Introduce the concept of "domain" for SHAKE XOF.

MarekKnapek · MarekKnapek · commit edf85585cefc · 2025-11-27T14:29:00.000+01:00
diff --git a/src/hashes/sha3.c b/src/hashes/sha3.c
@@ -369,7 +369,7 @@ int keccak_done(hash_state *md, unsigned char *out)
 #endif
 
 #ifdef LTC_SHA3
-static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state *sha3, unsigned char *out, unsigned long outlen, process_fn proc_f)
+static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state *sha3, unsigned char *out, unsigned long outlen, unsigned char domain, process_fn proc_f)
 {
    /* IMPORTANT NOTE: sha3_shake_done can be called many times */
    unsigned long idx;
@@ -381,7 +381,7 @@ static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state *sha3, unsign
 
    if (!sha3->xof_flag) {
       /* shake_xof operation must be done only once */
-      sha3->s[sha3->word_index] ^= (sha3->saved ^ (CONST64(0x1F) << (sha3->byte_index * 8)));
+      sha3->s[sha3->word_index] ^= (sha3->saved ^ (((ulong64)(domain)) << (sha3->byte_index * 8)));
       sha3->s[SHA3_KECCAK_SPONGE_WORDS - sha3->capacity_words - 1] ^= CONST64(0x8000000000000000);
       proc_f(sha3->s);
       /* store sha3.s[] as little-endian bytes into sha3.sb */
@@ -408,7 +408,7 @@ static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state *sha3, unsign
 static LTC_INLINE int s_sha3_shake_done(hash_state *md, unsigned char *out, unsigned long outlen, process_fn proc_f)
 {
    LTC_ARGCHK(md != NULL);
-   return s_sha3_shake_concrete_done(&md->sha3, out, outlen, proc_f);
+   return s_sha3_shake_concrete_done(&md->sha3, out, outlen, 0x1f, proc_f);
 }
 
 int sha3_shake_done(hash_state *md, unsigned char *out, unsigned long outlen)
@@ -419,7 +419,7 @@ int sha3_shake_done(hash_state *md, unsigned char *out, unsigned long outlen)
 #if defined LTC_TURBO_SHAKE
 static LTC_INLINE int s_turbo_shake_concrete_done(struct sha3_state *sha3, unsigned char *out, unsigned long outlen)
 {
-   return s_sha3_shake_concrete_done(sha3, out, outlen, s_keccak_turbo_f);
+   return s_sha3_shake_concrete_done(sha3, out, outlen, 0x1f, s_keccak_turbo_f);
 }
 int turbo_shake_done(hash_state *md, unsigned char *out, unsigned long outlen)
 {

Original file line number	Diff line number	Diff line change
`@@ -369,7 +369,7 @@ int keccak_done(hash_state md, unsigned char out)`
`369`	`369`	`#endif`
`370`	`370`
`371`	`371`	`#ifdef LTC_SHA3`
`372`		`-static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state sha3, unsigned char out, unsigned long outlen, process_fn proc_f)`
	`372`	`+static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state sha3, unsigned char out, unsigned long outlen, unsigned char domain, process_fn proc_f)`
`373`	`373`	`{`
`374`	`374`	`/* IMPORTANT NOTE: sha3_shake_done can be called many times */`
`375`	`375`	`unsigned long idx;`
`@@ -381,7 +381,7 @@ static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state *sha3, unsign`
`381`	`381`
`382`	`382`	`if (!sha3->xof_flag) {`
`383`	`383`	`/* shake_xof operation must be done only once */`
`384`		`- sha3->s[sha3->word_index] ^= (sha3->saved ^ (CONST64(0x1F) << (sha3->byte_index * 8)));`
	`384`	`+ sha3->s[sha3->word_index] ^= (sha3->saved ^ (((ulong64)(domain)) << (sha3->byte_index * 8)));`
`385`	`385`	`sha3->s[SHA3_KECCAK_SPONGE_WORDS - sha3->capacity_words - 1] ^= CONST64(0x8000000000000000);`
`386`	`386`	`proc_f(sha3->s);`
`387`	`387`	`/* store sha3.s[] as little-endian bytes into sha3.sb */`
`@@ -408,7 +408,7 @@ static LTC_INLINE int s_sha3_shake_concrete_done(struct sha3_state *sha3, unsign`
`408`	`408`	`static LTC_INLINE int s_sha3_shake_done(hash_state md, unsigned char out, unsigned long outlen, process_fn proc_f)`
`409`	`409`	`{`
`410`	`410`	`LTC_ARGCHK(md != NULL);`
`411`		`- return s_sha3_shake_concrete_done(&md->sha3, out, outlen, proc_f);`
	`411`	`+ return s_sha3_shake_concrete_done(&md->sha3, out, outlen, 0x1f, proc_f);`
`412`	`412`	`}`
`413`	`413`
`414`	`414`	`int sha3_shake_done(hash_state md, unsigned char out, unsigned long outlen)`
`@@ -419,7 +419,7 @@ int sha3_shake_done(hash_state md, unsigned char out, unsigned long outlen)`
`419`	`419`	`#if defined LTC_TURBO_SHAKE`
`420`	`420`	`static LTC_INLINE int s_turbo_shake_concrete_done(struct sha3_state sha3, unsigned char out, unsigned long outlen)`
`421`	`421`	`{`
`422`		`- return s_sha3_shake_concrete_done(sha3, out, outlen, s_keccak_turbo_f);`
	`422`	`+ return s_sha3_shake_concrete_done(sha3, out, outlen, 0x1f, s_keccak_turbo_f);`
`423`	`423`	`}`
`424`	`424`	`int turbo_shake_done(hash_state md, unsigned char out, unsigned long outlen)`
`425`	`425`	`{`