Migrate to closure-based keccak (#796)

newpavlov · web-flow · commit 702bcd83735a · 2026-03-06T16:58:23.000+03:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -34,3 +34,5 @@ opt-level = 2
 sha1 = { path = "sha1" }
 sha3 = { path = "sha3" }
 whirlpool = { path = "whirlpool" }
+
+keccak = { git = "https://github.com/RustCrypto/sponges" }
diff --git a/sha3/src/block_api.rs b/sha3/src/block_api.rs
@@ -1,4 +1,3 @@
-use crate::{DEFAULT_ROUND_COUNT, PLEN};
 use core::{fmt, marker::PhantomData};
 use digest::{
     HashMarker, Output,
@@ -11,22 +10,19 @@ use digest::{
     common::hazmat::{DeserializeStateError, SerializableState, SerializedState},
     typenum::{IsLessOrEqual, True, U0, U200},
 };
-use keccak::KeccakP1600;
+use keccak::{F1600_ROUNDS, Keccak, State1600};
 
 pub use crate::cshake::{CShake128Core, CShake256Core};
 
 /// Core Sha3 fixed output hasher state.
 #[derive(Clone)]
-pub struct Sha3HasherCore<
-    Rate,
-    OutputSize,
-    const PAD: u8,
-    const ROUNDS: usize = DEFAULT_ROUND_COUNT,
-> where
+pub struct Sha3HasherCore<Rate, OutputSize, const PAD: u8, const ROUNDS: usize = F1600_ROUNDS>
+where
     Rate: BlockSizes + IsLessOrEqual<U200, Output = True>,
     OutputSize: ArraySize + IsLessOrEqual<U200, Output = True>,
 {
-    state: KeccakP1600,
+    state: State1600,
+    keccak: Keccak,
     _pd: PhantomData<(Rate, OutputSize)>,
 }
 
@@ -73,10 +69,12 @@ where
 {
     #[inline]
     fn update_blocks(&mut self, blocks: &[Block<Self>]) {
-        for block in blocks {
-            xor_block(self.state.as_mut(), block);
-            self.state.p1600(ROUNDS);
-        }
+        self.keccak.with_p1600::<ROUNDS>(|p1600| {
+            for block in blocks {
+                xor_block(&mut self.state, block);
+                p1600(&mut self.state);
+            }
+        });
     }
 }
 
@@ -94,12 +92,14 @@ where
         let n = block.len();
         block[n - 1] |= 0x80;
 
-        xor_block(self.state.as_mut(), &block);
-        self.state.p1600(ROUNDS);
+        self.keccak.with_p1600::<ROUNDS>(|p1600| {
+            xor_block(&mut self.state, &block);
+            p1600(&mut self.state);
 
-        for (o, s) in out.chunks_mut(8).zip(self.state.as_mut().iter()) {
-            o.copy_from_slice(&s.to_le_bytes()[..o.len()]);
-        }
+            for (o, s) in out.chunks_mut(8).zip(self.state.as_mut().iter()) {
+                o.copy_from_slice(&s.to_le_bytes()[..o.len()]);
+            }
+        });
     }
 }
 
@@ -118,10 +118,12 @@ where
         let n = block.len();
         block[n - 1] |= 0x80;
 
-        xor_block(self.state.as_mut(), &block);
-        self.state.p1600(ROUNDS);
+        self.keccak.with_p1600::<ROUNDS>(|p1600| {
+            xor_block(&mut self.state, &block);
+            p1600(&mut self.state);
+        });
 
-        Sha3ReaderCore::new(self.state.as_ref())
+        Sha3ReaderCore::new(&self.state, self.keccak)
     }
 }
 
@@ -135,6 +137,7 @@ where
     fn default() -> Self {
         Self {
             state: Default::default(),
+            keccak: Keccak::new(),
             _pd: PhantomData,
         }
     }
@@ -219,38 +222,38 @@ where
     fn deserialize(
         serialized_state: &SerializedState<Self>,
     ) -> Result<Self, DeserializeStateError> {
-        let mut state = [0; PLEN];
+        let mut state = State1600::default();
         let chunks = serialized_state.chunks_exact(8);
         for (val, chunk) in state.iter_mut().zip(chunks) {
             *val = u64::from_le_bytes(chunk.try_into().unwrap());
         }
 
         Ok(Self {
-            state: KeccakP1600::from(state),
+            state,
+            keccak: Keccak::new(),
             _pd: PhantomData,
         })
     }
 }
 
 /// Core Sha3 XOF reader.
 #[derive(Clone)]
-pub struct Sha3ReaderCore<Rate, const ROUNDS: usize = DEFAULT_ROUND_COUNT>
+pub struct Sha3ReaderCore<Rate, const ROUNDS: usize = F1600_ROUNDS>
 where
     Rate: BlockSizes + IsLessOrEqual<U200, Output = True>,
 {
-    state: [u64; PLEN],
+    state: State1600,
+    keccak: Keccak,
     _pd: PhantomData<Rate>,
 }
 
 impl<Rate, const ROUNDS: usize> Sha3ReaderCore<Rate, ROUNDS>
 where
     Rate: BlockSizes + IsLessOrEqual<U200, Output = True>,
 {
-    pub(crate) fn new(state: &[u64; PLEN]) -> Self {
-        Self {
-            state: *state,
-            _pd: PhantomData,
-        }
+    pub(crate) fn new(&state: &State1600, keccak: Keccak) -> Self {
+        let _pd = PhantomData;
+        Self { state, keccak, _pd }
     }
 }
 
