blst, refactor: use fips202 to refactor blst_expand_message_xof.

blst/src/bbs_server.c

@@ -3,7 +3,7 @@
 #include "fields.h"
 #include "bytes.h"
 #include <stdio.h>
-#include <openssl/evp.h>
+#include <fips202/include/fips202.h>
 
 const POINTonE1 BLS12_381_G1_P1 = {
     { TO_LIMB_T(0xcbbca09048aca92e), TO_LIMB_T(0x44035f6216317fd5),
@@ -26,23 +26,25 @@ const POINTonE1 BLS12_381_G1_P1_XOF = {
 void blst_expand_message_xof(unsigned char* bytes, size_t len_in_bytes, const unsigned char* msg, size_t msg_len,
     const unsigned char* DST, size_t DST_len)
 {
-    EVP_MD_CTX* ctx = EVP_MD_CTX_new();
-    EVP_DigestInit_ex(ctx, EVP_shake256(), NULL);
+    shake256incctx ctx;
 
-    EVP_DigestUpdate(ctx, msg, msg_len);
+    shake256_inc_init(&ctx);
+
+    shake256_inc_absorb(&ctx, msg, msg_len);
 
     unsigned char buf[2];
     buf[0] = (len_in_bytes >> 8) & 0xff;
     buf[1] = len_in_bytes & 0xff;
-    EVP_DigestUpdate(ctx, buf, sizeof(buf));
+    shake256_inc_absorb(&ctx, buf, sizeof(buf));
 
-    EVP_DigestUpdate(ctx, DST, DST_len);
+    shake256_inc_absorb(&ctx, DST, DST_len);
 
     buf[0] = DST_len & 0xff;
-    EVP_DigestUpdate(ctx, buf, 1);
+    shake256_inc_absorb(&ctx, buf, 1);
 
-    EVP_DigestFinal_ex(ctx, bytes, &len_in_bytes);
-    EVP_MD_CTX_free(ctx);
+    shake256_inc_finalize(&ctx);
+    shake256_inc_squeeze(bytes, len_in_bytes, &ctx);
+    shake256_inc_ctx_release(&ctx);
 }
 
 void blst_hash_to_g1_xof(POINTonE1* p, const unsigned char* msg, size_t msg_len,

fips202/CMakeLists.txt

@@ -0,0 +1,3 @@
+cmake_minimum_required(VERSION 2.6)
+
+include(../build_tools/cmake/Library.cmake)

