author | Jack Lloyd <[email protected]> | 2016-10-18 20:11:38 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-10-19 14:41:10 -0400 |
commit | 1caf3800efd03b222ff066c3bbea41ef44c9f513 (patch) | |
tree | 59edd7a1fe6f8d3fb8d2c900b8d5068de6f4a3d0 /src/lib/pubkey/newhope/newhope.h | |
parent | 3324f00a8b094c86cee1f5a59ec6fc746663bd7e (diff) |
Add SHAKE-128 as stream cipher
Updates NewHope to use that instead of the hard-coded SHAKE-128,
and adds toggle for BoringSSL compat mode using AES-128/CTR + SHA-256.
Diffstat (limited to 'src/lib/pubkey/newhope/newhope.h')
-rw-r--r-- | src/lib/pubkey/newhope/newhope.h | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/src/lib/pubkey/newhope/newhope.h b/src/lib/pubkey/newhope/newhope.h
index 875c6e092..667f1c4cf 100644
--- a/src/lib/pubkey/newhope/newhope.h
+++ b/src/lib/pubkey/newhope/newhope.h
@@ -28,9 +28,33 @@ typedef struct {
 uint16_t coeffs[1024];
 } newhope_poly;
-void BOTAN_DLL newhope_keygen(uint8_t *send, newhope_poly *sk, RandomNumberGenerator& rng);
-void BOTAN_DLL newhope_sharedb(uint8_t *sharedkey, uint8_t *send, const uint8_t *received, RandomNumberGenerator& rng);
-void BOTAN_DLL newhope_shareda(uint8_t *sharedkey, const newhope_poly *ska, const uint8_t *received);
+/**
+* This chooses the XOF + hash for NewHope
+
+* The official NewHope specification and reference implementation use
+* SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in
+* CTR mode.
+*/
+enum class Newhope_Mode {
+ SHA3,
+ BoringSSL
+};
+
+void BOTAN_DLL newhope_keygen(uint8_t *send,
+ newhope_poly *sk,
+ RandomNumberGenerator& rng,
+ Newhope_Mode = Newhope_Mode::SHA3);
+
+void BOTAN_DLL newhope_sharedb(uint8_t *sharedkey,
+ uint8_t *send,
+ const uint8_t *received,
+ RandomNumberGenerator& rng,
+ Newhope_Mode mode = Newhope_Mode::SHA3);
+
+void BOTAN_DLL newhope_shareda(uint8_t *sharedkey,
+ const newhope_poly *ska,
+ const uint8_t *received,
+ Newhope_Mode mode = Newhope_Mode::SHA3);
 } |
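Review bot: The doc comment on `Newhope_Mode` does not state that both peers have to pass the same mode to `newhope_keygen`, `newhope_sharedb` and `newhope_shareda` within one exchange. All three functions return void, so a mismatch cannot be reported at this layer; presumably it would only surface later as the two sides holding different shared keys. I would add a line such as `* Both parties must select the same mode for keygen, sharedb and shareda.` to the enum comment, and replace the bare blank line inside that comment block with `*` so the block stays one doc comment. The `newhope_keygen` declaration also leaves the new parameter unnamed while the other two call it `mode`; `Newhope_Mode mode = Newhope_Mode::SHA3);` would keep the three signatures parallel. The implementations are outside this hunk, so how each mode is applied cannot be checked from here.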