crypto: add a crypto.sha3 hash and extended output functions (#21664)

vlib/crypto/hmac/hmac_test.v

@@ -5,6 +5,7 @@ import crypto.md5
 import crypto.sha1
 import crypto.sha256
 import crypto.sha512
+import crypto.sha3
 import crypto.blake2s
 import crypto.blake2b
 import crypto.blake3
@@ -13,10 +14,6 @@ import crypto.blake3
 // import crypto.md4
 // import crypto.md5sha1
 // import crypto.ripemd160
-// import crypto.sha3_224
-// import crypto.sha3_256
-// import crypto.sha3_384
-// import crypto.sha3_512
 
 const keys = [
 	[u8(0xb), 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb],
@@ -307,6 +304,78 @@ fn test_hmac_blake3_256() {
 	}
 }
 
+fn test_hmac_sha3_512() {
+	sha3_512_expected_results := [
+		'd2d9588c7e7886b08e09b56a7ac9d7e30a4badf13b37a041f5dfde34d87c086b5db1a7ec679bcfce81fa2eee982573c01dfb8d988e302f78d7b20d7d7ac2dfd7',
+		'5a4bfeab6166427c7a3647b747292b8384537cdb89afb3bf5665e4c5e709350b287baec921fd7ca0ee7a0c31d022a95e1fc92ba9d77df883960275beb4e62024',
+		'f25055024a17dfe15a25d6c40b00f45e8548f641844f2288170430ba0b7889bfaf04d9398121d165375300fe813f3cb6db9639921dcfb712b9177b8f5261d474',
+		'b27eab1d6e8d87461c29f7f5739dd58e98aa35f8e823ad38c5492a2088fa0281993bbfff9a0e9c6bf121ae9ec9bb09d84a5ebac817182ea974673fb133ca0d1d',
+		'69e9553223ede3637f08f9cc01ea9ded8f3b4202b5cc1feb60071e195a942f0ca0fa1cd70d3f1f9f24b2e18057b3001e7d5160e61eb6099f75ea4e0d6b849bd2',
+		'eea495d39d9a07154b1266b028e233b9fd84de884ac8f0578e679f095ef14da96d0a355ed4738565884aec755c1b3f5ff09a918b437f6526e17dd8e77f425b95',
+		'1488670c683959b5304fa17c172bea81724a249b44981a3eb52cfc66ff0758b7cd1204745131b8adbc714db7fc4550ce26af5f2326067ad1e699f05cae8bb792',
+	]
+
+	mut result := ''
+	for i, key in hmac.keys {
+		result = new(key, hmac.data[i], sha3.sum512, sha3.rate_512).hex()
+		assert result == sha3_512_expected_results[i]
+	}
+}
+
+fn test_hmac_sha3_384() {
+	sha3_384_expected_results := [
+		'b34fdb255dc7fb7f0c4bb2c1caeb0379b81ece60ec1b3cb2c5ec509141fcb77ca16d1e06f93049734be4948e24b932e3',
+		'f1101f8cbf9766fd6764d2ed61903f21ca9b18f57cf3e1a23ca13508a93243ce48c045dc007f26a21b3f5e0e9df4c20a',
+		'5bd8a0b98f9f4201eaec41d01fd1e274c266a2517527c1879b0460a692e1a430aefb82f0c9aea33406582ffeeef0bba6',
+		'3a5d7a879702c086bc96d1dd8aa15d9c46446b95521311c606fdc4e308f4b984da2d0f9449b3ba8425ec7fb8c31bc136',
+		'0cdfc206fd95ca1f27e8e8bd443164814460ca50f8d34d776b18f9eb300231a3d5bace731f694a59faa84c2e4ae7e235',
+		'7172a2a2bb002c22669a2f85b8faaacfcc4e8a19d47ef5ee7a97f79bf21e1d89403ab3768b43929f12eded01e3ddd604',
+		'45081e207f796f372aff5a098249f52d045e350ed5c805b3445a79ad0d4931c4b86d41bd1bb2ac935d1b32c344d56709',
+	]
+
+	mut result := ''
+	for i, key in hmac.keys {
+		result = new(key, hmac.data[i], sha3.sum384, sha3.rate_384).hex()
+		assert result == sha3_384_expected_results[i]
+	}
+}
+
+fn test_hmac_sha3_256() {
+	sha3_256_expected_results := [
+		'874d1d4e6e8302439bf707052e5d787d92bffcf0715853784e30da740a81e198',
+		'c7d4072e788877ae3596bbb0da73b887c9171f93095b294ae857fbe2645e1ba5',
+		'b55008323817b4df9398f32fd09d3ce624a3ac2a4f329c3b750c47647990de2a',
+		'57366a45e2305321a4bc5aa5fe2ef8a921f6af8273d7fe7be6cfedb3f0aea6d7',
+		'a0cd54f140b61480cd22120d600e30c2508c4ae0d335fd69770f2b4ddc80cd19',
+		'016a1a59d67944c350d992a9bc1e8e7f6d1ace9c9ff6be92eda103961fe897ab',
+		'415c2b5cde6b2aecd637fa2384aa87e5a0b0c5bc20d53550bbac5474b18769bf',
+	]
+
+	mut result := ''
+	for i, key in hmac.keys {
+		result = new(key, hmac.data[i], sha3.sum256, sha3.rate_256).hex()
+		assert result == sha3_256_expected_results[i]
+	}
+}
+
+fn test_hmac_sha3_224() {
+	sha3_224_expected_results := [
+		'f68da7f7bf577de799bb1224b7acfef9e8de015a63475ed5904a4693',
+		'7fdb8dd88bd2f60d1b798634ad386811c2cfc85bfaf5d52bbace5e66',
+		'3c9b90dbbd88c2af888fb1b43ec9d424c7fbf0d2b9d0140952b110b5',
+		'a9d7685a19c4e0dbd9df2556cc8a7d2a7733b67625ce594c78270eeb',
+		'f865c4fe082e4dd1873a9d83e1ca3bf827c3256d91274574a8b66f13',
+		'852c3fb04b18a04df20c007e608027c44230fdd440cf7a50a0bc4fd9',
+		'14db797c7f4c69fd1d4c0ababeb9f90971fc62622cc7852dee156265',
+	]
+
+	mut result := ''
+	for i, key in hmac.keys {
+		result = new(key, hmac.data[i], sha3.sum224, sha3.rate_224).hex()
+		assert result == sha3_224_expected_results[i]
+	}
+}
+
 fn test_hmac_equal() {
 	mac1_1 := '7641c48a3b4aa8f887c07b3e83f96affb89c978fed8c96fcbbf4ad596eebfe496f9f16da6cd080ba393c6f365ad72b50d15c71bfb1d6b81f66a911786c6ce932'.bytes()
 	mac1_2 := '7641c48a3b4aa8f887c07b3e83f96affb89c978fed8c96fcbbf4ad596eebfe496f9f16da6cd080ba393c6f365ad72b50d15c71bfb1d6b81f66a911786c6ce932'.bytes()
@@ -317,41 +386,3 @@ fn test_hmac_equal() {
 	assert !equal(mac1_1, mac2_1)
 	assert !equal(mac1_1, mac2_2)
 }
-
-// not yet supported by crypto module
-// sha3_224_expected_results  := [
-// 'f68da7f7bf577de799bb1224b7acfef9e8de015a63475ed5904a4693'
-// '7fdb8dd88bd2f60d1b798634ad386811c2cfc85bfaf5d52bbace5e66'
-// '3c9b90dbbd88c2af888fb1b43ec9d424c7fbf0d2b9d0140952b110b5'
-// 'a9d7685a19c4e0dbd9df2556cc8a7d2a7733b67625ce594c78270eeb'
-// 'f865c4fe082e4dd1873a9d83e1ca3bf827c3256d91274574a8b66f13'
-// '852c3fb04b18a04df20c007e608027c44230fdd440cf7a50a0bc4fd9'
-// '14db797c7f4c69fd1d4c0ababeb9f90971fc62622cc7852dee156265'
-// ]
-// sha3_256_expected_results  := [
-// '874d1d4e6e8302439bf707052e5d787d92bffcf0715853784e30da740a81e198'
-// 'c7d4072e788877ae3596bbb0da73b887c9171f93095b294ae857fbe2645e1ba5'
-// 'b55008323817b4df9398f32fd09d3ce624a3ac2a4f329c3b750c47647990de2a'
-// '57366a45e2305321a4bc5aa5fe2ef8a921f6af8273d7fe7be6cfedb3f0aea6d7'
-// 'a0cd54f140b61480cd22120d600e30c2508c4ae0d335fd69770f2b4ddc80cd19'
-// '016a1a59d67944c350d992a9bc1e8e7f6d1ace9c9ff6be92eda103961fe897ab'
-// '415c2b5cde6b2aecd637fa2384aa87e5a0b0c5bc20d53550bbac5474b18769bf'
-// ]
-// sha3_384_expected_results  := [
-// 'b34fdb255dc7fb7f0c4bb2c1caeb0379b81ece60ec1b3cb2c5ec509141fcb77ca16d1e06f93049734be4948e24b932e3'
-// 'f1101f8cbf9766fd6764d2ed61903f21ca9b18f57cf3e1a23ca13508a93243ce48c045dc007f26a21b3f5e0e9df4c20a'
-// '5bd8a0b98f9f4201eaec41d01fd1e274c266a2517527c1879b0460a692e1a430aefb82f0c9aea33406582ffeeef0bba6'
-// '3a5d7a879702c086bc96d1dd8aa15d9c46446b95521311c606fdc4e308f4b984da2d0f9449b3ba8425ec7fb8c31bc136'
-// '0cdfc206fd95ca1f27e8e8bd443164814460ca50f8d34d776b18f9eb300231a3d5bace731f694a59faa84c2e4ae7e235'
-// '7172a2a2bb002c22669a2f85b8faaacfcc4e8a19d47ef5ee7a97f79bf21e1d89403ab3768b43929f12eded01e3ddd604'
-// '45081e207f796f372aff5a098249f52d045e350ed5c805b3445a79ad0d4931c4b86d41bd1bb2ac935d1b32c344d56709'
