summaryrefslogtreecommitdiffstats
path: root/third_party/rust/prio/src/vdaf/xof.rs
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/rust/prio/src/vdaf/xof.rs')
-rw-r--r--third_party/rust/prio/src/vdaf/xof.rs148
1 files changed, 110 insertions, 38 deletions
diff --git a/third_party/rust/prio/src/vdaf/xof.rs b/third_party/rust/prio/src/vdaf/xof.rs
index b38d176467..67881419df 100644
--- a/third_party/rust/prio/src/vdaf/xof.rs
+++ b/third_party/rust/prio/src/vdaf/xof.rs
@@ -1,8 +1,14 @@
// SPDX-License-Identifier: MPL-2.0
-//! Implementations of XOFs specified in [[draft-irtf-cfrg-vdaf-07]].
+//! Implementations of XOFs specified in [[draft-irtf-cfrg-vdaf-08]].
//!
-//! [draft-irtf-cfrg-vdaf-07]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/07/
+//! [draft-irtf-cfrg-vdaf-08]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/08/
+
+/// Value of the domain separation byte "D" used by XofTurboShake128 when invoking TurboSHAKE128.
+const XOF_TURBO_SHAKE_128_DOMAIN_SEPARATION: u8 = 1;
+/// Value of the domain separation byte "D" used by XofFixedKeyAes128 when invoking TurboSHAKE128.
+#[cfg(all(feature = "crypto-dependencies", feature = "experimental"))]
+const XOF_FIXED_KEY_AES_128_DOMAIN_SEPARATION: u8 = 2;
use crate::{
field::FieldElement,
@@ -21,13 +27,17 @@ use aes::{
};
#[cfg(feature = "crypto-dependencies")]
use ctr::Ctr64BE;
+#[cfg(feature = "crypto-dependencies")]
+use hmac::{Hmac, Mac};
use rand_core::{
impls::{next_u32_via_fill, next_u64_via_fill},
RngCore, SeedableRng,
};
+#[cfg(feature = "crypto-dependencies")]
+use sha2::Sha256;
use sha3::{
digest::{ExtendableOutput, Update, XofReader},
- Shake128, Shake128Core, Shake128Reader,
+ TurboShake128, TurboShake128Core, TurboShake128Reader,
};
#[cfg(feature = "crypto-dependencies")]
use std::fmt::Formatter;
@@ -76,8 +86,9 @@ impl<const SEED_SIZE: usize> ConstantTimeEq for Seed<SEED_SIZE> {
}
impl<const SEED_SIZE: usize> Encode for Seed<SEED_SIZE> {
- fn encode(&self, bytes: &mut Vec<u8>) {
+ fn encode(&self, bytes: &mut Vec<u8>) -> Result<(), CodecError> {
bytes.extend_from_slice(&self.0[..]);
+ Ok(())
}
fn encoded_len(&self) -> Option<usize> {
@@ -105,9 +116,9 @@ impl<S: RngCore> IntoFieldVec for S {
}
}
-/// An extendable output function (XOF) with the interface specified in [[draft-irtf-cfrg-vdaf-07]].
+/// An extendable output function (XOF) with the interface specified in [[draft-irtf-cfrg-vdaf-08]].
///
-/// [draft-irtf-cfrg-vdaf-07]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/07/
+/// [draft-irtf-cfrg-vdaf-08]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/08/
pub trait Xof<const SEED_SIZE: usize>: Clone + Debug {
/// The type of stream produced by this XOF.
type SeedStream: RngCore + Sized;
@@ -145,7 +156,9 @@ pub struct SeedStreamAes128(Ctr64BE<Aes128>);
#[cfg(feature = "crypto-dependencies")]
impl SeedStreamAes128 {
- pub(crate) fn new(key: &[u8], iv: &[u8]) -> Self {
+ /// Construct an instance of the seed stream with the given AES key `key` and initialization
+ /// vector `iv`.
+ pub fn new(key: &[u8], iv: &[u8]) -> Self {
SeedStreamAes128(<Ctr64BE<Aes128> as KeyIvInit>::new(key.into(), iv.into()))
}
@@ -187,17 +200,19 @@ impl Debug for SeedStreamAes128 {
}
}
-/// The XOF based on SHA-3 as specified in [[draft-irtf-cfrg-vdaf-07]].
+/// The XOF based on TurboSHAKE128 as specified in [[draft-irtf-cfrg-vdaf-08]].
