Refactoring SHA3: based on new permutation keccak-fips

[falko-strenzke]

This PR is needed as a prerequisite of #3570.

[coveralls]

coverage: 91.717% (+0.005%) from 91.712% when pulling 85b70ed on falko-strenzke:refact-sha3 into dfe1714 on randombit:master.

[reneme]

As a sanity check I used this refactoring as the foundation for the new XOF interface (#3671). In general that seems to work nicely. Though, I'm wondering whether we should make the Keccak_FIPS implementation more generic. Most notably to allow multiple (unaligned) calls to expand(). The logic for that already exists in SHAKE_XOF::generate_bytes(). But centralizing it here, would benefit other users of Keccak_FIPS.

Unfortunately, I didn't manage to finish a thorough review today. Will look deeper into it tomorrow.

In the meantime: @randombit, could you please skim this and give feedback on the general direction of this refactoring?

I didn't manage to finish the review this morning.

[randombit]

Yeah this seems basically fine.

I'd suggest keccak_perm as the module name since keccak_fips doesn't really capture what the module is doing.

[reneme]

@falko-strenzke I'm currently working at restructuring this even further (fully removing the static functions and encapsulating the Keccak state fully). It's fairly convenient to do that in the context of the XOF implementation. I'll post a patch later, so that we can discuss. Just wanting to make sure that we don't step on each other's toes.

[reneme]

I'll post a patch later, so that we can discuss.

#3675 contains two extra patches on top of this work. One adds some convenience functions to the internal BufferSlicer and BufferStuffer helpers. The other smoothens out the edges on the Keccak refactoring and addresses the comments in this PR. Details can be found in the description of #3675.

@falko-strenzke, I hope you'll excuse me for having taken this PR over like that. I suggest that you take my patches, squash the changes as you see fit and update this PR for merging. #3675 can then be closed.

[falko-strenzke]

Yeah this seems basically fine.

I'd suggest keccak_perm as the module name since keccak_fips doesn't really capture what the module is doing.

Done.

[falko-strenzke]

@randombit now @reneme and me agree that this combined PR of ours is ready for final review

[randombit]

This looks fine, thanks.

One request before merge: please benchmark the various operations to make sure we're not introducing any major performance regression. Especially I would be concerned about Kyber as it seems very sensitive to the XOF performance.

[reneme]

	SHA-3(256)	SHA-3(512)
this pull request	436MiB/sec	221MiB/sec
latest master	426MiB/sec	227MiB/sec

... measured as the average of three runs of ./botan speed --msec=2000 "algoname". 11th Gen Intel(R) Core(TM) i7-11850H @ 2.50GHz 2.50 GHz on Windows inside a WSL2 VM.

SHA-3 is very much biased towards absorb(). I've added a benchmark for the SHAKE XOF in #3671 (comment).

[falko-strenzke]

SHA-3(256) SHA-3(512)
this pull request 436MiB/sec 221MiB/sec
latest master 426MiB/sec 227MiB/sec

... measured as the average of three runs of ./botan speed --msec=2000 "algoname"

SHA-3 is very much biased towards absorb(). I've added a benchmark for the SHAKE XOF in #3671 (comment).

I also observe a performance loss for ./botan speed --msec=2000 "SHA-3(256)", but it is in the domain of 1%, which is much less than what @reneme sees (about 3%).

	SHA-3(256)
this pull request	389 MiB/sec
master	392 MiB/sec

It is also based on the average of 3 measurements, plattform Intel(R) Core(TM) i7-1065G7 CPU,

@reneme @randombit Is this worth exploring in more detail?

[reneme]

Is this worth exploring in more detail?

I feel this deviation is within the tolerance of the measurement accuracy of this benchmark tool.

[randombit]

I feel this deviation is within the tolerance of the measurement accuracy of this benchmark tool.

Agree. I would be concerned about anything >10%, numbers here seem ok