x.crypto.ascon: improve ascon_generic_hash, cleanup (#25288)

blackshirt · web-flow · commit 50d03eb7b93b · 2025-09-13T07:59:16.000+03:00
diff --git a/vlib/x/crypto/ascon/aead128.v b/vlib/x/crypto/ascon/aead128.v
@@ -181,7 +181,7 @@ pub fn (mut c Aead128) encrypt(msg []u8, nonce []u8, ad []u8) ![]u8 {
 	c.State.e4 = n1
 
 	// Update state by permutation
-	ascon_pnr(mut c.State, ascon_prnd_12)
+	ascon_pnr(mut c.State, .ascon_prnd_12)
 	// XOR-ing with the cipher's key
 	c.State.e3 ^= c.key[0]
 	c.State.e4 ^= c.key[1]
@@ -229,7 +229,7 @@ pub fn (mut c Aead128) decrypt(ciphertext []u8, nonce []u8, ad []u8) ![]u8 {
 	c.State.e4 = n1
 
 	// scrambled with permutation routine
-	ascon_pnr(mut c.State, ascon_prnd_12)
+	ascon_pnr(mut c.State, .ascon_prnd_12)
 	// xor-ing with the cipher's key
 	c.State.e3 ^= c.key[0]
 	c.State.e4 ^= c.key[1]
@@ -288,7 +288,7 @@ fn aead128_init(mut s State, key []u8, nonce []u8) (u64, u64) {
 	s.e4 = n1
 
 	// updates State using the permutation 𝐴𝑠𝑐𝑜𝑛-𝑝[12], S ← 𝐴𝑠𝑐𝑜𝑛-𝑝[12](S)
-	ascon_pnr(mut s, ascon_prnd_12)
+	ascon_pnr(mut s, .ascon_prnd_12)
 
 	// Then XORing the secret key 𝐾 into the last 128 bits of internal state:
 	// S ← S ⊕ (0¹⁹² ∥ 𝐾).
@@ -312,7 +312,7 @@ fn aead128_process_ad(mut s State, ad []u8) {
 			s.e1 ^= binary.little_endian_u64(block[8..16])
 
 			// Apply permutation 𝐴𝑠𝑐𝑜𝑛-𝑝[8] to the state
-			ascon_pnr(mut s, ascon_prnd_8)
+			ascon_pnr(mut s, .ascon_prnd_8)
 			// Updates index
 			ad_length -= aead128_block_size
 			ad_idx += aead128_block_size
@@ -339,7 +339,7 @@ fn aead128_process_ad(mut s State, ad []u8) {
 			}
 		}
 		// Apply permutation 𝐴𝑠𝑐𝑜𝑛-𝑝[8] to the state
-		ascon_pnr(mut s, ascon_prnd_8)
+		ascon_pnr(mut s, .ascon_prnd_8)
 	}
 	// The final step of processing associated data is to update the state
 	// with a constant that provides domain separation.
@@ -361,7 +361,7 @@ fn aead128_process_msg(mut out []u8, mut s State, msg []u8) int {
 		binary.little_endian_put_u64(mut out[pos..pos + 8], s.e0)
 		binary.little_endian_put_u64(mut out[pos + 8..], s.e1)
 		// apply permutation
-		ascon_pnr(mut s, ascon_prnd_8)
+		ascon_pnr(mut s, .ascon_prnd_8)
 
 		// updates index
 		mlen -= aead128_block_size
@@ -413,7 +413,7 @@ fn aead128_partial_dec(mut out []u8, mut s State, cmsg []u8) {
 		s.e0 = c0
 		s.e1 = c1
 
-		ascon_pnr(mut s, ascon_prnd_8)
+		ascon_pnr(mut s, .ascon_prnd_8)
 		// updates index
 		pos += aead128_block_size
 		cmsg_len -= aead128_block_size
@@ -448,7 +448,7 @@ fn aead128_finalize(mut s State, k0 u64, k1 u64) {
 	s.e2 ^= k0
 	s.e3 ^= k1
 	// then updated using the permutation 𝐴𝑠𝑐𝑜𝑛-𝑝[12]
-	ascon_pnr(mut s, ascon_prnd_12)
+	ascon_pnr(mut s, .ascon_prnd_12)
 
 	// Finally, the tag 𝑇 is generated by XORing the key with the last 128 bits of the state:
 	// 𝑇 ← 𝑆[192∶319] ⊕ 𝐾.
diff --git a/vlib/x/crypto/ascon/ascon.v b/vlib/x/crypto/ascon/ascon.v
@@ -11,8 +11,11 @@ module ascon
 const max_nr_perm = 16
 
 // The number how many round(s) for the Ascon permutation routine called.
-const ascon_prnd_8 = 8
-const ascon_prnd_12 = 12
+enum PrndEnum {
+	ascon_prnd_6  = 6
+	ascon_prnd_8  = 8
+	ascon_prnd_12 = 12
+}
 
 // The constants to derive round constants of the Ascon permutations
 // See Table 5. of NIST SP 800-232 docs
@@ -36,16 +39,12 @@ const rnc = [u8(0x3c), 0x2d, 0x1e, 0x0f, 0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x9
 // 2. the substitution layer (see Sec.3.3), and,
 // 3. the linear diffusion layer (Sec 3.4)
 @[direct_array_access]
-fn ascon_pnr(mut s State, nr int) {
-	// We dont allow nr == 0
-	if nr < 1 || nr > 16 {
-		panic('Invalid round number')
-	}
+fn ascon_pnr(mut s State, nr PrndEnum) {
 	// Allocate temporary vars to reduce allocation within loop
 	mut x0 := u64(0)
 	mut y0 := u64(0)
 	// Ascon permutation routine
-	for i := max_nr_perm - nr; i < max_nr_perm; i++ {
+	for i := max_nr_perm - int(nr); i < max_nr_perm; i++ {
 		// 3.2 Constant-Addition Layer step
 		//
 		// The constant-addition layer adds a 64-bit round constant 𝑐𝑖
@@ -59,16 +58,10 @@ fn ascon_pnr(mut s State, nr int) {
 		s.e0 ^= s.e4
 		s.e4 ^= s.e3
 		s.e2 ^= s.e1
+
 		// Set temp vars to values
 		x0 = s.e0
 		y0 = s.e4 ^ (~s.e0 & s.e1)
-		/*
-		t0 := s.e4 ^ (~s.e0 & s.e1)
-		t1 := s.e0 ^ (~s.e1 & s.e2)
-		t2 := s.e1 ^ (~s.e2 & s.e3)
-		t3 := s.e2 ^ (~s.e3 & s.e4)
-		t4 := s.e3 ^ (~s.e4 & s.e0)
-		*/
 
 		s.e0 = s.e0 ^ (~s.e1 & s.e2) // t1
 		s.e1 = s.e1 ^ (~s.e2 & s.e3) // t2
@@ -97,11 +90,11 @@ fn ascon_pnr(mut s State, nr int) {
 		// Bits right rotation, basically can be defined as:
 		// 		ror = (x >> n) | x << (64 - n) for some u64 x
 		//
-		s.e0 ^= (s.e0 >> 19 | (s.e0 << (64 - 19))) ^ (s.e0 >> 28 | (s.e0 << (64 - 28)))
-		s.e1 ^= (s.e1 >> 61 | (s.e1 << (64 - 61))) ^ (s.e1 >> 39 | (s.e1 << (64 - 39)))
-		s.e2 ^= (s.e2 >> 1 | (s.e2 << (64 - 1))) ^ (s.e2 >> 6 | (s.e2 << (64 - 6))) // 	
-		s.e3 ^= (s.e3 >> 10 | (s.e3 << (64 - 10))) ^ (s.e3 >> 17 | (s.e3 << (64 - 17)))
-		s.e4 ^= (s.e4 >> 7 | (s.e4 << (64 - 7))) ^ (s.e4 >> 41 | (s.e4 << (64 - 41)))
+		s.e0 ^= (s.e0 >> 19 | s.e0 << 45) ^ (s.e0 >> 28 | s.e0 << 36)
+		s.e1 ^= (s.e1 >> 61 | s.e1 << 3) ^ (s.e1 >> 39 | s.e1 << 25)
+		s.e2 ^= (s.e2 >> 1 | s.e2 << 63) ^ (s.e2 >> 6 | s.e2 << 58)
+		s.e3 ^= (s.e3 >> 10 | s.e3 << 54) ^ (s.e3 >> 17 | s.e3 << 47)
+		s.e4 ^= (s.e4 >> 7 | s.e4 << 57) ^ (s.e4 >> 41 | s.e4 << 23)
 	}
 }
 
