Re: Basic SHA3 support (cryptographic discussion)
Hi,

concerning the question of who needs SHA3, we do not agree that SHA3 should be skipped as a standard. As cryptographers we sincerely believe that the SHA3 design is superior to the one of SHA256 also due to the process by which it was created. We believe that an efficient implementation will trigger increased use of the standard and hope that its user base will grow quickly once the commands are simply there.

For the discussion, find here some additional arguments in favor of SHA3:

- The construction of SHA3 differs considerably from the SHA2 constructions (which covers all variants). Cryptanalytic progress for SHA2 can destroy all variants at once, but will probably not affect SHA3.
- SHA3's design principles are far better understood than the ones of SHA2. The invention of sponge functions is in our opinion one of the greatest inventions in hash-function design over the past few years. It is simple and brilliant, and the generic properties of the construction have appealing properties.
- A possible migration away from SHA2 will be faster when including SHA3 in OpenBSD now if it should happen that major cryptanalytic advances attacking SHA2 pop up in the future.
- The claim that we now "know" how to build secure hash functions in general seems problematic. To break a function, substantial cryptanalytic effort must be made. It is not clear how much of this effort was put in the presumably secure "newer" functions.
- The argument that SHA3 is slow does at least not apply to the reference code we used: The current implementation of sha3-256 is indeed [slightly] faster on our machine than the one of sha256.

Best regards,
Daniel, Stefan and Alexander
Re: Basic SHA3 support
d a message digest, suitable for use as a digital signature. +There are four families of functions, with names corresponding to +the number of bits in the resulting message digest. +The functions can process a message of arbitrary length as input. +.Pp +The SHA-3 functions are considered to be more secure than the +.Xr sha1 3 +functions with which they share a similar interface. They are an +alternative to the +.Xr sha2 3 +functions. +The 224, 256, 384, and 512-bit versions of SHA-3 share the same interface. +For brevity, only the 256-bit variants are described below. +.Pp +The +.Fn SHA3_256Init +function initializes a SHA3_CTX +.Fa context +for use with +.Fn SHA3_256Update +and +.Fn SHA3_256Final . +The +.Fn SHA3_256Update +function adds +.Fa data +of length +.Fa len +to the SHA3_CTX specified by +.Fa context . +.Fn SHA3_256Final +is called when all data has been added via +.Fn SHA3_256Update +and stores a message digest in the +.Fa digest +parameter. +.Pp +The +.Fn SHA3_256End +function is a front end for +.Fn SHA3_256Final +which converts the digest into an +.Tn ASCII +representation of the digest in hexadecimal. +.Pp +The +.Fn SHA3_256File +function calculates the digest for a file and returns the result via +.Fn SHA3_256End . +If +.Fn SHA3_256File +is unable to open the file, a +.Dv NULL +pointer is returned. +.Pp +.Fn SHA3_256FileChunk +behaves like +.Fn SHA3_256File +but calculates the digest only for that portion of the file starting at +.Fa offset +and continuing for +.Fa length +bytes or until end of file is reached, whichever comes first. +A zero +.Fa length +can be specified to read until end of file. +A negative +.Fa length +or +.Fa offset +will be ignored. +.Pp +The +.Fn SHA3_256Data +function +calculates the digest of an arbitrary string and returns the result via +.Fn SHA3_256End . 
+.Pp +For each of the +.Fn SHA3_256End , +.Fn SHA3_256File , +.Fn SHA3_256FileChunk , +and +.Fn SHA3_256Data +functions the +.Fa buf +parameter should either be a string large enough to hold the resulting digest +(e.g.\& +.Dv SHA3_224_DIGEST_STRING_LENGTH , +.Dv SHA3_256_DIGEST_STRING_LENGTH , +.Dv SHA3_384_DIGEST_STRING_LENGTH , +.Dv SHA3_512_DIGEST_STRING_LENGTH , +or +.Dv SHA3_512_256_DIGEST_STRING_LENGTH , +depending on the function being used) +or a +.Dv NULL +pointer. +In the latter case, space will be dynamically allocated via +.Xr malloc 3 +and should be freed using +.Xr free 3 +when it is no longer needed. +.Sh EXAMPLES +The following code fragment will calculate the SHA3-256 digest for the string +.Qq abc , +which is +.Dq 0x3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 . +.Bd -literal -offset indent +SHA3_CTX ctx; +u_int8_t results[SHA3_256_DIGEST_LENGTH]; +char *buf; +int n; + +buf = "abc"; +n = strlen(buf); +SHA3_256Init(&ctx); +SHA3_256Update(&ctx, (u_int8_t *)buf, n); +SHA3_256Final(results, &ctx); + +/* Print the digest as one long hex value */ +printf("0x"); +for (n = 0; n \*(Lt SHA3_256_DIGEST_LENGTH; n++) + printf("%02x", results[n]); +putchar('\en'); +.Ed +.Pp +Alternately, the helper functions could be used in the following way: +.Bd -literal -offset indent +u_int8_t output[SHA3_256_DIGEST_STRING_LENGTH]; +char *buf = "abc"; + +printf("0x%s\en", SHA3_256Data(buf, strlen(buf), output)); +.Ed +.Sh SEE ALSO +.Xr cksum 1 , +.Xr md5 3 , +.Xr rmd160 3 , +.Xr sha1 3 , +.Xr sha2 3 +.Rs +.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions +.%O FIPS PUB 202 +.Re +.Pp +The +.Fn SHA3_256End , +.Fn SHA3_256File , +.Fn SHA3_256FileChunk , +and +.Fn SHA3_256Data +helper functions are derived from code written by +.An Poul-Henning Kamp . Index: lib/libc/hash/sha3.c === RCS file: lib/libc/hash/sha3.c diff -N lib/libc/hash/sha3.c --- /dev/null 1 Jan 1970 00:00:00 - +++ lib/libc/hash/sha3.c11 Jan 2018 09:04:18 - 
@@ -0,0 +1,761 @@ +/* + * Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, + * Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby + * denoted as "the implementer". + * + * For more information, feedback or questions, please refer to our websites: + * http://keccak.noekeon.org/ + * http://keyak.noekeon.org/ + * http://ketje.noekeon.org/ + * + * Adaptation to OpenBSD in 2017/18 by + * Stefan-Lukas Gazdag, Alexander von Gernler and Daniel Loebenberger + * https://www.genua.de/ + * also denoted as "the implementer" + * + * To the extent possible under law, the implementer has waived all copyright + * and related or neighboring rights to the source code in this file. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +#include +#include +#include +#include +#include + +typedef unsigned long long tKeccakLane; + +#define SHA3_NRROUNDS 24 +#define SHA3_NRLANES 25 +#define SHA3_DELIMITER 0x06 + +#define index(x, y) (((x)
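Review bot: in the new sha3 manual page, the paragraph on the buf parameter lists SHA3_512_256_DIGEST_STRING_LENGTH, but the DESCRIPTION names only four families (224, 256, 384 and 512 bits) and no 512/256 variant is documented anywhere else in the page. It looks like a carry-over from the sha2(3) page that this text references; drop the ".Dv SHA3_512_256_DIGEST_STRING_LENGTH ," line unless the header really defines that constant. In the second EXAMPLES fragment, output is declared as "u_int8_t output[SHA3_256_DIGEST_STRING_LENGTH]" although the text describes buf as a string and the fragment prints the result with %s; declaring it as a char array would match the description.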
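Review bot: at the top of lib/libc/hash/sha3.c, "typedef unsigned long long tKeccakLane;" only guarantees at least 64 bits, while the code works on 25 lanes of a fixed width; uint64_t would state the requirement directly. On the line "#define index(x, y)", the function-like macro reuses the name of the legacy index(3) string function inside libc itself; a prefixed name such as SHA3_INDEX would avoid the clash and match the SHA3_ prefix of the three defines above it.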
Re: Basic SHA3 support
+The +.Fn SHA3_256Init +function initializes a SHA3_CTX +.Fa context +for use with +.Fn SHA3_256Update +and +.Fn SHA3_256Final . +The +.Fn SHA3_256Update +function adds +.Fa data +of length +.Fa len +to the SHA3_CTX specified by +.Fa context . +.Fn SHA3_256Final +is called when all data has been added via +.Fn SHA3_256Update +and stores a message digest in the +.Fa digest +parameter. +.Pp +The +.Fn SHA3_256End +function is a front end for +.Fn SHA3_256Final +which converts the digest into an +.Tn ASCII +representation of the digest in hexadecimal. +.Pp +The +.Fn SHA3_256File +function calculates the digest for a file and returns the result via +.Fn SHA3_256End . +If +.Fn SHA3_256File +is unable to open the file, a +.Dv NULL +pointer is returned. +.Pp +.Fn SHA3_256FileChunk +behaves like +.Fn SHA3_256File +but calculates the digest only for that portion of the file starting at +.Fa offset +and continuing for +.Fa length +bytes or until end of file is reached, whichever comes first. +A zero +.Fa length +can be specified to read until end of file. +A negative +.Fa length +or +.Fa offset +will be ignored. +.Pp +The +.Fn SHA3_256Data +function +calculates the digest of an arbitrary string and returns the result via +.Fn SHA3_256End . +.Pp +For each of the +.Fn SHA3_256End , +.Fn SHA3_256File , +.Fn SHA3_256FileChunk , +and +.Fn SHA3_256Data +functions the +.Fa buf +parameter should either be a string large enough to hold the resulting digest +(e.g.\& +.Dv SHA3_224_DIGEST_STRING_LENGTH , +.Dv SHA3_256_DIGEST_STRING_LENGTH , +.Dv SHA3_384_DIGEST_STRING_LENGTH , +.Dv SHA3_512_DIGEST_STRING_LENGTH , +or +.Dv SHA3_512_256_DIGEST_STRING_LENGTH , +depending on the function being used) +or a +.Dv NULL +pointer. +In the latter case, space will be dynamically allocated via +.Xr malloc 3 +and should be freed using +.Xr free 3 +when it is no longer needed. 
+.Sh EXAMPLES +The following code fragment will calculate the SHA3-256 digest for the string +.Qq abc , +which is +.Dq 0x3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532 . +.Bd -literal -offset indent +SHA3_CTX ctx; +u_int8_t results[SHA3_256_DIGEST_LENGTH]; +char *buf; +int n; + +buf = "abc"; +n = strlen(buf); +SHA3_256Init(&ctx); +SHA3_256Update(&ctx, (u_int8_t *)buf, n); +SHA3_256Final(results, &ctx); + +/* Print the digest as one long hex value */ +printf("0x"); +for (n = 0; n \*(Lt SHA3_256_DIGEST_LENGTH; n++) + printf("%02x", results[n]); +putchar('\en'); +.Ed +.Pp +Alternately, the helper functions could be used in the following way: +.Bd -literal -offset indent +u_int8_t output[SHA3_256_DIGEST_STRING_LENGTH]; +char *buf = "abc"; + +printf("0x%s\en", SHA3_256Data(buf, strlen(buf), output)); +.Ed +.Sh SEE ALSO +.Xr cksum 1 , +.Xr md5 3 , +.Xr rmd160 3 , +.Xr sha1 3 , +.Xr sha2 3 +.Rs +.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions +.%O FIPS PUB 202 +.Re +.Pp +The +.Fn SHA3_256End , +.Fn SHA3_256File , +.Fn SHA3_256FileChunk , +and +.Fn SHA3_256Data +helper functions are derived from code written by +.An Poul-Henning Kamp . Index: lib/libc/hash/sha3.c === RCS file: lib/libc/hash/sha3.c diff -N lib/libc/hash/sha3.c --- /dev/null 1 Jan 1970 00:00:00 - +++ lib/libc/hash/sha3.c10 Jan 2018 13:44:01 - 
@@ -0,0 +1,761 @@ +/* + * Implementation by the Keccak, Keyak and Ketje Teams, namely, Guido Bertoni, + * Joan Daemen, Michaël Peeters, Gilles Van Assche and Ronny Van Keer, hereby + * denoted as "the implementer". + * + * For more information, feedback or questions, please refer to our websites: + * http://keccak.noekeon.org/ + * http://keyak.noekeon.org/ + * http://ketje.noekeon.org/ + * + * Adaptation to OpenBSD in 2017/18 by + * Stefan-Lukas Gazdag, Alexander von Gernler and Daniel Loebenberger + * https://www.genua.de/ + * also denoted as "the implementer" + * + * To the extent possible under law, the implementer has waived all copyright + * and related or neighboring rights to the source code in this file. + * http://creativecommons.org/publicdomain/zero/1.0/ + */ + +#include +#include +#include +#include +#include + +typedef unsigned long long tKeccakLane; + +#define SHA3_NRROUNDS 24 +#define SHA3_NRLANES 25 +#define SHA3_DELIMITER 0x06 + +#define index(x, y) (((x)%5)+5*((y)%5)) + +const tKeccakLane KeccakRoundConstants[SHA3_NRROUNDS] = +{ + 0x0001, + 0x8082, + 0x8000808a, + 0x800080008000, + 0x808b, + 0x8001, + 0x800080008081, + 0x80008009, + 0x008a, + 0x0088, + 0x80008009, + 0x800a, + 0x8000808b, + 0x808b, + 0x80008089, + 0x80008003, + 0x80008002, + 0x8080, +
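Review bot: in lib/libc/hash/sha3.c, KeccakRoundConstants is defined as a plain "const tKeccakLane" array with external linkage, which exports an unprefixed symbol from libc; unless another file needs it, it should be static. The values as they appear in this message (0x0001, 0x8082, 0x8000808a, 0x800080008000, ...) are shorter than full 64-bit lane constants, so the table should be compared against FIPS PUB 202, which the manual page cites, in case the mail transport altered the patch.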
Basic SHA3 support
Hi everyone,

enclosed you find a patch to add basic SHA3-/Keccak support to OpenBSD. Changes have been made to libc, and a suite of sha3 checksum tools were added (sha3-224, sha3-256, sha3-384, sha3-512), extending the existing md5(1) checksum tool.

The SHA3 implementation itself was taken from the reference code written by the Keccak Team (https://keccak.team/) which is available under public domain (CC0).

We'd be happy to see this in OpenBSD and appreciate any comments.

Best regards,
Daniel, Stefan and Alexander

--
Dr. Daniel Loebenberger
Evaluation & Research
genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei München
Tel. +49 89 991950-0, Fax -999, www.genua.de
Managing directors: Matthias Ochs, Marc Tesch. Amtsgericht München HRB 98238.
genua GmbH is a company of the Bundesdruckerei Group.

Index: bin/md5/Makefile === RCS file: /cvs/src/bin/md5/Makefile,v retrieving revision 1.15 diff -u -p -u -p -r1.15 Makefile --- bin/md5/Makefile30 Mar 2016 06:38:40 - 1.15 +++ bin/md5/Makefile9 Jan 2018 15:17:20 - @@ -2,13 +2,20 @@ PROG= md5 SRCS= crc.c md5.c -MAN= cksum.1 md5.1 + LINKS= ${BINDIR}/md5 ${BINDIR}/sha1 \ + ${BINDIR}/md5 ${BINDIR}/sha224 \ ${BINDIR}/md5 ${BINDIR}/sha256 \ + ${BINDIR}/md5 ${BINDIR}/sha384 \ ${BINDIR}/md5 ${BINDIR}/sha512 \ + ${BINDIR}/md5 ${BINDIR}/sha3-224 \ + ${BINDIR}/md5 ${BINDIR}/sha3-256 \ + ${BINDIR}/md5 ${BINDIR}/sha3-384 \ + ${BINDIR}/md5 ${BINDIR}/sha3-512 \ ${BINDIR}/md5 ${BINDIR}/cksum -CPPFLAGS+= -I${.CURDIR} +CPPFLAGS+=-I${.CURDIR} + COPTS+=-Wall -Wconversion -Wmissing-prototypes .include Index: bin/md5/md5.1 === RCS file: /cvs/src/bin/md5/md5.1,v retrieving revision 1.47 diff -u -p -u -p -r1.47 md5.1 --- bin/md5/md5.1 23 Feb 2017 20:46:08 - 1.47 +++ bin/md5/md5.1 9 Jan 2018 15:17:20 - 
@@ -18,14 +18,18 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd $Mdocdate: February 23 2017 $ +.Dd $Mdocdate: January 9 2018 $ .Dt MD5 1 .Os .Sh NAME .Nm md5 , .Nm sha1 , .Nm sha256 , -.Nm sha512 +.Nm sha512 , +.Nm sha3-224 , +.Nm sha3-256 , +.Nm sha3-384 , +.Nm sha3-512 .Nd calculate a message digest (checksum) for a file .Sh SYNOPSIS .Nm md5 @@ -52,6 +56,30 @@ .Op Fl h Ar hashfile .Op Fl s Ar string .Op Ar +.Nm sha3-224 +.Op Fl bcpqrtx +.Op Fl C Ar checklist +.Op Fl h Ar hashfile +.Op Fl s Ar string +.Op Ar +.Nm sha3-256 +.Op Fl bcpqrtx +.Op Fl C Ar checklist +.Op Fl h Ar hashfile +.Op Fl s Ar string +.Op Ar +.Nm sha3-384 +.Op Fl bcpqrtx +.Op Fl C Ar checklist +.Op Fl h Ar hashfile +.Op Fl s Ar string +.Op Ar +.Nm sha3-512 +.Op Fl bcpqrtx +.Op Fl C Ar checklist +.Op Fl h Ar hashfile +.Op Fl s Ar string +.Op Ar .Sh DESCRIPTION These utilities take as input a message of arbitrary length and produce as output a message digest (checksum) of the input. @@ -136,7 +164,13 @@ and \*(Gt0 if an error occurs. .%R RFC 3174 .%T US Secure Hash Algorithm 1 (SHA1) .Re +.Pp .Rs .%T Secure Hash Standard .%O FIPS PUB 180-2 +.Re +.Pp +.Rs +.%T SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions +.%O FIPS PUB 202 .Re Index: bin/md5/md5.c === RCS file: /cvs/src/bin/md5/md5.c,v retrieving revision 1.92 diff -u -p -u -p -r1.92 md5.c --- bin/md5/md5.c 11 Sep 2017 16:35:38 - 1.92 +++ bin/md5/md5.c 9 Jan 2018 15:17:20 - @@ -42,6 +42,7 @@ #include #include #include +#include #include #define STYLE_MD5 0 @@ -61,6 +62,7 @@ union ANY_CTX { SHA1_CTX sha1; #endif /* !defined(SHA2_ONLY) */ SHA2_CTX sha2; + SHA3_CTX sha3; }; struct hash_function { 
@@ -177,6 +179,50 @@ struct hash_function { (void (*)(void *, const unsigned char *, size_t))SHA512Update, (void (*)(unsigned char *, void *))SHA512Final, (char *(*)(void *, char *))SHA512End + }, + { + "SHA3-224", + SHA3_224_DIGEST_LENGTH, + STYLE_MD5, + 0, + NULL, + (void (*)(void *))SHA3_224Init, + (void (*)(void *, const unsigned char *, size_t))SHA3_Update, + (void (*)(unsigned char *, void *))SHA3_Final, + (char *(*)(void *, char *))SHA3_224End + }, + { + "SHA3-256", + SHA3_256_DIGEST_LENGTH, + STYLE_MD5, + 0, + NULL, + (void (*)(void *))SHA3_256Init, + (void (*)(void *, const unsigned char *, size_t))SHA3_Update, + (void (*)(unsigned char *, void *))SHA3_Final, +
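Review bot: the bin/md5/Makefile hunk removes the line "MAN= cksum.1 md5.1" and puts an empty line in its place, even though the same patch edits md5.1 and the message gives no reason for dropping it; the MAN line should be restored. The hunk also adds LINKS entries for sha224 and sha384, which are SHA-2 names outside the stated scope of the change, and the md5.1 hunks add no .Nm or SYNOPSIS entries for them; either split them into a separate change or document them. The CPPFLAGS line differs only in whitespace and can be left out of the diff.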
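Review bot: in the bin/md5/md5.c table entries for "SHA3-224" and "SHA3-256", the update and final slots point at SHA3_Update and SHA3_Final, but the sha3 manual page sent in this thread documents only the per-size names (SHA3_256Update, SHA3_256Final) and says the other sizes share that interface. Either document the generic SHA3_Update and SHA3_Final in the manual page or use the per-size names here, as the entry just above does with SHA512Update and SHA512Final.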