-// ]
-// sha3_512_expected_results  := [
-// 'd2d9588c7e7886b08e09b56a7ac9d7e30a4badf13b37a041f5dfde34d87c086b5db1a7ec679bcfce81fa2eee982573c01dfb8d988e302f78d7b20d7d7ac2dfd7'
-// '5a4bfeab6166427c7a3647b747292b8384537cdb89afb3bf5665e4c5e709350b287baec921fd7ca0ee7a0c31d022a95e1fc92ba9d77df883960275beb4e62024'
-// 'f25055024a17dfe15a25d6c40b00f45e8548f641844f2288170430ba0b7889bfaf04d9398121d165375300fe813f3cb6db9639921dcfb712b9177b8f5261d474'
-// 'b27eab1d6e8d87461c29f7f5739dd58e98aa35f8e823ad38c5492a2088fa0281993bbfff9a0e9c6bf121ae9ec9bb09d84a5ebac817182ea974673fb133ca0d1d'
-// '69e9553223ede3637f08f9cc01ea9ded8f3b4202b5cc1feb60071e195a942f0ca0fa1cd70d3f1f9f24b2e18057b3001e7d5160e61eb6099f75ea4e0d6b849bd2'
-// 'eea495d39d9a07154b1266b028e233b9fd84de884ac8f0578e679f095ef14da96d0a355ed4738565884aec755c1b3f5ff09a918b437f6526e17dd8e77f425b95'
-// '1488670c683959b5304fa17c172bea81724a249b44981a3eb52cfc66ff0758b7cd1204745131b8adbc714db7fc4550ce26af5f2326067ad1e699f05cae8bb792'
-// ]

vlib/crypto/sha3/sha3.v

@@ -0,0 +1,362 @@
+// Copyright (c) 2023 Kim Shrier. All rights reserved.
+// Use of this source code is governed by an MIT license
+// that can be found in the LICENSE file.
+// Package sha3 implements the 512, 384, 256, and 224
+// bit hash algorithms and the 128 and 256 bit
+// extended output functions as defined in
+// https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf.
+// Last updated: August 2015
+module sha3
+
+import math
+
+// size_224 is the size, in bytes, of a sha3 sum224 checksum.
+pub const size_224 = 28
+// size_256 is the size, in bytes, of a sha3 sum256 checksum.
+pub const size_256 = 32
+// size_384 is the size, in bytes, of a sha3 sum384 checksum.
+pub const size_384 = 48
+// size_512 is the size, in bytes, of a sha3 sum512 checksum.
+pub const size_512 = 64
+
+// rate_224 is the rate, in bytes, absorbed into the sponge on every permutation
+pub const rate_224 = 144
+// rate_256 is the rate, in bytes, absorbed into the sponge on every permutation
+pub const rate_256 = 136
+// rate_384 is the rate, in bytes, absorbed into the sponge on every permutation
+pub const rate_384 = 104
+// rate_512 is the rate, in bytes, absorbed into the sponge on every permutation
+pub const rate_512 = 72
+
+// xof_rate_128 is the capacity, in bytes, of a 128 bit extended output function sponge
+pub const xof_rate_128 = 168
+// xof_rate_256 is the capacity, in bytes, of a 256 bit extended output function sponge
+pub const xof_rate_256 = 136
+
+// the low order pad bits for a hash function
+const hash_pad = u8(0x06)
+
+// the low order pad bits for an extended output function
+const xof_pad = u8(0x1f)
+
+// new512 initializes the digest structure for a sha3 512 bit hash
+pub fn new512() !&Digest {
+	return new_digest(sha3.rate_512, sha3.size_512)!
+}
+
+// new384 initializes the digest structure for a sha3 384 bit hash
+pub fn new384() !&Digest {
+	return new_digest(sha3.rate_384, sha3.size_384)!
+}
+
+// new256 initializes the digest structure for a sha3 256 bit hash
+pub fn new256() !&Digest {
+	return new_digest(sha3.rate_256, sha3.size_256)!
+}
+
+// new224 initializes the digest structure for a sha3 224 bit hash
+pub fn new224() !&Digest {
+	return new_digest(sha3.rate_224, sha3.size_224)!
+}
+
+// new256_xof initializes the digest structure for a sha3 256 bit extended output function
+pub fn new256xof(output_len int) !&Digest {
+	return new_xof_digest(sha3.xof_rate_256, output_len)!
+}
+
+// new128_xof initializes the digest structure for a sha3 128 bit extended output function
+pub fn new128xof(output_len int) !&Digest {
+	return new_xof_digest(sha3.xof_rate_128, output_len)!
+}
+
+struct HashSizeError {
+	Error
+	size int
+}
+
+fn (err HashSizeError) msg() string {
+	return 'Hash size ${err.size} must be ${sha3.size_224}, ${sha3.size_256}, ${sha3.size_384}, or ${sha3.size_512}'
+}
+
+struct AbsorptionRateError {
+	Error
+	size int
+	rate int
+}
+
+fn (err AbsorptionRateError) msg() string {
+	return 'Absorption rate ${err.rate} is not compatible with a hash size of ${err.size}'
+}
+
+struct XOFRateError {
+	Error
+	rate int
+}
+
+fn (err XOFRateError) msg() string {
+	return 'Extended output rate ${err.rate} must be ${sha3.xof_rate_128} or ${sha3.xof_rate_256}'
+}
+
+struct XOFSizeError {
+	Error
+	size int
+}
+
+fn (err XOFSizeError) msg() string {
+	return 'Extended output size ${err.size} must be > 0'
+}
+
+struct Digest {
+	rate       int // the number of bytes absorbed per permutation
+	suffix     u8  // the domain suffix, 0x06 for hash, 0x1f for extended output
+	output_len int // the number of bytes to output
+mut:
+	input_buffer []u8  // temporary holding buffer for input bytes
+	s            State // the state of a kaccak-p[1600, 24] sponge
+}
+
+// new_digest creates an initialized digest structure based on
+// the hash size and whether or not you specify a MAC key.
+//
+// absorption_rate is the number of bytes to be absorbed into the
+//     sponge per permutation.
+//
+// hash_size - the number if bytes in the generated hash.
+//     Legal values are 224, 256, 384, and 512.
+pub fn new_digest(absorption_rate int, hash_size int) !&Digest {
+	match hash_size {
+		sha3.size_224 {
+			if absorption_rate != sha3.rate_224 {
+				return AbsorptionRateError{
+					rate: absorption_rate
+					size: hash_size
+				}
+			}
+		}
+		sha3.size_256 {
+			if absorption_rate != sha3.rate_256 {
+				return AbsorptionRateError{
+					rate: absorption_rate
+					size: hash_size
+				}
+			}
+		}
+		sha3.size_384 {
+			if absorption_rate != sha3.rate_384 {
+				return AbsorptionRateError{
+					rate: absorption_rate
+					size: hash_size
+				}
+			}
+		}
+		sha3.size_512 {
+			if absorption_rate != sha3.rate_512 {
+				return AbsorptionRateError{
+					rate: absorption_rate
+					size: hash_size
+				}
+			}
+		}
+		else {
+			return HashSizeError{
+				size: hash_size
+			}
+		}
+	}
+
+	d := Digest{
+		rate: absorption_rate
+		suffix: sha3.hash_pad
+		output_len: hash_size
+		s: State{}
+	}
+
+	return &d
+}
+
+// new_xof_digest creates an initialized digest structure based on
+// the absorption rate and how many bytes of output you need
+//
+// absorption_rate is the number of bytes to be absorbed into the
+//     sponge per permutation.  Legal values are xof_rate_128 and
+//     xof_rate_256.
+//
+// hash_size - the number if bytes in the generated hash.
+//     Legal values are positive integers.
+pub fn new_xof_digest(absorption_rate int, hash_size int) !&Digest {
+	match absorption_rate {
+		sha3.xof_rate_128, sha3.xof_rate_256 {
+			if hash_size < 1 {
+				return XOFSizeError{
+					size: hash_size
+				}
+			}
+		}
+		else {
+			return XOFRateError{
+				rate: absorption_rate
+			}
+		}
+	}
+
+	d := Digest{
+		rate: absorption_rate
+		suffix: sha3.xof_pad
+		output_len: hash_size
+		s: State{}
+	}
+
+	return &d
+}
+
+// write adds bytes to the sponge.
+//
+// This is the absorption phase of the computation.
+pub fn (mut d Digest) write(data []u8) ! {
+	// if no data is being added to the hash,
+	// just return
+	if data.len == 0 {
+		return
+	}
+
+	// absorb the input into the sponge
+	mut bytes_remaining := unsafe { data[..] }
+
+	if d.input_buffer.len != 0 {
+		// see if we can accumulate rate bytes to be absorbed
+		empty_space := d.rate - d.input_buffer.len
+
+		if bytes_remaining.len < empty_space {
+			d.input_buffer << bytes_remaining
+
+			// we have not accumulated rate bytes yet.
+			// just return.
+			return
+		} else {
+			// we have enough bytes to add rate bytes to the
+			// sponge.
+			d.input_buffer << bytes_remaining[..empty_space]
+			bytes_remaining = unsafe { bytes_remaining[empty_space..] }
+
+			// absorb them
+			d.s.xor_bytes(d.input_buffer[..d.rate], d.rate)
+			d.s.kaccak_p_1600_24()
+
+			d.input_buffer = ''.bytes()
+		}
+	}
+
+	// absorb the remaining bytes
+	for bytes_remaining.len >= d.rate {
+		d.s.xor_bytes(bytes_remaining[..d.rate], d.rate)
+		d.s.kaccak_p_1600_24()
+		bytes_remaining = unsafe { bytes_remaining[d.rate..] }
+	}
+
+	if bytes_remaining.len > 0 {
+		d.input_buffer = bytes_remaining
+	}
+
+	return
+}
+
+// checksum finalizes the hash and returns the generated bytes.
+pub fn (mut d Digest) checksum() []u8 {
+	return d.checksum_internal() or { panic(err) }
+}
+
+fn (mut d Digest) checksum_internal() ![]u8 {
+	// pad the last input bytes to have rate bytes
+	if d.input_buffer.len == d.rate - 1 {
+		// a single byte pad needs to be handled specially
+		d.input_buffer << u8(0x80 | d.suffix)
+	} else {
+		zero_pads := (d.rate - d.input_buffer.len) - 2
+
+		// add the first byte of padding
+		d.input_buffer << d.suffix
+
+		// add intermediate zero pad bytes
+		for _ in 0 .. zero_pads {
+			d.input_buffer << u8(0x00)
+		}
+
+		// add the last pad byte
+		d.input_buffer << u8(0x80)
+	}
+
+	d.s.xor_bytes(d.input_buffer[..d.rate], d.rate)
+	d.s.kaccak_p_1600_24()
+
+	// absorption is done.  on to squeezing.
+
+	// We know that we can extract rate bytes from the current
+	// state.  If the output_len is <= rate, we don't need to
+	// iterate and can just return the bytes from the current
+	// state.
+
+	if d.output_len <= d.rate {
+		return d.s.to_bytes()[..d.output_len]
+	}
+
+	// we need to squeeze the sponge a little harder to get
+	// longer strings of bytes.
+
+	mut output_bytes := []u8{cap: d.output_len}
+	mut remaining_ouput_len := d.output_len
+
+	for remaining_ouput_len > 0 {
+		mut byte_len_this_round := math.min[int](remaining_ouput_len, d.rate)
+		output_bytes << d.s.to_bytes()[..byte_len_this_round]
+
+		remaining_ouput_len -= byte_len_this_round
+
+		if remaining_ouput_len > 0 {
+			d.s.kaccak_p_1600_24()
+		}
+	}
+
+	return output_bytes
+}
+
+// sum512 returns the sha3 512 bit checksum of the data.
+pub fn sum512(data []u8) []u8 {
+	mut d := new512() or { panic(err) }
+	d.write(data) or { panic(err) }
+	return d.checksum_internal() or { panic(err) }
+}
+
+// sum384 returns the sha3 384 bit checksum of the data.
+pub fn sum384(data []u8) []u8 {
+	mut d := new384() or { panic(err) }
+	d.write(data) or { panic(err) }
+	return d.checksum_internal() or { panic(err) }
+}
+
+// sum256 returns the sha3 256 bit checksum of the data.
+pub fn sum256(data []u8) []u8 {
+	mut d := new256() or { panic(err) }
+	d.write(data) or { panic(err) }
+	return d.checksum_internal() or { panic(err) }
+}
+
+// sum224 returns the sha3 224 bit checksum of the data.
+pub fn sum224(data []u8) []u8 {
+	mut d := new224() or { panic(err) }
+	d.write(data) or { panic(err) }
+	return d.checksum_internal() or { panic(err) }
+}
+
+// shake256 returns the sha3 shake256 bit extended output
+pub fn shake256(data []u8, output_len int) []u8 {
+	mut d := new256xof(output_len) or { panic(err) }
+	d.write(data) or { panic(err) }
+	return d.checksum_internal() or { panic(err) }
+}
+
+// shake128 returns the sha3 shake128 bit extended output
+pub fn shake128(data []u8, output_len int) []u8 {
+	mut d := new128xof(output_len) or { panic(err) }
+	d.write(data) or { panic(err) }
+	return d.checksum_internal() or { panic(err) }
+}

vlib/crypto/sha3/sha3_state_generic.v

@@ -0,0 +1,311 @@
+// Copyright (c) 2023 Kim Shrier. All rights reserved.
+// Use of this source code is governed by an MIT license
+// that can be found in the LICENSE file.
+// Package sha3 implements the 512, 384, 256, and 224
+// bit hash algorithms and the 128 and 256 bit
+// extended output functions as defined in
+// https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf.
+// Last updated: August 2015
+module sha3
+
+import encoding.binary
+import math.bits
+
+// when the state is 1600 bits, a lane is 64 bits
+type Lane = u64
+
+// the state is a 5 x 5 array of lanes
+struct State {
+mut:
+	a [5][5]Lane
+}
+
+// to_bytes converts the state into a byte array
+//
+// A 1600 bit state fits into 200 bytes.
+//
+// The state consists of 25 u64 values arranged in a
+// 5 x 5 array.
+//
+// The state is not modified by this method.
+fn (s State) to_bytes() []u8 {
+	mut byte_array := []u8{len: 200, cap: 200}
+	mut index := 0
+
+	for y in 0 .. 5 {
+		for x in 0 .. 5 {
+			unsafe {
+				$if little_endian {
+					binary.little_endian_put_u64_at(mut byte_array, s.a[x][y], index)
+				} $else {
+					binary.big_endian_put_u64_at(mut byte_array, s.a[x][y], index)
+				}
+			}
+			index += 8
+		}
+	}
+
+	return byte_array
+}
+
+// from_bytes sets the state from an array of bytes
+//
+// A 1600 bit state fits into 200 bytes.  It is expected
+// that the input byte array is 200 bytes long.
+//
+// All 25 u64 values are set from the input byte array.
+fn (mut s State) from_bytes(byte_array []u8) {
+	mut index := 0
+
+	for y in 0 .. 5 {
+		for x in 0 .. 5 {
+			$if little_endian {
+				s.a[x][y] = binary.little_endian_u64_at(byte_array, index)
+			} $else {
+				s.a[x][y] = binary.big_endian_u64_at(byte_array, index)
+			}
+			index += 8
+		}
+	}
+}
+
+// xor_bytes xor's an array of bytes into the state
+//
+// This is how new data gets absorbed into the sponge.
+//
+// It is expected that the length of the byte array is
+// the same as the rate.  The rate is how many bytes
+// can be absorbed at one permutation of the state.
+//
+// The rate must be less than the size of the state
+// in bytes.
+fn (mut s State) xor_bytes(byte_array []u8, rate int) {
+	mut index := 0
+
+	for y in 0 .. 5 {
+		for x in 0 .. 5 {
+			$if little_endian {
+				s.a[x][y] ^= binary.little_endian_u64_at(byte_array, index)
+			} $else {
+				s.a[x][y] ^= binary.big_endian_u64_at(byte_array, index)
+			}
+			index += 8
+
+			if index >= rate {
+				return
+			}
+		}
+	}
+}
+
+// kaccak_p_1600_24 performs 24 rounnds on a 1600 bit state.
+//
+// The loop is unrolled to get a little better performance.
