From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Harald Freudenberger <freude@linux.ibm.com>,
	Holger Dengler <dengler@linux.ibm.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Stephan Mueller <smueller@chronox.de>,
	Simo Sorce <simo@redhat.com>,
	linux-crypto@vger.kernel.org, linux-s390@vger.kernel.org,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512, SHAKE128, SHAKE256
Date: Tue, 23 Sep 2025 08:32:28 -0700
Message-ID: <20250923153228.GA1570@sol>
In-Reply-To: <506171.1758637355@warthog.procyon.org.uk>

On Tue, Sep 23, 2025 at 03:22:35PM +0100, David Howells wrote:
> Eric Biggers <ebiggers@kernel.org> wrote:
> 
> > Also, the parameter should be strongly typed: 'struct sha3_state *'
> > Likewise in all the other functions that take the raw u64 array.
> 
> Those functions may be directly substituted by calls to assembly code - so
> u64[] is probably more appropriate.

We've been using strongly-typed state even for assembly functions.  See
the SHA-1, SHA-2, and ChaCha code.

> > > +	for (round = 0; round < KECCAK_ROUNDS; round++) {
> > > +		keccakf_round(st);
> > > +		/* Iota */
> > > +		st[0] ^= keccakf_rndc[round];
> > > +	}
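Review bot: the Iota step `st[0] ^= keccakf_rndc[round];` sits in the loop body rather than in keccakf_round(), so the helper does not perform a complete round as FIPS 202 defines it, and any assembly replacement for keccakf_round() would have to reproduce the same split. Suggest passing the round index (or the constant) into keccakf_round() and applying it there, so the loop body reduces to a single `keccakf_round(st, round);` call.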
> > 
> > In the spec, "Iota" is part of the round.  Having it be separate from
> > keccakf_round() in the code is confusing.
> 
> I assume that pertains to the comment about inlining in some way.  This is as
> is in sha3_generic.c.  I can move it into the round function if you like, but
> can you tell me what the effect will be?

The effect will be that the code will align more closely with how the
algorithm is described in the SHA-3 spec and other publications.

> > Second, the support for update() + squeeze() + update() + squeeze()
> > seems to be trying to achieve something that is not defined in the SHA-3
> > spec.  Could you elaborate on what it is meant to be doing, and why it's
> > here?  According to the spec, the XOFs SHAKE128 and SHAKE256 actually
> > just take a single message as their input.
> 
> Turns out I was misunderstanding what I was looking at whilst trying to adapt
> Leancrypto's dilithium code.  Whilst it does squeeze a context several times,
> it doesn't update it after finalising it without reinitialising it.

Yes, that's what I thought.

- Eric


Thread overview: 18+ messages
2025-09-19 16:31 [PATCH v2] lib/crypto: Add SHA3-224, SHA3-256, SHA3-384, SHA-512, SHAKE128, SHAKE256 David Howells
2025-09-19 19:04 ` Eric Biggers
2025-09-19 19:48   ` David Howells
2025-09-19 19:53     ` Stephan Mueller
2025-09-19 20:47       ` Eric Biggers
2025-09-19 21:20         ` Stephan Mueller
2025-09-19 20:32     ` Eric Biggers
2025-09-23 17:36       ` David Howells
2025-09-23 17:45         ` Eric Biggers
2025-09-20 10:53 ` kernel test robot
2025-09-21 19:27 ` Eric Biggers
2025-09-21 21:18   ` David Howells
2025-09-21 21:57     ` Eric Biggers
2025-09-23 14:22   ` David Howells
2025-09-23 15:32     ` Eric Biggers [this message]
2025-09-23 16:25       ` David Howells
2025-09-23 16:31         ` David Howells
2025-09-25  8:39           ` Ard Biesheuvel
