[PATCH] crypto: Add Skein hash algorithm variants
This is the first draft of the Skein hash algorithm that was recently mentioned, as a prominent submission to NIST's SHA-3 competition.

Website: http://www.schneier.com/skein.html

It still needs more work, linux-ifying, testing, and reviewing.

One note I forgot to mention in the commit itself, but should be considered when reviewing this: Skein permits the output digest size to be specified by the user. Skein-256 means 256 bits of internal state, NOT 256 bits of output digest. The output digest size is specified to Skein at init time.

In my implementation below, I attempted to follow the Principle of Least Surprise, by hardcoding output digest size == internal state size. Thus, in my implementation, skein256 really does mean 256 output bits.

I am currently pushing this work to the 'skein' branch of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/misc-2.6.git skein

Comments welcome!

--- crypto/Kconfig | 12 + crypto/Makefile|3 + crypto/skein.h | 265 ++ crypto/skein1024_generic.c | 518 crypto/skein256_generic.c | 367 +++ crypto/skein512_generic.c | 417 +++ 6 files changed, 1582 insertions(+), 0 deletions(-) create mode 100644 crypto/skein.h create mode 100644 crypto/skein1024_generic.c create mode 100644 crypto/skein256_generic.c create mode 100644 crypto/skein512_generic.c

Jeff Garzik (1): [CRYPTO] Add Skein hash algorithm, 256-, 512-, and 1024-bit variants

Import the public domain reference implementation of the Skein hash algorithm into the Linux Crypto API. This is a prominent submission to the NIST's competition for SHA-3. See Skein website for more info: http://www.schneier.com/skein.html

This is just a rough import, and still needs more cleaning and Linux-ifying.

Signed-off-by: Jeff Garzik [EMAIL PROTECTED]

diff --git a/crypto/Kconfig b/crypto/Kconfig index 39dbd8e..f18868f 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig 
@@ -352,6 +352,18 @@ config CRYPTO_SHA512 This code also includes SHA-384, a 384 bit hash with 192 bits of security against collision attacks. +config CRYPTO_SKEIN256 + tristate Skein-256(256) digest algorithm + select CRYPTO_ALGAPI + +config CRYPTO_SKEIN512 + tristate Skein-512(512) digest algorithm + select CRYPTO_ALGAPI + +config CRYPTO_SKEIN1024 + tristate Skein-1024(1024) digest algorithm + select CRYPTO_ALGAPI + config CRYPTO_TGR192 tristate Tiger digest algorithms select CRYPTO_ALGAPI diff --git a/crypto/Makefile b/crypto/Makefile index 5862b80..10c3ca8 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -39,6 +39,9 @@ obj-$(CONFIG_CRYPTO_RMD320) += rmd320.o obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o +obj-$(CONFIG_CRYPTO_SKEIN256) += skein256_generic.o +obj-$(CONFIG_CRYPTO_SKEIN512) += skein512_generic.o +obj-$(CONFIG_CRYPTO_SKEIN1024) += skein1024_generic.o obj-$(CONFIG_CRYPTO_WP512) += wp512.o obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o diff --git a/crypto/skein.h b/crypto/skein.h new file mode 100644 index 000..2753b55 --- /dev/null +++ b/crypto/skein.h 
@@ -0,0 +1,265 @@ +#ifndef _SKEIN_H_ +#define _SKEIN_H_ 1 +/** +** +** Interface declarations and internal definitions for Skein hashing. +** +** Source code author: Doug Whiting, 2008. +** +** This algorithm and source code is released to the public domain. +** +*** +** +** The following compile-time switches may be defined to control some +** tradeoffs between speed, code size, error checking, and security. +** +** The default note explains what happens when the switch is not defined. +** +** SKEIN_DEBUG-- make callouts from inside Skein code +**to examine/display intermediate values. +**[default: no callouts (no overhead)] +** +** SKEIN_ERR_CHECK-- how error checking is handled inside Skein +**code. If not defined, most error checking +**is disabled (for performance). Otherwise, +**the switch value is interpreted as: +**0: use assert() to flag errors +**1: return SKEIN_FAIL to flag errors +** +***/ + +#include linux/types.h + +enum { + SKEIN_SUCCESS = 0, /* return codes from Skein calls */ + SKEIN_FAIL = 1, + SKEIN_BAD_HASHLEN = 2 +}; + +#define SKEIN_MODIFIER_WORDS ( 2)/* number of
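Review bot: The three new entries in crypto/Kconfig (CRYPTO_SKEIN256, CRYPTO_SKEIN512, CRYPTO_SKEIN1024) have no help text, while the CRYPTO_SHA512 entry in the context lines just above them does. Add a help block to each, and state there that the digest size is fixed to the internal state size, since the cover letter says this choice is not recorded in the commit itself.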
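Review bot: In crypto/skein.h the header comment still documents SKEIN_ERR_CHECK value 0 as "use assert() to flag errors", and the enum defines positive return codes (SKEIN_FAIL = 1, SKEIN_BAD_HASHLEN = 2). Kernel code has no libc assert(), and kernel callers expect 0 or a negative errno, so drop the assert() mode and return values such as -EINVAL instead of the SKEIN_* codes. The SKEIN_DEBUG callout switch described in the same comment should be removed or justified for in-kernel use.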
[PATCH] crypto: add test vectors for skein256/512/1024
I grabbed them from http://www.schneier.com/skein.html.

The last test vector (3) in every category is currently deactivated because it failed always. It is unlikely that I made a typo because I copy+pasted the tables + vim magiced them. So maybe code may misbehave on request lengths which are not a multiple of 4 or the vectors can not be used due to some other limitations that I've overseen.

Signed-off-by: Sebastian Andrzej Siewior [EMAIL PROTECTED]

--- crypto/tcrypt.c | 24 crypto/testmgr.c | 27 + crypto/testmgr.h | 166 +- 3 files changed, 216 insertions(+), 1 deletions(-)

diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c index 28a45a1..c7717e8 100644 --- a/crypto/tcrypt.c +++ b/crypto/tcrypt.c @@ -661,6 +661,18 @@ static void do_test(int m) tcrypt_test(ecb(seed)); break; + case 44: + tcrypt_test(skein256); + break; + + case 45: + tcrypt_test(skein512); + break; + + case 46: + tcrypt_test(skein1024); + break; + case 100: tcrypt_test(hmac(md5)); break; @@ -851,6 +863,18 @@ static void do_test(int m) test_hash_speed(rmd320, sec, generic_hash_speed_template); if (mode 300 mode 400) break; + case 318: + test_hash_speed(skein256, sec, generic_hash_speed_template); + if (mode 300 mode 400) break; + + case 319: + test_hash_speed(skein512, sec, generic_hash_speed_template); + if (mode 300 mode 400) break; + + case 320: + test_hash_speed(skein1024, sec, generic_hash_speed_template); + if (mode 300 mode 400) break; + case 399: break; diff --git a/crypto/testmgr.c b/crypto/testmgr.c index b828c6c..bc6fc7f 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c 
@@ -1693,6 +1693,33 @@ static const struct alg_test_desc alg_test_descs[] = { } } }, { + .alg = skein1024, + .test = alg_test_hash, + .suite = { + .hash = { + .vecs = skein1024_tv_template, + .count = SKEIN1024_TEST_VECTORS + } + } + }, { + .alg = skein256, + .test = alg_test_hash, + .suite = { + .hash = { + .vecs = skein256_tv_template, + .count = SKEIN256_TEST_VECTORS + } + } + }, { + .alg = skein512, + .test = alg_test_hash, + .suite = { + .hash = { + .vecs = skein512_tv_template, + .count = SKEIN512_TEST_VECTORS + } + } + }, { .alg = tgr128, .test = alg_test_hash, .suite = { diff --git a/crypto/testmgr.h b/crypto/testmgr.h index dee94d9..ebed56f 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -27,7 +27,7 @@ struct hash_testvec { char *plaintext; char *digest; unsigned char tap[MAX_TAP]; - unsigned char psize; + u16 psize; unsigned char np; unsigned char ksize; }; 
@@ -986,6 +986,170 @@ static struct hash_testvec tgr128_tv_template[] = { }; /* + * SKEIN uses test vectors + * from http://www.schneier.com/code/skein_NIST_CD_101308.zip + * NIST/CD/KAT_MCT/skein_golden_kat_short.txt + */ +#define SKEIN256_TEST_VECTORS 2 +static struct hash_testvec skein256_tv_template[] = { + { + /* :Skein-256: 256-bit hash, msgLen = 8 bits */ + .plaintext = \xff, + .psize = 1, + .digest = \xa4\x7b\xe7\x1a\x18\x5b\xa0\xaf\x82\x0b\x3c\xe8\x45\xa3\xd3\x5a + \x80\xec\x64\xf9\x6a\x0d\x6a\x36\xe3\xf5\x36\x36\x24\xd8\xa0\x91, + }, { + /* :Skein-256: 256-bit hash, msgLen = 512 bits */ + .plaintext = \xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8\xf7\xf6\xf5\xf4\xf3\xf2\xf1\xf0 + \xef\xee\xed\xec\xeb\xea\xe9\xe8\xe7\xe6\xe5\xe4\xe3\xe2\xe1\xe0 + \xdf\xde\xdd\xdc\xdb\xda\xd9\xd8\xd7\xd6\xd5\xd4\xd3\xd2\xd1\xd0 + \xcf\xce\xcd\xcc\xcb\xca\xc9\xc8\xc7\xc6\xc5\xc4\xc3\xc2\xc1\xc0, + .psize = 64, + .digest = \xfa\x1a\x76\x2b\x6b\x1c\x72\xb7\x0d\x52\x92\x63\x53\xe1\x0e\xb8 + \xfb\x0e\xdd\x73\x13\xda\x20\xa2\x41\x31\x80\xb8\xe2\x89\xb8\x72, + }, { + /* :Skein-256: 256-bit hash, msgLen = 1016 bits. Tree: leaf=02, node=02, maxLevels=02 */ + .plaintext =
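Review bot: The change of psize from unsigned char to u16 in struct hash_testvec (crypto/testmgr.h, hunk at -27,7) alters a structure shared by every hash test, and the commit message does not mention it. State which vector needs a length above 255 bytes, or split the type change into a preparatory patch so it can be reviewed on its own.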
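Review bot: In skein256_tv_template, SKEIN256_TEST_VECTORS is 2 but a third initializer follows, so the failing vector is hidden only by the count. Its comment reads "Tree: leaf=02, node=02, maxLevels=02", and the struct hash_testvec fields visible in the previous hunk offer no way to pass tree parameters. Drop the entry from the template, or record in the comment above the template why it is excluded, rather than leaving a dead initializer past the count.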
Re: [PATCH] crypto: add test vectors for skein256/512/1024
Sebastian Andrzej Siewior wrote:

> I grabbed them from http://www.schneier.com/skein.html. The last test vector (3) in every category is currently deactivated because it failed always. It is unlikely that I made a typo because I copy+pasted the tables + vim magiced them. So maybe code may misbehave on request lengths which are not a multiple of 4 or the vectors can not be used due to some other limitations that I've overseen.

Another thought: did you verify that the test vectors' output sizes matched the Linux kernel's? My implementation assumed a 256-bit output size for Skein-256, for example, but it is quite possible that Schneier and co. ran tests where the output size differed from the internal state size.

Jeff
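Jeff's question about output sizes can be checked mechanically before a vector is imported. The following is an added C example, not part of either patch: it classifies KAT header lines in the format quoted in the testmgr.h comments and rejects those that a sequential, byte-oriented hash with output size fixed to the state size (the design the cover letter describes; sequential operation is an assumption) cannot reproduce. `kat_classify` and the `kat_verdict` names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Reasons a known-answer vector does not fit a fixed-output, sequential hash. */
enum kat_verdict {
	KAT_USABLE = 0,
	KAT_BAD_HEADER,		/* header line did not parse */
	KAT_TREE_MODE,		/* produced with tree hashing parameters */
	KAT_OUTPUT_SIZE,	/* digest bits differ from internal state bits */
	KAT_PARTIAL_BYTE	/* msgLen is not a whole number of bytes */
};

/*
 * Classify one KAT header in the format quoted in the testmgr.h comments.
 * On KAT_USABLE, *psize receives the message length in bytes.
 */
enum kat_verdict kat_classify(const char *hdr, unsigned int *psize)
{
	unsigned int state_bits, hash_bits, msg_bits;

	if (sscanf(hdr, " :Skein-%u: %u-bit hash, msgLen = %u bits",
		   &state_bits, &hash_bits, &msg_bits) != 3)
		return KAT_BAD_HEADER;
	if (strstr(hdr, "Tree:"))
		return KAT_TREE_MODE;
	if (hash_bits != state_bits)
		return KAT_OUTPUT_SIZE;
	if (msg_bits % 8)
		return KAT_PARTIAL_BYTE;
	*psize = msg_bits / 8;
	return KAT_USABLE;
}

int main(void)
{
	/* First three headers are from the patch; the last two are constructed. */
	static const char *hdrs[] = {
		":Skein-256: 256-bit hash, msgLen = 8 bits",
		":Skein-256: 256-bit hash, msgLen = 512 bits",
		":Skein-256: 256-bit hash, msgLen = 1016 bits. Tree: leaf=02, node=02, maxLevels=02",
		":Skein-256: 160-bit hash, msgLen = 8 bits",
		":Skein-512: 512-bit hash, msgLen = 3 bits",
	};
	for (size_t i = 0; i < sizeof(hdrs) / sizeof(hdrs[0]); i++) {
		unsigned int psize = 0;
		enum kat_verdict v = kat_classify(hdrs[i], &psize);
		printf("verdict=%d psize=%u  %s\n", v, psize, hdrs[i]);
	}
	return 0;
}
```

The third header is byte-aligned and has matching output and state sizes, so it is rejected only on its tree-mode marker.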