diff --git a/vlib/x/crypto/ascon/ascon_test.v b/vlib/x/crypto/ascon/ascon_test.v
@@ -13,7 +13,7 @@ fn test_ascon_round_p6() {
 		e3: 0xabcdef0123456789
 		e4: 0x89abcdef01234567
 	}
-	ascon_pnr(mut s, 6)
+	ascon_pnr(mut s, .ascon_prnd_6)
 	assert s.e0 == u64(0xc27b505c635eb07f)
 	assert s.e1 == u64(0xd388f5d2a72046fa)
 	assert s.e2 == u64(0x9e415c204d7b15e7)
@@ -29,7 +29,7 @@ fn test_ascon_round_p8() {
 		e3: 0xabcdef0123456789
 		e4: 0x89abcdef01234567
 	}
-	ascon_pnr(mut s, 8)
+	ascon_pnr(mut s, .ascon_prnd_8)
 	assert s.e0 == u64(0x67ed228272f46eee)
 	assert s.e1 == u64(0x80bc0b097aad7944)
 	assert s.e2 == u64(0x2fa599382c6db215)
@@ -45,7 +45,7 @@ fn test_ascon_round_p12() {
 		e3: 0xabcdef0123456789
 		e4: 0x89abcdef01234567
 	}
-	ascon_pnr(mut s, 12)
+	ascon_pnr(mut s, .ascon_prnd_12)
 	assert s.e0 == u64(0x206416dfc624bb14)
 	assert s.e1 == u64(0x1b0c47a601058aab)
 	assert s.e2 == u64(0x8934cfc93814cddd)
diff --git a/vlib/x/crypto/ascon/digest.v b/vlib/x/crypto/ascon/digest.v
@@ -33,7 +33,7 @@ fn (mut d Digest) finish() {
 	d.State.e0 ^= load_bytes(d.buf[..d.length], d.length)
 
 	// Permutation step was done in squeezing-phase
-	// ascon_pnr(mut d.State, ascon_prnd_12)
+	// ascon_pnr(mut d.State, .ascon_prnd_12)
 
 	// zeroing Digest buffer
 	d.length = 0
@@ -70,7 +70,7 @@ fn (mut d Digest) absorb(msg_ []u8) int {
 				// If this d.buf length has reached block_size bytes, absorb it.
 				if d.length == block_size {
 					d.State.e0 ^= binary.little_endian_u64(d.buf)
-					ascon_pnr(mut d.State, ascon_prnd_12)
+					ascon_pnr(mut d.State, .ascon_prnd_12)
 					// reset the internal buffer
 					d.length = 0
 					d.buf.reset()
@@ -87,7 +87,7 @@ fn (mut d Digest) absorb(msg_ []u8) int {
 		for msg.len >= block_size {
 			d.State.e0 ^= binary.little_endian_u64(msg[0..block_size])
 			msg = msg[block_size..]
-			ascon_pnr(mut d.State, ascon_prnd_12)
+			ascon_pnr(mut d.State, .ascon_prnd_12)
 		}
 		// If there are partial block, just stored into buffer.
 		if msg.len > 0 {
@@ -113,14 +113,14 @@ fn (mut d Digest) squeeze(mut dst []u8) int {
 	}
 	// The squeezing phase begins after msg is absorbed with an
 	// permutation 𝐴𝑠𝑐𝑜𝑛-𝑝[12] to the state:
-	ascon_pnr(mut d.State, ascon_prnd_12)
+	ascon_pnr(mut d.State, .ascon_prnd_12)
 
