On 4/30/25 2:43 PM, Niels Möller wrote:
Hi,
I recently realized that unlike other hash functions in Nettle, we can do without the block size buffer for sha3. Below patch reduces the buffer to just 8 bytes, since input can be xored directly to the state array (with the extra 8-byte buffer used for partial words on big endian platforms), and similarly, shake output can be generated from the state array. The implementation of _update and _shake_output becomes a bit more complex, with separate code for big and little endian platforms.
I had expected a minor speedup for little-endian, but I haven't seen any significant performance changes on my x86_64 machine.
Before, the size of the context structs ranged from 280 bytes for sha3_512 to 352 bytes for sha3_224 and 376 for shake128. After these changes, all variants use the same context struct of 216 bytes.
One can then eliminate the different struct sha3_*_ctx, replacing with a single struct sha3_ctx, and similarly only a single sha3_init function.
Would it be useful to keep old names as preprocessor aliases? Either by default, or via a separate header nettle/sha3-compat.h?
Default would be my vote.
Regards, /Niels
<snip>
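The buffer-free absorb described in the quoted message, as an added sketch that is not Nettle's code and not the patch under discussion: a SHA3-256 whose context holds only the 200-byte state and a byte position. The `demo_*` names and the struct layout are hypothetical. Unlike the patch, which keeps an 8-byte buffer and separate big- and little-endian paths, it XORs one byte at a time using shifts, so a single code path works on either endianness.

```c
#include <stdint.h>
#include <string.h>
#define ROTL(x, n) (((x) << (n)) | ((x) >> (64 - (n))))
static const uint64_t RC[24] = {
    0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL, 0x8000000080008000ULL,
    0x000000000000808bULL, 0x0000000080000001ULL, 0x8000000080008081ULL, 0x8000000000008009ULL,
    0x000000000000008aULL, 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
    0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL, 0x8000000000008003ULL,
    0x8000000000008002ULL, 0x8000000000000080ULL, 0x000000000000800aULL, 0x800000008000000aULL,
    0x8000000080008081ULL, 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL };
static const int ROTC[24] = { 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 };
static const int PILN[24] = { 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 };
/* Hypothetical context: 200-byte state plus a byte position, no rate-sized block buffer. */
struct demo_sha3 { uint64_t s[25]; unsigned pos; };
static void keccak_f(uint64_t s[25]) {              /* Keccak-f[1600], 24 rounds */
    for (int r = 0; r < 24; r++) {
        uint64_t c[5], t, u;
        for (int i = 0; i < 5; i++) c[i] = s[i] ^ s[i + 5] ^ s[i + 10] ^ s[i + 15] ^ s[i + 20];
        for (int i = 0; i < 5; i++) {               /* theta */
            t = c[(i + 4) % 5] ^ ROTL(c[(i + 1) % 5], 1);
            for (int j = 0; j < 25; j += 5) s[j + i] ^= t;
        }
        t = s[1];                                   /* rho + pi */
        for (int i = 0; i < 24; i++) { u = s[PILN[i]]; s[PILN[i]] = ROTL(t, ROTC[i]); t = u; }
        for (int j = 0; j < 25; j += 5) {           /* chi */
            for (int i = 0; i < 5; i++) c[i] = s[j + i];
            for (int i = 0; i < 5; i++) s[j + i] ^= ~c[(i + 1) % 5] & c[(i + 2) % 5];
        }
        s[0] ^= RC[r];                              /* iota */
    }
}

/* XOR input straight into the state; the shift puts each byte in its lane on any endianness. */
static void demo_update(struct demo_sha3 *c, unsigned rate, const uint8_t *p, size_t n) {
    while (n--) {
        c->s[c->pos >> 3] ^= (uint64_t)*p++ << (8 * (c->pos & 7));
        if (++c->pos == rate) { keccak_f(c->s); c->pos = 0; }
    }
}

/* SHA3-256 (rate 136) of msg, fed as two updates split at `split` (split <= n). */
static void demo_sha3_256(const uint8_t *msg, size_t n, size_t split, uint8_t out[32]) {
    struct demo_sha3 c; memset(&c, 0, sizeof c);
    demo_update(&c, 136, msg, split);
    demo_update(&c, 136, msg + split, n - split);
    c.s[c.pos >> 3] ^= (uint64_t)0x06 << (8 * (c.pos & 7));  /* domain bits + pad start */
    c.s[16] ^= (uint64_t)0x80 << 56;                         /* pad end: byte 135 of the rate */
    keccak_f(c.s);
    for (int i = 0; i < 32; i++) out[i] = (uint8_t)(c.s[i >> 3] >> (8 * (i & 7)));
}
```

Because a partial block lives in the state itself, splitting the input at any offset, including mid-word or across the 136-byte rate boundary, yields the same digest.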