bash-prg-hash: Initial implementation

[makavity]

1. I am not sure to assert in block_api
2. I am not sure in new and new_with_empty_header functions.

[makavity]

I am also not sure, it should be implemented as prg-hash.
Because AEAD algorithm uses start, squeeze, absorb and encrypt functions. But it is correct to implement encrypt here and make block_api methods - pub?

[newpavlov]

Sorry for the late review!

Some preliminary comments without looking deep at the implementation and the spec.

[makavity]

Thanks for review, @newpavlov.
As I see, all fixed

[makavity]

Looks like the sha1 is failed because timeout, not because PR changes.

[newpavlov]

I added TryCustomizedInit trait in digest v0.11.3. Also, take a look at #849 (the change was inspired by this PR), it should help to simplify the implementation.

[makavity]

I added TryCustomizedInit trait in digest v0.11.3. Also, take a look at #849 (the change was inspired by this PR), it should help to simplify the implementation.

Cannot implement squeeze.
In SpongeCursor::squeeze_u64_le:

for block in &mut blocks {
    sponge(state);

    let mut dst_chunks = block.chunks_exact_mut(size_of::<u64>());
    for (src, dst_chunk) in state.iter_mut().zip(&mut dst_chunks) {
        dst_chunk.copy_from_slice(&src.to_le_bytes());
    }
    assert!(dst_chunks.into_remainder().is_empty());
}

This does permute then read, while bash-prg-hash needs read then permute for the first block after commit(OUT) (and then permutation between full-rate blocks).
So the first output block must come from the current committed state, without an extra permutation. With current API, that path cannot be expressed directly, so reader squeeze still needs custom logic.

Should I left it as-is, or maybe another mode in SpongeCursor?

[makavity]

I've commited it without squeeze from SpongeCursor, have no idea how to use it in current approach.

[newpavlov]

Should I left it as-as, or maybe another mode in SpongeCursor?

Can not say right now, I will need to read the spec first.