+fn (mut s State) kaccak_p_1600_24() {
+	s.rnd(0)
+	s.rnd(1)
+	s.rnd(2)
+	s.rnd(3)
+	s.rnd(4)
+	s.rnd(5)
+	s.rnd(6)
+	s.rnd(7)
+	s.rnd(8)
+	s.rnd(9)
+	s.rnd(10)
+	s.rnd(11)
+	s.rnd(12)
+	s.rnd(13)
+	s.rnd(14)
+	s.rnd(15)
+	s.rnd(16)
+	s.rnd(17)
+	s.rnd(18)
+	s.rnd(19)
+	s.rnd(20)
+	s.rnd(21)
+	s.rnd(22)
+	s.rnd(23)
+}
+
+// rnd is a single round of stepping functions.
+//
+// The definition of a round is the application of the stepping
+// functions theta, rho, pi, chi, and iota, in order, on the
+// state.  The round index also influences the outcome and is
+// constrained to be 0 <= round_index < 24.
+@[inline]
+fn (mut s State) rnd(round_index int) {
+	s.theta()
+	s.rho()
+	s.pi()
+	s.chi()
+	s.iota(round_index)
+}
+
+// theta is the first step mapping function.  It is defined as:
+//
+// 1. For all pairs (x, z) such that 0 <= x < 5 and 0 <= z < w, let
+//    C[x, z] = A[x, 0, z] xor A[x, 1, z] xor A[x, 2, z] xor A[x, 3, z] xor A[x, 4, z].
+// 2. For all pairs (x, z) such that 0 <= x < 5 and 0 <= z < w let
+//    D[x, z] = C[(x-1) mod 5, z] xor C[(x+1) mod 5, (z – 1) mod w].
+// 3. For all triples (x, y, z) such that 0 <= x < 5, 0 <= y < 5, and 0 <=≤ z < w, let
+//    A′[x, y, z] = A[x, y, z] xor D[x, z].
+//
+// A is the 5 x 5 x w state matrix.  w is the number of bits in the z axis, 64 in our case.
+//
+// We can represent a lane from the state matrix as a u64 value and operate
+// on all the bite in the lane with a single 64-bit operation.  And, since
+// we represent a lane as a u64 value, we can reduce the state to a 2
+// dimensional array of u64 values.
+@[inline]
+fn (mut s State) theta() {
+	// calculate the 5 intermediate C values
+	mut c := [5]Lane{init: 0}
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			c[x] ^= s.a[x][y]
+		}
+	}
+
+	// calculate the 5 intermediate D values
+	mut d := [5]Lane{init: 0}
+	for x in 0 .. 5 {
+		d[x] = bits.rotate_left_64(c[(x + 1) % 5], 1) ^ c[(x + 4) % 5]
+	}
+
+	// add the D values back into the state
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			s.a[x][y] ^= d[x]
+		}
+	}
+}
+
+// rho_offsets are the amount of rotation to apply to a particular lane
+// given its position in the state matrix.
+const rho_offsets = [[int(0), 36, 3, 41, 18], [int(1), 44, 10, 45, 2],
+	[int(62), 6, 43, 15, 61], [int(28), 55, 25, 21, 56], [int(27), 20, 39, 8, 14]]
+
+// rho is the second step mapping function.  It is defined as:
+//
+// 1. For all z such that 0 <= z < w, let A′ [0, 0, z] = A[0, 0, z].
+// 2. Let (x, y) = (1, 0).
+// 3. For t from 0 to 23:
+//      a. for all z such that 0 <= z < w, let A′[x, y, z] = A[x, y, (z – (t + 1)(t + 2)/2) mod w];
+//      b. let (x, y) = (y, (2x + 3y) mod 5).
+//
+// A is the 5 x 5 x w state matrix.  w is the number of bits in the z axis, 64 in our case.
+//
+// Step 1 looks worthless since A' will be overwtitten by step 3a.
+//
+// Steps 2 and 3b are defining how the x and y values are initialized and updated
+// as t goes from 0 to 23.  Notice that the initial value of x, y of 0, 0 is not
+// calculated and is just zero.  The other 24 values needed are calculated,
+// making a total of 25, which is the total number of lanes in the state.  By
+// setting the offset at 0, 0 to 0, that lane does not get rotated.
+//
+// The effect of step 3a is to rotate a 64-bit lane by the amount calculated by
+// (((t + 1) * (t + 2)) / 2) % 64.  In order to save time, these rotation values,
+// called offsets, can be calculated ahead of time.
+@[inline]
+fn (mut s State) rho() {
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			s.a[x][y] = bits.rotate_left_64(s.a[x][y], sha3.rho_offsets[x][y])
+		}
+	}
+}
+
+// pi is the third step mapping function.  It is defined as:
+//
+// 1. For all triples (x, y, z) such that 0 <= x < 5, 0 <= y < 5, and 0 <= z < w, let
+//    A′[x, y, z]= A[(x + 3y) mod 5, x, z].
+//
+// A is the 5 x 5 x w state matrix.  w is the number of bits in the z axis, 64 in our case.
+//
+// For this function, we will need to have a temporary version of the state for
+// holding the rearranged lanes.
+@[inline]
+fn (mut s State) pi() {
+	mut a_prime := [5][5]Lane{}
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			a_prime[x][y] = s.a[(x + (3 * y)) % 5][x]
+		}
+	}
+
+	// make the temporary state be the returned state
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			s.a[x][y] = a_prime[x][y]
+		}
+	}
+}
+
+// chi is the fourth step mapping function.  It is defined as:
+//
+// 1. For all triples (x, y, z) such that 0 <= x < 5, 0 <= y < 5, and 0 <= z < w, let
+//    A′ [x, y, z] = A[x, y, z] xor ((A[(x+1) mod 5, y, z] xor 1) & A[(x+2) mod 5, y, z]).
+//
+// A is the 5 x 5 x w state matrix.  w is the number of bits in the z axis, 64 in our case.
+//
+// The effect of chi is to XOR each bit with a non-linear function of two other bits
+// in its row.
+//
+// For this function, we will need to have a temporary version of the state for
+// holding the changed lanes.
+@[inline]
+fn (mut s State) chi() {
+	mut a_prime := [5][5]Lane{}
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			a_prime[x][y] = s.a[x][y] ^ (~(s.a[(x + 1) % 5][y]) & s.a[(x + 2) % 5][y])
+		}
+	}
+
+	// make the temporary state be the returned state
+	for x in 0 .. 5 {
+		for y in 0 .. 5 {
+			s.a[x][y] = a_prime[x][y]
+		}
+	}
+}
+
+// iota_round_constants are precomputed xor masks for the iota function
+const iota_round_constants = [u64(0x0000000000000001), 0x0000000000008082, 0x800000000000808a,
+	0x8000000080008000, 0x000000000000808b, 0x0000000080000001, 0x8000000080008081,
+	0x8000000000008009, 0x000000000000008a, 0x0000000000000088, 0x0000000080008009,
+	0x000000008000000a, 0x000000008000808b, 0x800000000000008b, 0x8000000000008089,
+	0x8000000000008003, 0x8000000000008002, 0x8000000000000080, 0x000000000000800a,
+	0x800000008000000a, 0x8000000080008081, 0x8000000000008080, 0x0000000080000001,
+	0x8000000080008008]
+
+// iota is the fifth step mapping function.  It is defined as:
+//
+// 1. For all triples (x, y, z) such that 0 <= x < 5, 0 <= y < 5, and 0 <= z < w, let
+//    A′[x, y, z] = A[x, y, z].
+// 2. Let RC = 0**w
+// 3. For j from 0 to l, let RC[2**j – 1] = rc(j + 7i_r).
+// 4. For all z such that 0 ≤ z < w, let A′ [0, 0, z] = A′ [0, 0, z] xor RC[z].
+//
+// A is the 5 x 5 x w state matrix.  w is the number of bits in the z axis, 64 in our case.
+//
+// This is pretty ugly.  Fortunately, all the uglyness can be precomputed so that
+// all we need to do is xor lane 0, 0 with the appropriate precomputed value.  These
+// precomputed values are indexed by the round which is being applied.  For sha3,
+// the number of rounds is 24 so we just need to precompute the 24 valuse needed
+// to xor with lane 0, 0.
+@[inline]
+fn (mut s State) iota(round_index int) {
+	s.a[0][0] ^= sha3.iota_round_constants[round_index]
+}
+
+fn (s State) str() string {
+	mut output := '\n             y = 0            y = 1            y = 2            y = 3            y = 4\n'
+	for x in 0 .. 5 {
+		output += 'x = ${x}: ${s.a[x][0]:016x} ${s.a[x][1]:016x} ${s.a[x][2]:016x} ${s.a[x][3]:016x} ${s.a[x][4]:016x}\n'
+	}
+
+	return output
+}

vlib/crypto/sha3/sha3_test.v

@@ -0,0 +1,236 @@
+module sha3
+
+const empty_message_sha3_224 = [u8(0x6B), 0x4E, 0x03, 0x42, 0x36, 0x67, 0xDB, 0xB7, 0x3B, 0x6E,
+	0x15, 0x45, 0x4F, 0x0E, 0xB1, 0xAB, 0xD4, 0x59, 0x7F, 0x9A, 0x1B, 0x07, 0x8E, 0x3F, 0x5B, 0x5A,
+	0x6B, 0xC7]
+const empty_message_sha3_256 = [u8(0xA7), 0xFF, 0xC6, 0xF8, 0xBF, 0x1E, 0xD7, 0x66, 0x51, 0xC1,
+	0x47, 0x56, 0xA0, 0x61, 0xD6, 0x62, 0xF5, 0x80, 0xFF, 0x4D, 0xE4, 0x3B, 0x49, 0xFA, 0x82, 0xD8,
+	0x0A, 0x4B, 0x80, 0xF8, 0x43, 0x4A]
+const empty_message_sha3_384 = [u8(0x0C), 0x63, 0xA7, 0x5B, 0x84, 0x5E, 0x4F, 0x7D, 0x01, 0x10,
+	0x7D, 0x85, 0x2E, 0x4C, 0x24, 0x85, 0xC5, 0x1A, 0x50, 0xAA, 0xAA, 0x94, 0xFC, 0x61, 0x99, 0x5E,
+	0x71, 0xBB, 0xEE, 0x98, 0x3A, 0x2A, 0xC3, 0x71, 0x38, 0x31, 0x26, 0x4A, 0xDB, 0x47, 0xFB, 0x6B,
+	0xD1, 0xE0, 0x58, 0xD5, 0xF0, 0x04]
+const empty_message_sha3_512 = [u8(0xA6), 0x9F, 0x73, 0xCC, 0xA2, 0x3A, 0x9A, 0xC5, 0xC8, 0xB5,
+	0x67, 0xDC, 0x18, 0x5A, 0x75, 0x6E, 0x97, 0xC9, 0x82, 0x16, 0x4F, 0xE2, 0x58, 0x59, 0xE0, 0xD1,
+	0xDC, 0xC1, 0x47, 0x5C, 0x80, 0xA6, 0x15, 0xB2, 0x12, 0x3A, 0xF1, 0xF5, 0xF9, 0x4C, 0x11, 0xE3,
+	0xE9, 0x40, 0x2C, 0x3A, 0xC5, 0x58, 0xF5, 0x00, 0x19, 0x9D, 0x95, 0xB6, 0xD3, 0xE3, 0x01, 0x75,
+	0x85, 0x86, 0x28, 0x1D, 0xCD, 0x26]
+
+fn test_0_length_hash() {
+	input := []u8{}
+
+	output_224 := sum224(input)
+	assert output_224 == sha3.empty_message_sha3_224
+
+	output_256 := sum256(input)
+	assert output_256 == sha3.empty_message_sha3_256
+
+	output_384 := sum384(input)
+	assert output_384 == sha3.empty_message_sha3_384
+
+	output_512 := sum512(input)
+	assert output_512 == sha3.empty_message_sha3_512
+}
+
+const input_200 = [u8(0xa3), 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3,
+	0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3, 0xa3]
+
+const test_200_message_sha3_224 = [u8(0x93), 0x76, 0x81, 0x6A, 0xBA, 0x50, 0x3F, 0x72, 0xF9, 0x6C,
+	0xE7, 0xEB, 0x65, 0xAC, 0x09, 0x5D, 0xEE, 0xE3, 0xBE, 0x4B, 0xF9, 0xBB, 0xC2, 0xA1, 0xCB, 0x7E,
+	0x11, 0xE0]
+
+const test_200_message_sha3_256 = [u8(0x79), 0xF3, 0x8A, 0xDE, 0xC5, 0xC2, 0x03, 0x07, 0xA9, 0x8E,
+	0xF7, 0x6E, 0x83, 0x24, 0xAF, 0xBF, 0xD4, 0x6C, 0xFD, 0x81, 0xB2, 0x2E, 0x39, 0x73, 0xC6, 0x5F,
+	0xA1, 0xBD, 0x9D, 0xE3, 0x17, 0x87]
+
+const test_200_message_sha3_384 = [u8(0x18), 0x81, 0xDE, 0x2C, 0xA7, 0xE4, 0x1E, 0xF9, 0x5D, 0xC4,
+	0x73, 0x2B, 0x8F, 0x5F, 0x00, 0x2B, 0x18, 0x9C, 0xC1, 0xE4, 0x2B, 0x74, 0x16, 0x8E, 0xD1, 0x73,
+	0x26, 0x49, 0xCE, 0x1D, 0xBC, 0xDD, 0x76, 0x19, 0x7A, 0x31, 0xFD, 0x55, 0xEE, 0x98, 0x9F, 0x2D,
+	0x70, 0x50, 0xDD, 0x47, 0x3E, 0x8F]
+
+const test_200_message_sha3_512 = [u8(0xE7), 0x6D, 0xFA, 0xD2, 0x20, 0x84, 0xA8, 0xB1, 0x46, 0x7F,
+	0xCF, 0x2F, 0xFA, 0x58, 0x36, 0x1B, 0xEC, 0x76, 0x28, 0xED, 0xF5, 0xF3, 0xFD, 0xC0, 0xE4, 0x80,
+	0x5D, 0xC4, 0x8C, 0xAE, 0xEC, 0xA8, 0x1B, 0x7C, 0x13, 0xC3, 0x0A, 0xDF, 0x52, 0xA3, 0x65, 0x95,
+	0x84, 0x73, 0x9A, 0x2D, 0xF4, 0x6B, 0xE5, 0x89, 0xC5, 0x1C, 0xA1, 0xA4, 0xA8, 0x41, 0x6D, 0xF6,
+	0x54, 0x5A, 0x1C, 0xE8, 0xBA, 0x00]
+
+fn test_200_length_hash() {
+	output_224 := sum224(sha3.input_200)
+	assert output_224 == sha3.test_200_message_sha3_224
+
+	output_256 := sum256(sha3.input_200)
+	assert output_256 == sha3.test_200_message_sha3_256
+
+	output_384 := sum384(sha3.input_200)
+	assert output_384 == sha3.test_200_message_sha3_384
+
+	output_512 := sum512(sha3.input_200)
+	assert output_512 == sha3.test_200_message_sha3_512
+}
+
+const empty_message_shake128 = [u8(0x7F), 0x9C, 0x2B, 0xA4, 0xE8, 0x8F, 0x82, 0x7D, 0x61, 0x60,
+	0x45, 0x50, 0x76, 0x05, 0x85, 0x3E, 0xD7, 0x3B, 0x80, 0x93, 0xF6, 0xEF, 0xBC, 0x88, 0xEB, 0x1A,
+	0x6E, 0xAC, 0xFA, 0x66, 0xEF, 0x26, 0x3C, 0xB1, 0xEE, 0xA9, 0x88, 0x00, 0x4B, 0x93, 0x10, 0x3C,
+	0xFB, 0x0A, 0xEE, 0xFD, 0x2A, 0x68, 0x6E, 0x01, 0xFA, 0x4A, 0x58, 0xE8, 0xA3, 0x63, 0x9C, 0xA8,
+	0xA1, 0xE3, 0xF9, 0xAE, 0x57, 0xE2, 0x35, 0xB8, 0xCC, 0x87, 0x3C, 0x23, 0xDC, 0x62, 0xB8, 0xD2,
+	0x60, 0x16, 0x9A, 0xFA, 0x2F, 0x75, 0xAB, 0x91, 0x6A, 0x58, 0xD9, 0x74, 0x91, 0x88, 0x35, 0xD2,
+	0x5E, 0x6A, 0x43, 0x50, 0x85, 0xB2, 0xBA, 0xDF, 0xD6, 0xDF, 0xAA, 0xC3, 0x59, 0xA5, 0xEF, 0xBB,
+	0x7B, 0xCC, 0x4B, 0x59, 0xD5, 0x38, 0xDF, 0x9A, 0x04, 0x30, 0x2E, 0x10, 0xC8, 0xBC, 0x1C, 0xBF,
+	0x1A, 0x0B, 0x3A, 0x51, 0x20, 0xEA, 0x17, 0xCD, 0xA7, 0xCF, 0xAD, 0x76, 0x5F, 0x56, 0x23, 0x47,
+	0x4D, 0x36, 0x8C, 0xCC, 0xA8, 0xAF, 0x00, 0x07, 0xCD, 0x9F, 0x5E, 0x4C, 0x84, 0x9F, 0x16, 0x7A,
+	0x58, 0x0B, 0x14, 0xAA, 0xBD, 0xEF, 0xAE, 0xE7, 0xEE, 0xF4, 0x7C, 0xB0, 0xFC, 0xA9, 0x76, 0x7B,
+	0xE1, 0xFD, 0xA6, 0x94, 0x19, 0xDF, 0xB9, 0x27, 0xE9, 0xDF, 0x07, 0x34, 0x8B, 0x19, 0x66, 0x91,
+	0xAB, 0xAE, 0xB5, 0x80, 0xB3, 0x2D, 0xEF, 0x58, 0x53, 0x8B, 0x8D, 0x23, 0xF8, 0x77, 0x32, 0xEA,
+	0x63, 0xB0, 0x2B, 0x4F, 0xA0, 0xF4, 0x87, 0x33, 0x60, 0xE2, 0x84, 0x19, 0x28, 0xCD, 0x60, 0xDD,
+	0x4C, 0xEE, 0x8C, 0xC0, 0xD4, 0xC9, 0x22, 0xA9, 0x61, 0x88, 0xD0, 0x32, 0x67, 0x5C, 0x8A, 0xC8,
+	0x50, 0x93, 0x3C, 0x7A, 0xFF, 0x15, 0x33, 0xB9, 0x4C, 0x83, 0x4A, 0xDB, 0xB6, 0x9C, 0x61, 0x15,
+	0xBA, 0xD4, 0x69, 0x2D, 0x86, 0x19, 0xF9, 0x0B, 0x0C, 0xDF, 0x8A, 0x7B, 0x9C, 0x26, 0x40, 0x29,
+	0xAC, 0x18, 0x5B, 0x70, 0xB8, 0x3F, 0x28, 0x01, 0xF2, 0xF4, 0xB3, 0xF7, 0x0C, 0x59, 0x3E, 0xA3,
+	0xAE, 0xEB, 0x61, 0x3A, 0x7F, 0x1B, 0x1D, 0xE3, 0x3F, 0xD7, 0x50, 0x81, 0xF5, 0x92, 0x30, 0x5F,
+	0x2E, 0x45, 0x26, 0xED, 0xC0, 0x96, 0x31, 0xB1, 0x09, 0x58, 0xF4, 0x64, 0xD8, 0x89, 0xF3, 0x1B,
+	0xA0, 0x10, 0x25, 0x0F, 0xDA, 0x7F, 0x13, 0x68, 0xEC, 0x29, 0x67, 0xFC, 0x84, 0xEF, 0x2A, 0xE9,
+	0xAF, 0xF2, 0x68, 0xE0, 0xB1, 0x70, 0x0A, 0xFF, 0xC6, 0x82, 0x0B, 0x52, 0x3A, 0x3D, 0x91, 0x71,
+	0x35, 0xF2, 0xDF, 0xF2, 0xEE, 0x06, 0xBF, 0xE7, 0x2B, 0x31, 0x24, 0x72, 0x1D, 0x4A, 0x26, 0xC0,
+	0x4E, 0x53, 0xA7, 0x5E, 0x30, 0xE7, 0x3A, 0x7A, 0x9C, 0x4A, 0x95, 0xD9, 0x1C, 0x55, 0xD4, 0x95,
+	0xE9, 0xF5, 0x1D, 0xD0, 0xB5, 0xE9, 0xD8, 0x3C, 0x6D, 0x5E, 0x8C, 0xE8, 0x03, 0xAA, 0x62, 0xB8,
+	0xD6, 0x54, 0xDB, 0x53, 0xD0, 0x9B, 0x8D, 0xCF, 0xF2, 0x73, 0xCD, 0xFE, 0xB5, 0x73, 0xFA, 0xD8,
+	0xBC, 0xD4, 0x55, 0x78, 0xBE, 0xC2, 0xE7, 0x70, 0xD0, 0x1E, 0xFD, 0xE8, 0x6E, 0x72, 0x1A, 0x3F,
+	0x7C, 0x6C, 0xCE, 0x27, 0x5D, 0xAB, 0xE6, 0xE2, 0x14, 0x3F, 0x1A, 0xF1, 0x8D, 0xA7, 0xEF, 0xDD,
+	0xC4, 0xC7, 0xB7, 0x0B, 0x5E, 0x34, 0x5D, 0xB9, 0x3C, 0xC9, 0x36, 0xBE, 0xA3, 0x23, 0x49, 0x1C,
+	0xCB, 0x38, 0xA3, 0x88, 0xF5, 0x46, 0xA9, 0xFF, 0x00, 0xDD, 0x4E, 0x13, 0x00, 0xB9, 0xB2, 0x15,
+	0x3D, 0x20, 0x41, 0xD2, 0x05, 0xB4, 0x43, 0xE4, 0x1B, 0x45, 0xA6, 0x53, 0xF2, 0xA5, 0xC4, 0x49,
+	0x2C, 0x1A, 0xDD, 0x54, 0x45, 0x12, 0xDD, 0xA2, 0x52, 0x98, 0x33, 0x46, 0x2B, 0x71, 0xA4, 0x1A,
+	0x45, 0xBE, 0x97, 0x29, 0x0B, 0x6F]
+
+const empty_message_shake256 = [u8(0x46), 0xB9, 0xDD, 0x2B, 0x0B, 0xA8, 0x8D, 0x13, 0x23, 0x3B,
+	0x3F, 0xEB, 0x74, 0x3E, 0xEB, 0x24, 0x3F, 0xCD, 0x52, 0xEA, 0x62, 0xB8, 0x1B, 0x82, 0xB5, 0x0C,
+	0x27, 0x64, 0x6E, 0xD5, 0x76, 0x2F, 0xD7, 0x5D, 0xC4, 0xDD, 0xD8, 0xC0, 0xF2, 0x00, 0xCB, 0x05,
+	0x01, 0x9D, 0x67, 0xB5, 0x92, 0xF6, 0xFC, 0x82, 0x1C, 0x49, 0x47, 0x9A, 0xB4, 0x86, 0x40, 0x29,
+	0x2E, 0xAC, 0xB3, 0xB7, 0xC4, 0xBE, 0x14, 0x1E, 0x96, 0x61, 0x6F, 0xB1, 0x39, 0x57, 0x69, 0x2C,
+	0xC7, 0xED, 0xD0, 0xB4, 0x5A, 0xE3, 0xDC, 0x07, 0x22, 0x3C, 0x8E, 0x92, 0x93, 0x7B, 0xEF, 0x84,
+	0xBC, 0x0E, 0xAB, 0x86, 0x28, 0x53, 0x34, 0x9E, 0xC7, 0x55, 0x46, 0xF5, 0x8F, 0xB7, 0xC2, 0x77,
+	0x5C, 0x38, 0x46, 0x2C, 0x50, 0x10, 0xD8, 0x46, 0xC1, 0x85, 0xC1, 0x51, 0x11, 0xE5, 0x95, 0x52,
+	0x2A, 0x6B, 0xCD, 0x16, 0xCF, 0x86, 0xF3, 0xD1, 0x22, 0x10, 0x9E, 0x3B, 0x1F, 0xDD, 0x94, 0x3B,
+	0x6A, 0xEC, 0x46, 0x8A, 0x2D, 0x62, 0x1A, 0x7C, 0x06, 0xC6, 0xA9, 0x57, 0xC6, 0x2B, 0x54, 0xDA,
+	0xFC, 0x3B, 0xE8, 0x75, 0x67, 0xD6, 0x77, 0x23, 0x13, 0x95, 0xF6, 0x14, 0x72, 0x93, 0xB6, 0x8C,
+	0xEA, 0xB7, 0xA9, 0xE0, 0xC5, 0x8D, 0x86, 0x4E, 0x8E, 0xFD, 0xE4, 0xE1, 0xB9, 0xA4, 0x6C, 0xBE,
+	0x85, 0x47, 0x13, 0x67, 0x2F, 0x5C, 0xAA, 0xAE, 0x31, 0x4E, 0xD9, 0x08, 0x3D, 0xAB, 0x4B, 0x09,
+	0x9F, 0x8E, 0x30, 0x0F, 0x01, 0xB8, 0x65, 0x0F, 0x1F, 0x4B, 0x1D, 0x8F, 0xCF, 0x3F, 0x3C, 0xB5,
+	0x3F, 0xB8, 0xE9, 0xEB, 0x2E, 0xA2, 0x03, 0xBD, 0xC9, 0x70, 0xF5, 0x0A, 0xE5, 0x54, 0x28, 0xA9,
+	0x1F, 0x7F, 0x53, 0xAC, 0x26, 0x6B, 0x28, 0x41, 0x9C, 0x37, 0x78, 0xA1, 0x5F, 0xD2, 0x48, 0xD3,
+	0x39, 0xED, 0xE7, 0x85, 0xFB, 0x7F, 0x5A, 0x1A, 0xAA, 0x96, 0xD3, 0x13, 0xEA, 0xCC, 0x89, 0x09,
+	0x36, 0xC1, 0x73, 0xCD, 0xCD, 0x0F, 0xAB, 0x88, 0x2C, 0x45, 0x75, 0x5F, 0xEB, 0x3A, 0xED, 0x96,
+	0xD4, 0x77, 0xFF, 0x96, 0x39, 0x0B, 0xF9, 0xA6, 0x6D, 0x13, 0x68, 0xB2, 0x08, 0xE2, 0x1F, 0x7C,
+	0x10, 0xD0, 0x4A, 0x3D, 0xBD, 0x4E, 0x36, 0x06, 0x33, 0xE5, 0xDB, 0x4B, 0x60, 0x26, 0x01, 0xC1,
+	0x4C, 0xEA, 0x73, 0x7D, 0xB3, 0xDC, 0xF7, 0x22, 0x63, 0x2C, 0xC7, 0x78, 0x51, 0xCB, 0xDD, 0xE2,
+	0xAA, 0xF0, 0xA3, 0x3A, 0x07, 0xB3, 0x73, 0x44, 0x5D, 0xF4, 0x90, 0xCC, 0x8F, 0xC1, 0xE4, 0x16,
+	0x0F, 0xF1, 0x18, 0x37, 0x8F, 0x11, 0xF0, 0x47, 0x7D, 0xE0, 0x55, 0xA8, 0x1A, 0x9E, 0xDA, 0x57,
+	0xA4, 0xA2, 0xCF, 0xB0, 0xC8, 0x39, 0x29, 0xD3, 0x10, 0x91, 0x2F, 0x72, 0x9E, 0xC6, 0xCF, 0xA3,
+	0x6C, 0x6A, 0xC6, 0xA7, 0x58, 0x37, 0x14, 0x30, 0x45, 0xD7, 0x91, 0xCC, 0x85, 0xEF, 0xF5, 0xB2,
+	0x19, 0x32, 0xF2, 0x38, 0x61, 0xBC, 0xF2, 0x3A, 0x52, 0xB5, 0xDA, 0x67, 0xEA, 0xF7, 0xBA, 0xAE,
+	0x0F, 0x5F, 0xB1, 0x36, 0x9D, 0xB7, 0x8F, 0x3A, 0xC4, 0x5F, 0x8C, 0x4A, 0xC5, 0x67, 0x1D, 0x85,
+	0x73, 0x5C, 0xDD, 0xDB, 0x09, 0xD2, 0xB1, 0xE3, 0x4A, 0x1F, 0xC0, 0x66, 0xFF, 0x4A, 0x16, 0x2C,
+	0xB2, 0x63, 0xD6, 0x54, 0x12, 0x74, 0xAE, 0x2F, 0xCC, 0x86, 0x5F, 0x61, 0x8A, 0xBE, 0x27, 0xC1,
+	0x24, 0xCD, 0x8B, 0x07, 0x4C, 0xCD, 0x51, 0x63, 0x01, 0xB9, 0x18, 0x75, 0x82, 0x4D, 0x09, 0x95,
+	0x8F, 0x34, 0x1E, 0xF2, 0x74, 0xBD, 0xAB, 0x0B, 0xAE, 0x31, 0x63, 0x39, 0x89, 0x43, 0x04, 0xE3,
+	0x58, 0x77, 0xB0, 0xC2, 0x8A, 0x9B, 0x1F, 0xD1, 0x66, 0xC7, 0x96, 0xB9, 0xCC, 0x25, 0x8A, 0x06,
+	0x4A, 0x8F, 0x57, 0xE2, 0x7F, 0x2A]
+
+fn test_0_length_xof() {
+	input := []u8{}
+
+	output_128 := shake128(input, 512)
+	assert output_128 == sha3.empty_message_shake128
+
+	output_256 := shake256(input, 512)
+	assert output_256 == sha3.empty_message_shake256
+}
+
+const test_200_message_shake128 = [u8(0x13), 0x1A, 0xB8, 0xD2, 0xB5, 0x94, 0x94, 0x6B, 0x9C, 0x81,
+	0x33, 0x3F, 0x9B, 0xB6, 0xE0, 0xCE, 0x75, 0xC3, 0xB9, 0x31, 0x04, 0xFA, 0x34, 0x69, 0xD3, 0x91,
+	0x74, 0x57, 0x38, 0x5D, 0xA0, 0x37, 0xCF, 0x23, 0x2E, 0xF7, 0x16, 0x4A, 0x6D, 0x1E, 0xB4, 0x48,
+	0xC8, 0x90, 0x81, 0x86, 0xAD, 0x85, 0x2D, 0x3F, 0x85, 0xA5, 0xCF, 0x28, 0xDA, 0x1A, 0xB6, 0xFE,
+	0x34, 0x38, 0x17, 0x19, 0x78, 0x46, 0x7F, 0x1C, 0x05, 0xD5, 0x8C, 0x7E, 0xF3, 0x8C, 0x28, 0x4C,
+	0x41, 0xF6, 0xC2, 0x22, 0x1A, 0x76, 0xF1, 0x2A, 0xB1, 0xC0, 0x40, 0x82, 0x66, 0x02, 0x50, 0x80,
+	0x22, 0x94, 0xFB, 0x87, 0x18, 0x02, 0x13, 0xFD, 0xEF, 0x5B, 0x0E, 0xCB, 0x7D, 0xF5, 0x0C, 0xA1,
+	0xF8, 0x55, 0x5B, 0xE1, 0x4D, 0x32, 0xE1, 0x0F, 0x6E, 0xDC, 0xDE, 0x89, 0x2C, 0x09, 0x42, 0x4B,
+	0x29, 0xF5, 0x97, 0xAF, 0xC2, 0x70, 0xC9, 0x04, 0x55, 0x6B, 0xFC, 0xB4, 0x7A, 0x7D, 0x40, 0x77,
+	0x8D, 0x39, 0x09, 0x23, 0x64, 0x2B, 0x3C, 0xBD, 0x05, 0x79, 0xE6, 0x09, 0x08, 0xD5, 0xA0, 0x00,
+	0xC1, 0xD0, 0x8B, 0x98, 0xEF, 0x93, 0x3F, 0x80, 0x64, 0x45, 0xBF, 0x87, 0xF8, 0xB0, 0x09, 0xBA,
+	0x9E, 0x94, 0xF7, 0x26, 0x61, 0x22, 0xED, 0x7A, 0xC2, 0x4E, 0x5E, 0x26, 0x6C, 0x42, 0xA8, 0x2F,
+	0xA1, 0xBB, 0xEF, 0xB7, 0xB8, 0xDB, 0x00, 0x66, 0xE1, 0x6A, 0x85, 0xE0, 0x49, 0x3F, 0x07, 0xDF,
+	0x48, 0x09, 0xAE, 0xC0, 0x84, 0xA5, 0x93, 0x74, 0x8A, 0xC3, 0xDD, 0xE5, 0xA6, 0xD7, 0xAA, 0xE1,
+	0xE8, 0xB6, 0xE5, 0x35, 0x2B, 0x2D, 0x71, 0xEF, 0xBB, 0x47, 0xD4, 0xCA, 0xEE, 0xD5, 0xE6, 0xD6,
+	0x33, 0x80, 0x5D, 0x2D, 0x32, 0x3E, 0x6F, 0xD8, 0x1B, 0x46, 0x84, 0xB9, 0x3A, 0x26, 0x77, 0xD4,
+	0x5E, 0x74, 0x21, 0xC2, 0xC6, 0xAE, 0xA2, 0x59, 0xB8, 0x55, 0xA6, 0x98, 0xFD, 0x7D, 0x13, 0x47,
+	0x7A, 0x1F, 0xE5, 0x3E, 0x5A, 0x4A, 0x61, 0x97, 0xDB, 0xEC, 0x5C, 0xE9, 0x5F, 0x50, 0x5B, 0x52,
+	0x0B, 0xCD, 0x95, 0x70, 0xC4, 0xA8, 0x26, 0x5A, 0x7E, 0x01, 0xF8, 0x9C, 0x0C, 0x00, 0x2C, 0x59,
+	0xBF, 0xEC, 0x6C, 0xD4, 0xA5, 0xC1, 0x09, 0x25, 0x89, 0x53, 0xEE, 0x5E, 0xE7, 0x0C, 0xD5, 0x77,
+	0xEE, 0x21, 0x7A, 0xF2, 0x1F, 0xA7, 0x01, 0x78, 0xF0, 0x94, 0x6C, 0x9B, 0xF6, 0xCA, 0x87, 0x51,
+	0x79, 0x34, 0x79, 0xF6, 0xB5, 0x37, 0x73, 0x7E, 0x40, 0xB6, 0xED, 0x28, 0x51, 0x1D, 0x8A, 0x2D,
+	0x7E, 0x73, 0xEB, 0x75, 0xF8, 0xDA, 0xAC, 0x91, 0x2F, 0xF9, 0x06, 0xE0, 0xAB, 0x95, 0x5B, 0x08,
+	0x3B, 0xAC, 0x45, 0xA8, 0xE5, 0xE9, 0xB7, 0x44, 0xC8, 0x50, 0x6F, 0x37, 0xE9, 0xB4, 0xE7, 0x49,
