Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8320192

SHAKE256 does not work correctly if n >= 137

    XMLWordPrintable

Details

    • b25
    • Verified

    Description

      The internal SHAKE256 class fails the NIST CAVP test when n reaches 137. The following program succeeds in the 1st check but fails the 2nd one.

      import sun.security.provider.SHAKE256;

      import java.util.Arrays;
      import java.util.HexFormat;

      public class A2 {
          public static void main(String[] args) throws Exception {
              //https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/sha3/shakebytetestvectors.zip
              //SHAKE256VariableOut.rsp:
              //3380: COUNT = 674
              //3381: Outputlen = 1088
              //3382: Msg = 6ae23f058f0f2264a18cd609acc26dd4dbc00f5c3ee9e13ecaea2bb5a2f0bb6b
              //3383: Output = b9b92544fb25cfe4ec6fe437d8da2bbe00f7bdaface3de97b8775a44d753c3adca3f7c6f183cc8647e229070439aa9539ae1f8f13470c9d3527fffdeef6c94f9f0520ff0c1ba8b16e16014e1af43ac6d94cb7929188cce9d7b02f81a2746f52ba16988e5f6d93298d778dfe05ea0ef256ae3728643ce3e29c794a0370e9ca6a8bf3e7a41e8677067
              //3384:
              //3385: COUNT = 675
              //3386: Outputlen = 1096
              //3387: Msg = 8d8001e2c096f1b88e7c9224a086efd4797fbf74a8033a2d422a2b6b8f6747e4
              //3388: Output = 2e975f6a8a14f0704d51b13667d8195c219f71e6345696c49fa4b9d08e9225d3d39393425152c97e71dd24601c11abcfa0f12f53c680bd3ae757b8134a9c10d429615869217fdd5885c4db174985703a6d6de94a667eac3023443a8337ae1bc601b76d7d38ec3c34463105f0d3949d78e562a039e4469548b609395de5a4fd43c46ca9fd6ee29ada5e
              var s = new SHAKE256(1088/8);
              var msg = HexFormat.of().parseHex("6ae23f058f0f2264a18cd609acc26dd4dbc00f5c3ee9e13ecaea2bb5a2f0bb6b");
              var output = HexFormat.of().parseHex("b9b92544fb25cfe4ec6fe437d8da2bbe00f7bdaface3de97b8775a44d753c3adca3f7c6f183cc8647e229070439aa9539ae1f8f13470c9d3527fffdeef6c94f9f0520ff0c1ba8b16e16014e1af43ac6d94cb7929188cce9d7b02f81a2746f52ba16988e5f6d93298d778dfe05ea0ef256ae3728643ce3e29c794a0370e9ca6a8bf3e7a41e8677067");
              s.update(msg, 0, msg.length);
              if (!Arrays.equals(s.digest(), output)) {
                  throw new RuntimeException();
              }
              s = new SHAKE256(1096/8);
              msg = HexFormat.of().parseHex("8d8001e2c096f1b88e7c9224a086efd4797fbf74a8033a2d422a2b6b8f6747e4");
              output = HexFormat.of().parseHex("2e975f6a8a14f0704d51b13667d8195c219f71e6345696c49fa4b9d08e9225d3d39393425152c97e71dd24601c11abcfa0f12f53c680bd3ae757b8134a9c10d429615869217fdd5885c4db174985703a6d6de94a667eac3023443a8337ae1bc601b76d7d38ec3c34463105f0d3949d78e562a039e4469548b609395de5a4fd43c46ca9fd6ee29ada5e");
              s.update(msg, 0, msg.length);
              if (!Arrays.equals(s.digest(), output)) {
                  throw new RuntimeException();
              }
          }
      }

      BTW, when n > 200, the state buffer in SHA3.java does not have enough bytes and the last line of implDigest() throws an exception. It probably needs to squeeze multiple times to fullfill the output.

      Attachments

        Issue Links

          Activity

            People

              weijun Weijun Wang
              weijun Weijun Wang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: