Using cSHAKE

[rgmhtt]

The wiki: https://pycryptodome.readthedocs.io/en/v3.15.0/src/hash/cshake128.html

Is not so helpful. Is there comments in the code to read? And where?

Per rfc9374 I need:

   cSHAKE128(Input, L, "", Context ID)

   Input      :=  Prefix | Additional Information | OGA ID | HOST_ID
   L          :=  Length in bits of the hash portion of ORCHID

Where Prefix, Additional Information, & OGA ID are bit values
HOST_ID is an EdDSA25519 32-byte public key (got that working, thanks).
L is typically 64 bits (so at least this usage maps to your bytes for L in the wiki, 800-185 has length in bits).
Fortunately N is null as I don't see how to set that from the wiki
Context ID is the cSHAKE customization string. In this case
0x00B5 A69C 795D F5D5 F008 7F56 843F 2C40 (per rfc9373 sec 8.3)

In my initial python script I will only be getting those 8 bytes from cSHAKE per invocation. Later I will have uses where I will have lots of different hashes to generate.

So I can set the customization with:

shake = cSHAKE128.new(custom=h'00B5A69C795DF5D5F0087F56843F2C40')
and it seems I can get my 8 bytes out with something like

shake.update(b'Input')
DETsuf = shake.read(8).bin()

This SHOULD give me a 64-bit string that I can then use in building the DET per fig 1 in sec 3.

but the wiki reads that after you do a shake.read, you don't reinitialize the sponge with another shake.update? Rather you reint with:

cSHAKE128.new(data=None, custom=None)
or since custom does not change
cSHAKE128.new(data=None) ?

Very unclear for someone that reads SP800-185, not python.

thanks for helping me understand this.

[rgmhtt]

OK, I have that wrong on how to represent a hex string. It should be:

shake = cSHAKE128.new(custom=0x00B5A69C795DF5D5F0087F56843F2C40)

So I tried that and:

Traceback (most recent call last):
File "/home/rgm/data/htt/Projects/Critical/drafts/draft-ietf-drip-rid/det-gen.py", line 138, in
main(sys.argv[1:])
File "/home/rgm/data/htt/Projects/Critical/drafts/draft-ietf-drip-rid/det-gen.py", line 131, in main
shake = cSHAKE128.new(custom=0x00B5A69C795DF5D5F0087F56843F2C40)
File "/usr/lib64/python3.10/site-packages/Cryptodome/Hash/cSHAKE128.py", line 187, in new
return cSHAKE_XOF(data, custom, 256, b'')
File "/usr/lib64/python3.10/site-packages/Cryptodome/Hash/cSHAKE128.py", line 97, in init
prefix_unpad = _encode_str(function) + _encode_str(custom)
File "/usr/lib64/python3.10/site-packages/Cryptodome/Hash/cSHAKE128.py", line 68, in _encode_str
bitlen = len(x) * 8
TypeError: object of type 'int' has no len()

Even
shake = cSHAKE128.new(custom=0x00B5A69C795DF5D5)
generated the error

Or is it really coughing on:

shake.update(pbraw)

where

pbraw = key.public_key().export_key(format="raw")
print("EdDSA: ", pbraw)

EdDSA: b'\xe7J\x93\x02-X\xd6Rs"\xb7\xc3?\xb8w\x8d\xae\xf3\xa0p\x16s\xa9\xbc\xf8\xcf\x95\xa1\x94\x15\xc1\xcc'

[Akuli]

You need to pass it as bytes: cSHAKE128.new(custom=bytes.fromhex("00B5A69C795DF5D5"))

[rgmhtt]

Got a response from a friend that said basically the same thing but used:
binascii.unhexlify()

And I reread 800-185 sec 3.2 and see I lost track that 'N' is reserved for NIST to customize cSHAKE (e.g. N="KMAC"), so of course there is no way to set it in cSHAKE...

But it does define L in bits, so you deviate there and someone that WANTS bits, not bytes (and note I DO have use cases where I nibble) how would that be possible?

Thank you

[rgmhtt]

And how do I make multiple cSHAKE hashes? Do i use:

cSHAKE128.new(data=None, custom=None)

and then set custom and then feed in the string?

or can

cSHAKE128.new(data=None, custom=string)

do it if you are changing the customization, or only

cSHAKE128.new(data=None)

If you are using the same customization but want to feed in a new string to hash?

Thank you.