bash-prg-hash: Initial implementation

[makavity]

1. I am not sure to assert in block_api
2. I am not sure in new and new_with_empty_header functions.

[makavity]

I am also not sure, it should be implemented as prg-hash.
Because AEAD algorithm uses start, squeeze, absorb and encrypt functions. But it is correct to implement encrypt here and make block_api methods - pub?

[newpavlov]

Sorry for the late review!

Some preliminary comments without looking deep at the implementation and the spec.

[makavity]

Thanks for review, @newpavlov.
As I see, all fixed

[makavity]

Looks like the sha1 is failed because timeout, not because PR changes.

[newpavlov]

I added TryCustomizedInit trait in digest v0.11.3. Also, take a look at #849 (the change was inspired by this PR), it should help to simplify the implementation.

[makavity]

I added TryCustomizedInit trait in digest v0.11.3. Also, take a look at #849 (the change was inspired by this PR), it should help to simplify the implementation.

Cannot implement squeeze.
In SpongeCursor::squeeze_u64_le:

for block in &mut blocks {
    sponge(state);

    let mut dst_chunks = block.chunks_exact_mut(size_of::<u64>());
    for (src, dst_chunk) in state.iter_mut().zip(&mut dst_chunks) {
        dst_chunk.copy_from_slice(&src.to_le_bytes());
    }
    assert!(dst_chunks.into_remainder().is_empty());
}

This does permute then read, while bash-prg-hash needs read then permute for the first block after commit(OUT) (and then permutation between full-rate blocks).
So the first output block must come from the current committed state, without an extra permutation. With current API, that path cannot be expressed directly, so reader squeeze still needs custom logic.

Should I left it as-is, or maybe another mode in SpongeCursor?

[makavity]

I've commited it without squeeze from SpongeCursor, have no idea how to use it in current approach.

[newpavlov]

Should I left it as-as, or maybe another mode in SpongeCursor?

Can not say right now, I will need to read the spec first.

[newpavlov]

Are there any vectors for customized hashing? IIUC they are not part of the STB. It may be worth to generate synthetic tests for it.

[makavity]

I'll check the testing methodic and will extend the tests.

[makavity]

Found it in the methodics.
https://apmi.bsu.by/assets/files/std/met-v10.zip

I'll add it and tweak xof_test for the try_new_customized.

[newpavlov]

See the cshake test for an example. We probably will add a function for this into a future version of digest.

[newpavlov]

I refactored the code a fair bit. Feel free to comment on the changes if something is not clear or if you have suggestions on how we could improve it.

I think this PR is mostly ready for merge. We only need to release sponge-cursor and add tests for customized hashes.

[newpavlov]

This looks a bit weird, but I guess it's a consequence of mixing little-endian byte order and big-endian bit order in the spec and commit acting on the state outside of the rate part. For comparison, in cshake and turboshake we use self.state[RATE / 8 - 1] ^= 1 << 63;.

[makavity]

I refactored the code a fair bit. Feel free to comment on the changes if something is not clear or if you have suggestions on how we could improve it.

Looks like the commit 1dc21053 broke the customization flow.
I'll commit the tests with announce, which worked before commit and continue to investigate.

[makavity]

Just misspell in the header length calculation.