@@ -271,7 +274,8 @@ where
         for (src, dst) in self.state.iter().zip(block.chunks_mut(8)) {
             dst.copy_from_slice(&src.to_le_bytes()[..dst.len()]);
         }
-        keccak::p1600(&mut self.state, ROUNDS);
+        self.keccak
+            .with_p1600::<ROUNDS>(|p1600| p1600(&mut self.state));
         block
     }
 }
@@ -304,8 +308,8 @@ impl<Rate, const ROUNDS: usize> digest::zeroize::ZeroizeOnDrop for Sha3ReaderCor
 {
 }
 
-pub(crate) fn xor_block(state: &mut [u64; PLEN], block: &[u8]) {
-    assert!(block.len() < 8 * PLEN);
+pub(crate) fn xor_block(state: &mut State1600, block: &[u8]) {
+    assert!(size_of_val(block) < size_of_val(state));
 
     let mut chunks = block.chunks_exact(8);
     for (s, chunk) in state.iter_mut().zip(&mut chunks) {
diff --git a/sha3/src/cshake.rs b/sha3/src/cshake.rs
@@ -1,7 +1,4 @@
-use crate::{
-    CSHAKE_PAD, DEFAULT_ROUND_COUNT as ROUNDS, PLEN, SHAKE_PAD, Sha3ReaderCore,
-    block_api::xor_block,
-};
+use crate::{CSHAKE_PAD, SHAKE_PAD, Sha3ReaderCore, block_api::xor_block};
 use core::fmt;
 use digest::{
     CollisionResistance, CustomizedInit, HashMarker, Reset,
@@ -13,6 +10,7 @@ use digest::{
     consts::{U16, U32, U136, U168, U400},
     typenum::Unsigned,
 };
+use keccak::{F1600_ROUNDS as ROUNDS, Keccak, State1600};
 
 macro_rules! impl_cshake {
     (
@@ -22,8 +20,9 @@ macro_rules! impl_cshake {
         #[doc = " core hasher."]
         #[derive(Clone, Default)]
         pub struct $name {
-            state: [u64; PLEN],
-            initial_state: [u64; PLEN],
+            state: State1600,
+            initial_state: State1600,
+            keccak: Keccak,
         }
 
         impl $name {
@@ -87,10 +86,12 @@ macro_rules! impl_cshake {
         impl UpdateCore for $name {
             #[inline]
             fn update_blocks(&mut self, blocks: &[Block<Self>]) {
-                for block in blocks {
-                    xor_block(&mut self.state, block);
-                    keccak::p1600(&mut self.state, ROUNDS);
-                }
+                self.keccak.with_p1600::<ROUNDS>(|p1600| {
+                    for block in blocks {
+                        xor_block(&mut self.state, block);
+                        p1600(&mut self.state);
+                    }
+                })
             }
         }
 
@@ -101,7 +102,7 @@ macro_rules! impl_cshake {
             fn finalize_xof_core(&mut self, buffer: &mut Buffer<Self>) -> Self::ReaderCore {
                 let pos = buffer.get_pos();
                 let mut block = buffer.pad_with_zeros();
-                let pad = if self.initial_state == [0; PLEN] {
+                let pad = if self.initial_state == State1600::default() {
                     SHAKE_PAD
                 } else {
                     CSHAKE_PAD
@@ -110,10 +111,12 @@ macro_rules! impl_cshake {
                 let n = block.len();
                 block[n - 1] |= 0x80;
 
-                xor_block(&mut self.state, &block);
-                keccak::p1600(&mut self.state, ROUNDS);
+                self.keccak.with_p1600::<ROUNDS>(|p1600| {
+                    xor_block(&mut self.state, &block);
+                    p1600(&mut self.state);
+                });
 
-                Sha3ReaderCore::new(&self.state)
+                Sha3ReaderCore::new(&self.state, self.keccak)
             }
         }
 
@@ -179,7 +182,7 @@ macro_rules! impl_cshake {
                     let chunk = initial_state_src[8 * i..][..8].try_into().unwrap();
                     u64::from_le_bytes(chunk)
                 });
-                Ok(Self{ state, initial_state })
+                Ok(Self{ state, initial_state, keccak: Keccak::new() })
             }
         }
 
diff --git a/sha3/src/lib.rs b/sha3/src/lib.rs
@@ -28,9 +28,6 @@ const SHA3_PAD: u8 = 0x06;
 const SHAKE_PAD: u8 = 0x1f;
 const CSHAKE_PAD: u8 = 0x04;
 
-const PLEN: usize = 25;
-const DEFAULT_ROUND_COUNT: usize = 24;
-
 digest::buffer_fixed!(
     /// SHA-3-224 hasher.
     pub struct Sha3_224(Sha3HasherCore<U144, U28, SHA3_PAD>);
