Constant-time tag/digest validation against timing attacks, improved CMake portability.

Fixed

Security

• Use constant-time tag/digest validation to offer some resistance against
  timing attacks. Applies to all decryption functions
  (ascon_aead*_decrypt*()) and all hashing functions which compare
  the generated digest to the expected (ascon_hash_*_matches()).

Cross-platform portability

• Enforced name libascon.{dll|so|dylib} for the shared library, so it's the
  same when built with any toolchain.
• CMake will not verify whether a compiler supports a flag before using it.
  This makes the CMake configuration phase slightly longer, but the result
  is cached, so it happens only the first time.
• CMake now defaults to MinSizeRel build type if CMAKE_BUILD_TYPE is not
  specified, because binary size matters more than speed for a cross-platform
  implementation. Additionaly, on some platforms it overperforms the
  Release build.
• Explicitly setting many Doxygen settings.

Internal changes

• Simplified Ascon permutation code, to increase its readability.
• Internal function byte_mask() renamed to mask_most_signif_bytes().

New, lighter hashing functions: Ascon-Hasha and Ascon-XOFa, as per Ascon's NIST submission update (2021). Pre-initialised hashes.

Added

• Ascon-Hasha functions:

  • Offline processing:
    • ascon_hasha()
    • ascon_hasha_matches()
  • Online processing:
    • ascon_hasha_init()
    • ascon_hasha_update()
    • ascon_hasha_final()
    • ascon_hasha_final_matches()

• Ascon-XOFa functions:

  • Offline processing:
    • ascon_hasha_xof()
    • ascon_hasha_xof_matches()
  • Online processing:
    • ascon_hasha_xof_init()
    • ascon_hasha_xof_update()
    • ascon_hasha_xof_final()
    • ascon_hasha_xof_final_matches()

Fixed

• Faster initialisation phase of all hashing functions states: using
  precomputed sponges for each hashing function instead of applying its
  initialisation vector and permuting it with 12 rounds. Given that this
  operation is deterministic, we can trade code size space (the precomputed
  sponges) for computation time (no permutation needed).
• Add struct names to anonymous structs that were only typedef-ed in the
  library header. Helps when debugging, so the debugger can show the struct
  name.
• Minor internal simplifications of the benchmark and test suite.

Fix new compiler warnings appearing in GCC v11

Fixed

• Fix GCC v11 warnings about uint8* vs uint8[] data types differing in
  signature of function declaration and definition. It was working fine so far,
  apparently now the compiler wants them to be consistent, so they now are.
  Arrays were chosen as data type (although they are just pointers behind the
  scenes), so the known, constant length of the binary key/nonce can be
  explicitly indicated for code clarity, following the recommended practice
  from the MISRA-C standard.
• Fixed GCC v11 warning appearing only in Release mode about the internal
  small_cpy() function "writing 1 byte into a region of size 0"
  [-Werror=stringop-overflow=]
• Fixed ascon_aead_common.c file mentioning BSD license and full copyright
  statement, when the project is CC0 (new-file-template error).
• Auto-formatting benchmark.c and some markdown files, including this
  changelog.
• Simplify assert macro usage in the codebase: make it do nothing when off,
  thus the #ifdef ASCON_INPUT_ASSERTS ... #endif condition can be removed.

Compilation fixes for some GCC versions, added `ascon_` to some internal target names to avoid name clashing

Fixed

• Avoid type-punning when clearing the context and when comparing the
  expected and computed tag/digest, which may cause compilation errors
  with -Werror=strict-aliasing in some GCC versions.
• Renamed some build targets to avoid name collisions when including the whole
  LibAscon project into another CMake project with add_subdirectory()
  • doxygen -> ascon_doxygen
  • benchmark -> ascon_benchmark
  • copytestvectors -> ascon_copytestvectors
    As these are all internal targets, it should hopefully not affect the
    library user.

New hashing functions, any tag/digest sizes, less dependencies, assertion checks for debug mode

New hashing functions comparing the expected and computed digest,
support for virtually any tag and digest size, removed dependencies malloc.h
and string.h, better context cleanup, optional asserts validating the
library input.

