KeccakF1600(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS])
 {
-    uint64_t T[SHA3_ROWS][SHA3_ROWS];
+    uint64_t T[KECCAK1600_ROWS][KECCAK1600_ROWS];
     size_t i;
 
 #ifdef KECCAK_COMPLEMENTING_TRANSFORM
@@ -323,15 +323,15 @@ static uint64_t BitDeinterleave(uint64_t Ai)
     return Ai;
 }
 
- // SHA3_Absorb can be called multiple times; at each invocation the
+ // Keccak1600_Absorb can be called multiple times; at each invocation the
  // largest multiple of |r| out of |len| bytes are processed. The
  // remaining amount of bytes is returned. This is done to spare caller
  // trouble of calculating the largest multiple of |r|. |r| can be viewed
  // as blocksize. It is commonly (1600 - 256*n)/8, e.g. 168, 136, 104,
  // 72, but can also be (1600 - 448)/8 = 144. All this means that message
  // padding and intermediate sub-block buffering, byte- or bitwise, is
  // caller's responsibility.
-size_t SHA3_Absorb(uint64_t A[SHA3_ROWS][SHA3_ROWS], const uint8_t *inp, size_t len,
+size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *inp, size_t len,
                    size_t r)
 {
     uint64_t *A_flat = (uint64_t *)A;
@@ -356,8 +356,8 @@ size_t SHA3_Absorb(uint64_t A[SHA3_ROWS][SHA3_ROWS], const uint8_t *inp, size_t
     return len;
 }
 
-void SHA3_Squeeze(uint64_t A[SHA3_ROWS][SHA3_ROWS], uint8_t *out, size_t len, size_t r, int padded)
-// SHA3_Squeeze can be called multiple times to incrementally 
+void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *out, size_t len, size_t r, int padded)
+// Keccak1600_Squeeze can be called multiple times to incrementally 
 {
     uint64_t *A_flat = (uint64_t *)A;
     size_t i, w = r / 8;
@@ -396,19 +396,19 @@ void SHA3_Squeeze(uint64_t A[SHA3_ROWS][SHA3_ROWS], uint8_t *out, size_t len, si
 
 #else
 
-size_t SHA3_Absorb_hw(uint64_t A[SHA3_ROWS][SHA3_ROWS], const uint8_t *inp, size_t len,
+size_t Keccak1600_Absorb_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *inp, size_t len,
                        size_t r);
 
-size_t SHA3_Absorb(uint64_t A[SHA3_ROWS][SHA3_ROWS], const uint8_t *inp, size_t len,
+size_t Keccak1600_Absorb(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *inp, size_t len,
                    size_t r) {
-    return SHA3_Absorb_hw(A, inp, len, r);
+    return Keccak1600_Absorb_hw(A, inp, len, r);
 }
 
-size_t SHA3_Squeeze_hw(uint64_t A[SHA3_ROWS][SHA3_ROWS], const uint8_t *out, size_t len,
+size_t Keccak1600_Squeeze_hw(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], const uint8_t *out, size_t len,
                         size_t r, int padded);
 
-void SHA3_Squeeze(uint64_t A[SHA3_ROWS][SHA3_ROWS], uint8_t *out, size_t len, size_t r, int padded) {
-    SHA3_Squeeze_hw(A, out, len, r, padded);
+void Keccak1600_Squeeze(uint64_t A[KECCAK1600_ROWS][KECCAK1600_ROWS], uint8_t *out, size_t len, size_t r, int padded) {
+    Keccak1600_Squeeze_hw(A, out, len, r, padded);
 }
 
 #endif // !KECCAK1600_ASM

crypto/fipsmodule/sha/sha3.c

@@ -180,15 +180,15 @@ int SHA3_Update(KECCAK1600_CTX *ctx, const void *data, size_t len) {
      // leaving the rest for later processing.
     memcpy(ctx->buf + num, data_ptr_copy, rem);
     data_ptr_copy += rem, len -= rem;
-    if (SHA3_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0 ) {
+    if (Keccak1600_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0 ) {
       return 0;
     }
     ctx->buf_load = 0;
     // ctx->buf is processed, ctx->buf_load is guaranteed to be zero
   }
 
   if (len >= block_size) {
-    rem = SHA3_Absorb(ctx->A, data_ptr_copy, len, block_size);
+    rem = Keccak1600_Absorb(ctx->A, data_ptr_copy, len, block_size);
   }
   else {
     rem = len;
@@ -218,12 +218,12 @@ int SHA3_Final(uint8_t *md, KECCAK1600_CTX *ctx) {
     ctx->buf[num] = ctx->pad;
     ctx->buf[block_size - 1] |= 0x80;
 
-    if (SHA3_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0) {
+    if (Keccak1600_Absorb(ctx->A, ctx->buf, block_size, block_size) != 0) {
       return 0;
     }
   }
 
-  SHA3_Squeeze(ctx->A, md, ctx->md_size, block_size, ctx->padded);
+  Keccak1600_Squeeze(ctx->A, md, ctx->md_size, block_size, ctx->padded);
   ctx->padded = 1;
 
   FIPS_service_indicator_update_state();