///
-/// [draft-irtf-cfrg-vdaf-07]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/07/
+/// [draft-irtf-cfrg-vdaf-08]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/08/
#[derive(Clone, Debug)]
-pub struct XofShake128(Shake128);
+pub struct XofTurboShake128(TurboShake128);
-impl Xof<16> for XofShake128 {
- type SeedStream = SeedStreamSha3;
+impl Xof<16> for XofTurboShake128 {
+ type SeedStream = SeedStreamTurboShake128;
fn init(seed_bytes: &[u8; 16], dst: &[u8]) -> Self {
- let mut xof = Self(Shake128::from_core(Shake128Core::default()));
+ let mut xof = Self(TurboShake128::from_core(TurboShake128Core::new(
+ XOF_TURBO_SHAKE_128_DOMAIN_SEPARATION,
+ )));
Update::update(
&mut xof.0,
&[dst.len().try_into().expect("dst must be at most 255 bytes")],
@@ -211,21 +226,21 @@ impl Xof<16> for XofShake128 {
Update::update(&mut self.0, data);
}
- fn into_seed_stream(self) -> SeedStreamSha3 {
- SeedStreamSha3::new(self.0.finalize_xof())
+ fn into_seed_stream(self) -> SeedStreamTurboShake128 {
+ SeedStreamTurboShake128::new(self.0.finalize_xof())
}
}
-/// The seed stream produced by SHAKE128.
-pub struct SeedStreamSha3(Shake128Reader);
+/// The seed stream produced by TurboSHAKE128.
+pub struct SeedStreamTurboShake128(TurboShake128Reader);
-impl SeedStreamSha3 {
- pub(crate) fn new(reader: Shake128Reader) -> Self {
+impl SeedStreamTurboShake128 {
+ pub(crate) fn new(reader: TurboShake128Reader) -> Self {
Self(reader)
}
}
-impl RngCore for SeedStreamSha3 {
+impl RngCore for SeedStreamTurboShake128 {
fn fill_bytes(&mut self, dest: &mut [u8]) {
XofReader::read(&mut self.0, dest);
}
@@ -244,13 +259,13 @@ impl RngCore for SeedStreamSha3 {
}
}
-/// A `rand`-compatible interface to construct XofShake128 seed streams, with the domain separation tag
-/// and binder string both fixed as the empty string.
-impl SeedableRng for SeedStreamSha3 {
+/// A `rand`-compatible interface to construct XofTurboShake128 seed streams, with the domain
+/// separation tag and binder string both fixed as the empty string.
+impl SeedableRng for SeedStreamTurboShake128 {
type Seed = [u8; 16];
fn from_seed(seed: Self::Seed) -> Self {
- XofShake128::init(&seed, b"").into_seed_stream()
+ XofTurboShake128::init(&seed, b"").into_seed_stream()
}
}
@@ -269,7 +284,9 @@ pub struct XofFixedKeyAes128Key {
impl XofFixedKeyAes128Key {
/// Derive the fixed key from the domain separation tag and binder string.
pub fn new(dst: &[u8], binder: &[u8]) -> Self {
- let mut fixed_key_deriver = Shake128::from_core(Shake128Core::default());
+ let mut fixed_key_deriver = TurboShake128::from_core(TurboShake128Core::new(
+ XOF_FIXED_KEY_AES_128_DOMAIN_SEPARATION,
+ ));
Update::update(
&mut fixed_key_deriver,
&[dst.len().try_into().expect("dst must be at most 255 bytes")],
@@ -293,15 +310,15 @@ impl XofFixedKeyAes128Key {
}
}
-/// XofFixedKeyAes128 as specified in [[draft-irtf-cfrg-vdaf-07]]. This XOF is NOT RECOMMENDED for
+/// XofFixedKeyAes128 as specified in [[draft-irtf-cfrg-vdaf-08]]. This XOF is NOT RECOMMENDED for
/// general use; see Section 9 ("Security Considerations") for details.
///
-/// This XOF combines SHA-3 and a fixed-key mode of operation for AES-128. The key is "fixed" in
-/// the sense that it is derived (using SHAKE128) from the domain separation tag and binder
-/// strings, and depending on the application, these strings can be hard-coded. The seed is used to
-/// construct each block of input passed to a hash function built from AES-128.
+/// This XOF combines TurboSHAKE128 and a fixed-key mode of operation for AES-128. The key is
+/// "fixed" in the sense that it is derived (using TurboSHAKE128) from the domain separation tag and
+/// binder strings, and depending on the application, these strings can be hard-coded. The seed is
+/// used to construct each block of input passed to a hash function built from AES-128.