 	mut pos := 0
 	mut clen := dst.len
 	// process for full block size
 	for clen >= block_size {
 		binary.little_endian_put_u64(mut dst[pos..pos + 8], d.State.e0)
-		ascon_pnr(mut d.State, ascon_prnd_12)
+		ascon_pnr(mut d.State, .ascon_prnd_12)
 		pos += block_size
 		clen -= block_size
 	}
@@ -144,10 +144,11 @@ fn ascon_generic_hash(mut s State, msg []u8, size int) []u8 {
 	if _likely_(msg.len > 0) {
 		mut msg_len := msg.len
 		for msg_len >= block_size {
-			s.e0 ^= binary.little_endian_u64(msg[pos..pos + block_size])
+			block := unsafe { msg[pos..pos + block_size] }
+			s.e0 ^= binary.little_endian_u64(block)
 			pos += block_size
 			msg_len -= block_size
-			ascon_pnr(mut s, ascon_prnd_12)
+			ascon_pnr(mut s, .ascon_prnd_12)
 		}
 		// Absorb the last partial message block
 		last_block := unsafe { msg[pos..] }
@@ -166,12 +167,12 @@ fn ascon_generic_hash(mut s State, msg []u8, size int) []u8 {
 	//
 	// The squeezing phase begins after msg is absorbed with an
 	// permutation 𝐴𝑠𝑐𝑜𝑛-𝑝[12] to the state:
-	ascon_pnr(mut s, ascon_prnd_12)
+	ascon_pnr(mut s, .ascon_prnd_12)
 	mut out := []u8{len: size}
 	mut clen := out.len
 	for clen >= block_size {
 		binary.little_endian_put_u64(mut out[pos..pos + 8], s.e0)
-		ascon_pnr(mut s, ascon_prnd_12)
+		ascon_pnr(mut s, .ascon_prnd_12)
 		pos += block_size
 		clen -= block_size
 	}
diff --git a/vlib/x/crypto/ascon/xof.v b/vlib/x/crypto/ascon/xof.v
@@ -300,15 +300,15 @@ pub fn (mut x CXof128) free() {
 fn cxof128_absorb_custom_string(mut s State, cs []u8) {
 	// absorb Z0, the length of the customization string (in bits) encoded as a u64
 	s.e0 ^= u64(cs.len) << 3
-	ascon_pnr(mut s, ascon_prnd_12)
+	ascon_pnr(mut s, .ascon_prnd_12)
 
 	// absorb the customization string
 	mut zlen := cs.len
 	mut zidx := 0
 	for zlen >= block_size {
 		block := unsafe { cs[zidx..zidx + block_size] }
 		s.e0 ^= binary.little_endian_u64(block)
-		ascon_pnr(mut s, ascon_prnd_12)
+		ascon_pnr(mut s, .ascon_prnd_12)
 
 		// updates a index
 		zlen -= block_size
@@ -318,5 +318,5 @@ fn cxof128_absorb_custom_string(mut s State, cs []u8) {
 	last_block := unsafe { cs[zidx..] }
 	s.e0 ^= load_bytes(last_block, last_block.len)
 	s.e0 ^= pad(last_block.len)
-	ascon_pnr(mut s, ascon_prnd_12)
+	ascon_pnr(mut s, .ascon_prnd_12)
 }