fips202/include/fips202.h

@@ -0,0 +1,174 @@
+#ifndef FIPS202_H
+#define FIPS202_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+#define SHA3_256_RATE 136
+#define SHA3_384_RATE 104
+#define SHA3_512_RATE 72
+
+#define PQC_SHAKEINCCTX_BYTES (sizeof(uint64_t) * 26)
+#define PQC_SHAKECTX_BYTES (sizeof(uint64_t) * 25)
+
+// Context for incremental API
+typedef struct {
+    uint64_t* ctx;
+} shake128incctx;
+
+// Context for non-incremental API
+typedef struct {
+    uint64_t* ctx;
+} shake128ctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t* ctx;
+} shake256incctx;
+
+// Context for non-incremental API
+typedef struct {
+    uint64_t* ctx;
+} shake256ctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t* ctx;
+} sha3_256incctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t* ctx;
+} sha3_384incctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t* ctx;
+} sha3_512incctx;
+
+/* Initialize the state and absorb the provided input.
+ *
+ * This function does not support being called multiple times
+ * with the same state.
+ */
+void shake128_absorb(shake128ctx* state, const uint8_t* input, size_t inlen);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake128_squeezeblocks(uint8_t* output, size_t nblocks, shake128ctx* state);
+/* Free the state */
+void shake128_ctx_release(shake128ctx* state);
+/* Copy the state. */
+void shake128_ctx_clone(shake128ctx* dest, const shake128ctx* src);
+
+/* Initialize incremental hashing API */
+void shake128_inc_init(shake128incctx* state);
+/* Absorb more information into the XOF.
+ *
+ * Can be called multiple times.
+ */
+void shake128_inc_absorb(shake128incctx* state, const uint8_t* input, size_t inlen);
+/* Finalize the XOF for squeezing */
+void shake128_inc_finalize(shake128incctx* state);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake128_inc_squeeze(uint8_t* output, size_t outlen, shake128incctx* state);
+/* Copy the context of the SHAKE128 XOF */
+void shake128_inc_ctx_clone(shake128incctx* dest, const shake128incctx* src);
+/* Free the context of the SHAKE128 XOF */
+void shake128_inc_ctx_release(shake128incctx* state);
+
+/* Initialize the state and absorb the provided input.
+ *
+ * This function does not support being called multiple times
+ * with the same state.
+ */
+void shake256_absorb(shake256ctx* state, const uint8_t* input, size_t inlen);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake256_squeezeblocks(uint8_t* output, size_t nblocks, shake256ctx* state);
+/* Free the context held by this XOF */
+void shake256_ctx_release(shake256ctx* state);
+/* Copy the context held by this XOF */
+void shake256_ctx_clone(shake256ctx* dest, const shake256ctx* src);
+
+/* Initialize incremental hashing API */
+void shake256_inc_init(shake256incctx* state);
+void shake256_inc_absorb(shake256incctx* state, const uint8_t* input, size_t inlen);
+/* Prepares for squeeze phase */
+void shake256_inc_finalize(shake256incctx* state);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake256_inc_squeeze(uint8_t* output, size_t outlen, shake256incctx* state);
+/* Copy the state */
+void shake256_inc_ctx_clone(shake256incctx* dest, const shake256incctx* src);
+/* Free the state */
+void shake256_inc_ctx_release(shake256incctx* state);
+
+/* One-stop SHAKE128 call */
+void shake128(uint8_t* output, size_t outlen,
+    const uint8_t* input, size_t inlen);
+
+/* One-stop SHAKE256 call */
+void shake256(uint8_t* output, size_t outlen,
+    const uint8_t* input, size_t inlen);
+
+/* Initialize the incremental hashing state */
+void sha3_256_inc_init(sha3_256incctx* state);
+/* Absorb blocks into SHA3 */
+void sha3_256_inc_absorb(sha3_256incctx* state, const uint8_t* input, size_t inlen);
+/* Obtain the output of the function and free `state` */
+void sha3_256_inc_finalize(uint8_t* output, sha3_256incctx* state, uint8_t p);
+/* Copy the context */
+void sha3_256_inc_ctx_clone(sha3_256incctx* dest, const sha3_256incctx* src);
+/* Release the state, don't use if `_finalize` has been used */
+void sha3_256_inc_ctx_release(sha3_256incctx* state);
+
+void sha3_256(uint8_t* output, const uint8_t* input, size_t inlen);
+
+/* Initialize the incremental hashing state */
+void sha3_384_inc_init(sha3_384incctx* state);
+/* Absorb blocks into SHA3 */
+void sha3_384_inc_absorb(sha3_384incctx* state, const uint8_t* input, size_t inlen);
+/* Obtain the output of the function and free `state` */
+void sha3_384_inc_finalize(uint8_t* output, sha3_384incctx* state, uint8_t p);
+/* Copy the context */
+void sha3_384_inc_ctx_clone(sha3_384incctx* dest, const sha3_384incctx* src);
+/* Release the state, don't use if `_finalize` has been used */
+void sha3_384_inc_ctx_release(sha3_384incctx* state);
+
+/* One-stop SHA3-384 shop */
+void sha3_384(uint8_t* output, const uint8_t* input, size_t inlen);
+
+/* Initialize the incremental hashing state */
+void sha3_512_inc_init(sha3_512incctx* state);
+/* Absorb blocks into SHA3 */
+void sha3_512_inc_absorb(sha3_512incctx* state, const uint8_t* input, size_t inlen);
+/* Obtain the output of the function and free `state` */
+void sha3_512_inc_finalize(uint8_t* output, sha3_512incctx* state, uint8_t p);
+/* Copy the context */
+void sha3_512_inc_ctx_clone(sha3_512incctx* dest, const sha3_512incctx* src);
+/* Release the state, don't use if `_finalize` has been used */
+void sha3_512_inc_ctx_release(sha3_512incctx* state);
+
+/* One-stop SHA3-512 shop */
+void sha3_512(uint8_t* output, const uint8_t* input, size_t inlen);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif