Sync with updated version from PQClean

docs/algorithms/sig_sphincs.md

@@ -46,7 +46,7 @@ Implementation
 --------------
 
 - **Source of implementation:** https://github.com/PQClean/PQClean
-- **Implementation version:** https://github.com/PQClean/PQClean/commit/4f19ea25d04ac89d4aa140509ff251a9ca95c006
+- **Implementation version:** https://github.com/PQClean/PQClean/commit/83c974e45b7ddca7832c8c6edd895e7d26d03351
 - **License:** CC0 1.0 Universal
 - **Language:** C
 - **Constant-time:** Yes

src/sig/sphincs/pqclean_sphincs-haraka-128f-robust_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-128f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-128f-simple_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-128f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-128s-robust_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-128s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-128s-simple_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-128s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-192f-robust_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-192f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-192f-simple_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-192f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-192s-robust_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-192s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-192s-simple_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-192s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-256f-robust_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-256f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-256f-simple_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-256f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-256s-robust_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-256s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-haraka-256s-simple_clean/hash_haraka.c

@@ -72,7 +72,7 @@ void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_hash_message(
 
     PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
     PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, SPX_N, hash_state_seeded);
-    PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk, SPX_PK_BYTES, hash_state_seeded);
+    PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + SPX_N, SPX_N, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
     PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
     PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, SPX_DGST_BYTES, s_inc, hash_state_seeded);

src/sig/sphincs/pqclean_sphincs-haraka-256s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "haraka.h"
 #define hash_state harakactx

src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-128f-robust_clean/thash_sha256_robust.c

@@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_thash(
     PQCLEAN_SPHINCSSHA256128FROBUST_CLEAN_mgf1(bitmask, inblocks * SPX_N, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     for (i = 0; i < inblocks * SPX_N; i++) {
         buf[SPX_N + SPX_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-128f-simple_clean/thash_sha256_simple.c

@@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_thash(
     (void)pub_seed; /* Suppress an 'unused parameter' warning. */
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     PQCLEAN_SPHINCSSHA256128FSIMPLE_CLEAN_compress_address(buf, addr);
     memcpy(buf + SPX_SHA256_ADDR_BYTES, in, inblocks * SPX_N);

src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-128s-robust_clean/thash_sha256_robust.c

@@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_thash(
     PQCLEAN_SPHINCSSHA256128SROBUST_CLEAN_mgf1(bitmask, inblocks * SPX_N, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     for (i = 0; i < inblocks * SPX_N; i++) {
         buf[SPX_N + SPX_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-128s-simple_clean/thash_sha256_simple.c

@@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_thash(
     (void)pub_seed; /* Suppress an 'unused parameter' warning. */
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     PQCLEAN_SPHINCSSHA256128SSIMPLE_CLEAN_compress_address(buf, addr);
     memcpy(buf + SPX_SHA256_ADDR_BYTES, in, inblocks * SPX_N);

src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-192f-robust_clean/thash_sha256_robust.c

@@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_thash(
     PQCLEAN_SPHINCSSHA256192FROBUST_CLEAN_mgf1(bitmask, inblocks * SPX_N, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     for (i = 0; i < inblocks * SPX_N; i++) {
         buf[SPX_N + SPX_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-192f-simple_clean/thash_sha256_simple.c

@@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_thash(
     (void)pub_seed; /* Suppress an 'unused parameter' warning. */
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     PQCLEAN_SPHINCSSHA256192FSIMPLE_CLEAN_compress_address(buf, addr);
     memcpy(buf + SPX_SHA256_ADDR_BYTES, in, inblocks * SPX_N);

src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-192s-robust_clean/thash_sha256_robust.c

@@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_thash(
     PQCLEAN_SPHINCSSHA256192SROBUST_CLEAN_mgf1(bitmask, inblocks * SPX_N, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     for (i = 0; i < inblocks * SPX_N; i++) {
         buf[SPX_N + SPX_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-192s-simple_clean/thash_sha256_simple.c

@@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_thash(
     (void)pub_seed; /* Suppress an 'unused parameter' warning. */
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     PQCLEAN_SPHINCSSHA256192SSIMPLE_CLEAN_compress_address(buf, addr);
     memcpy(buf + SPX_SHA256_ADDR_BYTES, in, inblocks * SPX_N);

src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-256f-robust_clean/thash_sha256_robust.c

@@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_thash(
     PQCLEAN_SPHINCSSHA256256FROBUST_CLEAN_mgf1(bitmask, inblocks * SPX_N, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     for (i = 0; i < inblocks * SPX_N; i++) {
         buf[SPX_N + SPX_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-256f-simple_clean/thash_sha256_simple.c

@@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_thash(
     (void)pub_seed; /* Suppress an 'unused parameter' warning. */
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     PQCLEAN_SPHINCSSHA256256FSIMPLE_CLEAN_compress_address(buf, addr);
     memcpy(buf + SPX_SHA256_ADDR_BYTES, in, inblocks * SPX_N);

src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-256s-robust_clean/thash_sha256_robust.c

@@ -28,7 +28,7 @@ static void PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_thash(
     PQCLEAN_SPHINCSSHA256256SROBUST_CLEAN_mgf1(bitmask, inblocks * SPX_N, buf, SPX_N + SPX_SHA256_ADDR_BYTES);
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     for (i = 0; i < inblocks * SPX_N; i++) {
         buf[SPX_N + SPX_SHA256_ADDR_BYTES + i] = in[i] ^ bitmask[i];

src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 #include "sha2.h"
 #define hash_state sha256ctx

src/sig/sphincs/pqclean_sphincs-sha256-256s-simple_clean/thash_sha256_simple.c

@@ -23,7 +23,7 @@ static void PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_thash(
     (void)pub_seed; /* Suppress an 'unused parameter' warning. */
 
     /* Retrieve precomputed state containing pub_seed */
-    sha256_inc_dupe_state(&sha2_state, hash_state_seeded);
+    sha256_inc_clone_state(&sha2_state, hash_state_seeded);
 
     PQCLEAN_SPHINCSSHA256256SSIMPLE_CLEAN_compress_address(buf, addr);
     memcpy(buf + SPX_SHA256_ADDR_BYTES, in, inblocks * SPX_N);

src/sig/sphincs/pqclean_sphincs-shake256-128f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-128f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-128s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-128s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-192f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-192f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-192s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-192s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-256f-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-256f-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-256s-robust_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int

src/sig/sphincs/pqclean_sphincs-shake256-256s-simple_clean/hash_state.h

@@ -1,5 +1,26 @@
-#ifndef SPX_PRIMITIVE_H
-#define SPX_PRIMITIVE_H
+#ifndef SPX_HASH_STATE_H
+#define SPX_HASH_STATE_H
+
+/**
+ * Defines the type of the hash function state.
+ *
+ * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
+ *
+ * From Section 7.2.2 from the SPHINCS+ round-2 specification:
+ *
+ * Each of the instances of the tweakable hash function take PK.seed as its
+ * first input, which is constant for a given key pair – and, thus, across
+ * a single signature. This leads to a lot of redundant computation. To remedy
+ * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
+ * Because of the Merkle-Damgård construction that underlies SHA-256, this
+ * allows for reuse of the intermediate SHA-256 state after the initial call to
+ * the compression function which improves performance.
+ *
+ * SHAKE256 does not need this state. Because this implementation is generated
+ * from a shared code base, we still need to specify some hash_state as it is
+ * still passed around. We chose to use an `int` as a placeholder for this
+ * purpose.
+ */
 
 
 #define hash_state int