///
-/// [draft-irtf-cfrg-vdaf-07]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/07/
+/// [draft-irtf-cfrg-vdaf-08]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/08/
#[derive(Clone, Debug)]
#[cfg(all(feature = "crypto-dependencies", feature = "experimental"))]
#[cfg_attr(
@@ -309,7 +326,7 @@ impl XofFixedKeyAes128Key {
doc(cfg(all(feature = "crypto-dependencies", feature = "experimental")))
)]
pub struct XofFixedKeyAes128 {
- fixed_key_deriver: Shake128,
+ fixed_key_deriver: TurboShake128,
base_block: Block,
}
@@ -318,7 +335,7 @@ impl Xof<16> for XofFixedKeyAes128 {
type SeedStream = SeedStreamFixedKeyAes128;
fn init(seed_bytes: &[u8; 16], dst: &[u8]) -> Self {
- let mut fixed_key_deriver = Shake128::from_core(Shake128Core::default());
+ let mut fixed_key_deriver = TurboShake128::from_core(TurboShake128Core::new(2u8));
Update::update(
&mut fixed_key_deriver,
&[dst.len().try_into().expect("dst must be at most 255 bytes")],
@@ -433,6 +450,37 @@ impl RngCore for SeedStreamFixedKeyAes128 {
}
}
+/// XOF based on HMAC-SHA256 and AES128. This XOF is not part of the VDAF spec.
+#[cfg(feature = "crypto-dependencies")]
+#[cfg_attr(docsrs, doc(cfg(feature = "crypto-dependencies")))]
+#[derive(Clone, Debug)]
+pub struct XofHmacSha256Aes128(Hmac<Sha256>);
+
+#[cfg(feature = "crypto-dependencies")]
+impl Xof<32> for XofHmacSha256Aes128 {
+ type SeedStream = SeedStreamAes128;
+
+ fn init(seed_bytes: &[u8; 32], dst: &[u8]) -> Self {
+ let mut mac = <Hmac<Sha256> as Mac>::new_from_slice(seed_bytes).unwrap();
+ Mac::update(
+ &mut mac,
+ &[dst.len().try_into().expect("dst must be at most 255 bytes")],
+ );
+ Mac::update(&mut mac, dst);
+ Self(mac)
+ }
+
+ fn update(&mut self, data: &[u8]) {
+ Mac::update(&mut self.0, data);
+ }
+
+ fn into_seed_stream(self) -> SeedStreamAes128 {
+ let tag = Mac::finalize(self.0).into_bytes();
+ let (key, iv) = tag.split_at(16);
+ SeedStreamAes128::new(key, iv)
+ }
+}
+
#[cfg(test)]
mod tests {
use super::*;
@@ -480,10 +528,34 @@ mod tests {
}
#[test]
- fn xof_shake128() {
+ fn xof_turboshake128() {
let t: XofTestVector =
- serde_json::from_str(include_str!("test_vec/07/XofShake128.json")).unwrap();
- let mut xof = XofShake128::init(&t.seed.try_into().unwrap(), &t.dst);
+ serde_json::from_str(include_str!("test_vec/08/XofTurboShake128.json")).unwrap();
+ let mut xof = XofTurboShake128::init(&t.seed.try_into().unwrap(), &t.dst);
+ xof.update(&t.binder);
+
+ assert_eq!(
+ xof.clone().into_seed(),
+ Seed(t.derived_seed.try_into().unwrap())
+ );
+
+ let mut bytes = Cursor::new(t.expanded_vec_field128.as_slice());
+ let mut want = Vec::with_capacity(t.length);
+ while (bytes.position() as usize) < t.expanded_vec_field128.len() {
+ want.push(Field128::decode(&mut bytes).unwrap())
+ }
+ let got: Vec<Field128> = xof.clone().into_seed_stream().into_field_vec(t.length);
+ assert_eq!(got, want);
+
+ test_xof::<XofTurboShake128, 16>();
+ }
+
+ #[test]
+ fn xof_hmac_sha256_aes128() {
+ let t: XofTestVector =
+ serde_json::from_str(include_str!("test_vec/XofHmacSha256Aes128.json")).unwrap();
+
+ let mut xof = XofHmacSha256Aes128::init(&t.seed.try_into().unwrap(), &t.dst);
xof.update(&t.binder);
assert_eq!(
@@ -499,14 +571,14 @@ mod tests {
let got: Vec<Field128> = xof.clone().into_seed_stream().into_field_vec(t.length);
assert_eq!(got, want);
- test_xof::<XofShake128, 16>();
+ test_xof::<XofHmacSha256Aes128, 32>();
}
#[cfg(feature = "experimental")]
#[test]
fn xof_fixed_key_aes128() {
let t: XofTestVector =
- serde_json::from_str(include_str!("test_vec/07/XofFixedKeyAes128.json")).unwrap();
+ serde_json::from_str(include_str!("test_vec/08/XofFixedKeyAes128.json")).unwrap();
let mut xof = XofFixedKeyAes128::init(&t.seed.try_into().unwrap(), &t.dst);
xof.update(&t.binder);