+	0xA1, 0x84, 0xB3, 0x0F, 0x43, 0xEB, 0x18, 0x8D, 0x85, 0x5F, 0x1B, 0x70, 0xD7, 0x1F, 0xF3, 0xE5,
+	0x0C, 0x53, 0x7A, 0xC1, 0xB0, 0xF8, 0x97, 0x4F, 0x0F, 0xE1, 0xA6, 0xAD, 0x29, 0x5B, 0xA4, 0x2F,
+	0x6A, 0xEC, 0x74, 0xD1, 0x23, 0xA7, 0xAB, 0xED, 0xDE, 0x6E, 0x2C, 0x07, 0x11, 0xCA, 0xB3, 0x6B,
+	0xE5, 0xAC, 0xB1, 0xA5, 0xA1, 0x1A, 0x4B, 0x1D, 0xB0, 0x8B, 0xA6, 0x98, 0x2E, 0xFC, 0xCD, 0x71,
+	0x69, 0x29, 0xA7, 0x74, 0x1C, 0xFC, 0x63, 0xAA, 0x44, 0x35, 0xE0, 0xB6, 0x9A, 0x90, 0x63, 0xE8,
+	0x80, 0x79, 0x5C, 0x3D, 0xC5, 0xEF, 0x32, 0x72, 0xE1, 0x1C, 0x49, 0x7A, 0x91, 0xAC, 0xF6, 0x99,
+	0xFE, 0xFE, 0xE2, 0x06, 0x22, 0x7A, 0x44, 0xC9, 0xFB, 0x35, 0x9F, 0xD5, 0x6A, 0xC0, 0xA9, 0xA7,
+	0x5A, 0x74, 0x3C, 0xFF, 0x68, 0x62, 0xF1, 0x7D, 0x72, 0x59, 0xAB, 0x07, 0x52, 0x16, 0xC0, 0x69,
+	0x95, 0x11, 0x64, 0x3B, 0x64, 0x39]
+
+const test_200_message_shake256 = [u8(0xCD), 0x8A, 0x92, 0x0E, 0xD1, 0x41, 0xAA, 0x04, 0x07, 0xA2,
+	0x2D, 0x59, 0x28, 0x86, 0x52, 0xE9, 0xD9, 0xF1, 0xA7, 0xEE, 0x0C, 0x1E, 0x7C, 0x1C, 0xA6, 0x99,
+	0x42, 0x4D, 0xA8, 0x4A, 0x90, 0x4D, 0x2D, 0x70, 0x0C, 0xAA, 0xE7, 0x39, 0x6E, 0xCE, 0x96, 0x60,
+	0x44, 0x40, 0x57, 0x7D, 0xA4, 0xF3, 0xAA, 0x22, 0xAE, 0xB8, 0x85, 0x7F, 0x96, 0x1C, 0x4C, 0xD8,
+	0xE0, 0x6F, 0x0A, 0xE6, 0x61, 0x0B, 0x10, 0x48, 0xA7, 0xF6, 0x4E, 0x10, 0x74, 0xCD, 0x62, 0x9E,
+	0x85, 0xAD, 0x75, 0x66, 0x04, 0x8E, 0xFC, 0x4F, 0xB5, 0x00, 0xB4, 0x86, 0xA3, 0x30, 0x9A, 0x8F,
+	0x26, 0x72, 0x4C, 0x0E, 0xD6, 0x28, 0x00, 0x1A, 0x10, 0x99, 0x42, 0x24, 0x68, 0xDE, 0x72, 0x6F,
+	0x10, 0x61, 0xD9, 0x9E, 0xB9, 0xE9, 0x36, 0x04, 0xD5, 0xAA, 0x74, 0x67, 0xD4, 0xB1, 0xBD, 0x64,
+	0x84, 0x58, 0x2A, 0x38, 0x43, 0x17, 0xD7, 0xF4, 0x7D, 0x75, 0x0B, 0x8F, 0x54, 0x99, 0x51, 0x2B,
+	0xB8, 0x5A, 0x22, 0x6C, 0x42, 0x43, 0x55, 0x6E, 0x69, 0x6F, 0x6B, 0xD0, 0x72, 0xC5, 0xAA, 0x2D,
+	0x9B, 0x69, 0x73, 0x02, 0x44, 0xB5, 0x68, 0x53, 0xD1, 0x69, 0x70, 0xAD, 0x81, 0x7E, 0x21, 0x3E,
+	0x47, 0x06, 0x18, 0x17, 0x80, 0x01, 0xC9, 0xFB, 0x56, 0xC5, 0x4F, 0xEF, 0xA5, 0xFE, 0xE6, 0x7D,
+	0x2D, 0xA5, 0x24, 0xBB, 0x3B, 0x0B, 0x61, 0xEF, 0x0E, 0x91, 0x14, 0xA9, 0x2C, 0xDB, 0xB6, 0xCC,
+	0xCB, 0x98, 0x61, 0x5C, 0xFE, 0x76, 0xE3, 0x51, 0x0D, 0xD8, 0x8D, 0x1C, 0xC2, 0x8F, 0xF9, 0x92,
+	0x87, 0x51, 0x2F, 0x24, 0xBF, 0xAF, 0xA1, 0xA7, 0x68, 0x77, 0xB6, 0xF3, 0x71, 0x98, 0xE3, 0xA6,
+	0x41, 0xC6, 0x8A, 0x7C, 0x42, 0xD4, 0x5F, 0xA7, 0xAC, 0xC1, 0x0D, 0xAE, 0x5F, 0x3C, 0xEF, 0xB7,
+	0xB7, 0x35, 0xF1, 0x2D, 0x4E, 0x58, 0x9F, 0x7A, 0x45, 0x6E, 0x78, 0xC0, 0xF5, 0xE4, 0xC4, 0x47,
+	0x1F, 0xFF, 0xA5, 0xE4, 0xFA, 0x05, 0x14, 0xAE, 0x97, 0x4D, 0x8C, 0x26, 0x48, 0x51, 0x3B, 0x5D,
+	0xB4, 0x94, 0xCE, 0xA8, 0x47, 0x15, 0x6D, 0x27, 0x7A, 0xD0, 0xE1, 0x41, 0xC2, 0x4C, 0x78, 0x39,
+	0x06, 0x4C, 0xD0, 0x88, 0x51, 0xBC, 0x2E, 0x7C, 0xA1, 0x09, 0xFD, 0x4E, 0x25, 0x1C, 0x35, 0xBB,
+	0x0A, 0x04, 0xFB, 0x05, 0xB3, 0x64, 0xFF, 0x8C, 0x4D, 0x8B, 0x59, 0xBC, 0x30, 0x3E, 0x25, 0x32,
+	0x8C, 0x09, 0xA8, 0x82, 0xE9, 0x52, 0x51, 0x8E, 0x1A, 0x8A, 0xE0, 0xFF, 0x26, 0x5D, 0x61, 0xC4,
+	0x65, 0x89, 0x69, 0x73, 0xD7, 0x49, 0x04, 0x99, 0xDC, 0x63, 0x9F, 0xB8, 0x50, 0x2B, 0x39, 0x45,
+	0x67, 0x91, 0xB1, 0xB6, 0xEC, 0x5B, 0xCC, 0x5D, 0x9A, 0xC3, 0x6A, 0x6D, 0xF6, 0x22, 0xA0, 0x70,
+	0xD4, 0x3F, 0xED, 0x78, 0x1F, 0x5F, 0x14, 0x9F, 0x7B, 0x62, 0x67, 0x5E, 0x7D, 0x1A, 0x4D, 0x6D,
+	0xEC, 0x48, 0xC1, 0xC7, 0x16, 0x45, 0x86, 0xEA, 0xE0, 0x6A, 0x51, 0x20, 0x8C, 0x0B, 0x79, 0x12,
+	0x44, 0xD3, 0x07, 0x72, 0x65, 0x05, 0xC3, 0xAD, 0x4B, 0x26, 0xB6, 0x82, 0x23, 0x77, 0x25, 0x7A,
+	0xA1, 0x52, 0x03, 0x75, 0x60, 0xA7, 0x39, 0x71, 0x4A, 0x3C, 0xA7, 0x9B, 0xD6, 0x05, 0x54, 0x7C,
+	0x9B, 0x78, 0xDD, 0x1F, 0x59, 0x6F, 0x2D, 0x4F, 0x17, 0x91, 0xBC, 0x68, 0x9A, 0x0E, 0x9B, 0x79,
+	0x9A, 0x37, 0x33, 0x9C, 0x04, 0x27, 0x57, 0x33, 0x74, 0x01, 0x43, 0xEF, 0x5D, 0x2B, 0x58, 0xB9,
+	0x6A, 0x36, 0x3D, 0x4E, 0x08, 0x07, 0x6A, 0x1A, 0x9D, 0x78, 0x46, 0x43, 0x6E, 0x4D, 0xCA, 0x57,
+	0x28, 0xB6, 0xF7, 0x60, 0xEE, 0xF0, 0xCA, 0x92, 0xBF, 0x0B, 0xE5, 0x61, 0x5E, 0x96, 0x95, 0x9D,
+	0x76, 0x71, 0x97, 0xA0, 0xBE, 0xEB]
+
+fn test_200_length_xof() {
+	input := []u8{}
+
+	output_128 := shake128(sha3.input_200, 512)
+	assert output_128 == sha3.test_200_message_shake128
+
+	output_256 := shake256(sha3.input_200, 512)
+	assert output_256 == sha3.test_200_message_shake256
+}