Added

• 4 new hash functions that compute the digest of a message and compare it with
  the expected one, informing the user if they match. This is done with
  constant stack memory usage, like the AEAD functions now validate the tags
  too. The functions need the data and the expected digest as input,
  providing a boolean as output, indicating whether the digest matches or not.

  • ascon_hash_matches() and ascon_hash_xof_matches() to validate the
    digest of a contiguous message.
  • ascon_hash_final_matches() and ascon_hash_xof_final_matches() to
    validate the digest as a last step of the Init-Update-Final process,
    removing the need from the user to call ascon_hash_final() or
    ascon_hash_xof_final() and run memcmp() on the just calculated digest.

• Optional runtime asserts to validate the argument of the
  library API functions, mostly checking for NULL pointers and correct
  order of calling of the Init-Update-Final functions.

  • Suggested use only in Debug mode.
  • Uses assert.h by default, but can be overridden by defining
    ASCON_ASSERT at compile time too.
  • In CMake script it's enabled only for Debug builds and only
    if assert.h is available.
  • Disabled by default if compiling the library by other means
    (e.g. custom makefile).

• 2 new example usages in the Readme:

  • Offline encryption/decryption of contiguous data.
  • Hashing functions, including new digest-comparison functions.

Changed

• Library internals (not impacting API):
  • The AEAD tag validation is not performed one chunk of 8 bytes at the time
    rather than generating the whole contiguous tag from the user-given data and
    comparing it in its entirety (memcmp()) with the user-given tag.
    This implies that tag lengths don't have a physical limitation anymore
    (previously tag lengths > 64 bytes were discouraged).
  • Renamed state variable ascon_bufstate_t.assoc_data_state
    to ascon_bufstate_t.flow_state.
  • Enlarged state enum ascon_flow_t.
  • Renamed const uint8_t* tag parameter in AEAD function to expected_tag
    to emphasise that is the one that comes next to the ciphertext.
    It's length is now similarly expected_tag_len.

Removed

• Dependency malloc.h: is not required on Windows anymore, as we don't
  allocate the whole expected tag on the stack anymore: a small 8 byte buffer
  is used instead.

• Dependency string.h: due to memcmp() (see Changed section) and
  memset()/memset_s() (see Fixed section) not being used anymore, the
  library is not used.

Fixed

• The clearing of the context, both for AEAD and hash functions is performed
  without loops or memset()/memset_s(), but by setting the (not so many)
  context fields one by one to 0 using volatile pointer dereferencing to
  improve the chances of the optimiser not removing the cleanup section.

• CMake fixes:

  • clean target now removes ascon.h from the build directory.
  • Better copying of the test vectors to the build directory: use a custom
    target, set it as a dependency to testascon and testasconshared to
    avoid issues on some systems.
  • Building with CMake should now work properly when using LibAscon in a
    Git Submodule.

• Small fixes in the hash/XOF function tests.

Support for compilation on Windows with MSVC, other CMake improvements

Thanks to @mataron for providing the initial fixes for MSVC!

Added

• Enable ctest command to run the test executables.
• Added .editorconfig for a portable text editing configuration.

Fixed

• All tag_len parameters in the library API now are of type size_t
  instead of uint8_t so that sizeof() can be used on the tag buffers.
  As the tags are internally allocated on the stack, the lengths should not
  be excessive (e.g. anything above 64 B = 512 bit is already a lot for
  security purposes).

• LibAscon now successfully compiles with CL (MSVC) on Windows:

  • Fixed errors due to inlining of static function into exposed functions.
  • Fixed errors at link time as the linker did not find the library's public
    API functions: now a ASCON_API macro is set to export their symbols
    properly (does nothing on any other OS) with __declspec(dllexport).
  • Use _malloca() and _freea() to declare arrays on the stack without
    a constant length at compile-time.
  • Fixed a variety of compiler warnings and errors for the test suite code
    and benchmark executable, including paddings, Spectre mitigations,
    inlining notifications, incorrect macro checking.

• Moved compiler flag settings to a separate CMake file: compiler_flags.cmake

  • Improved support for GCC vs. Clang differences in the compiler flags

• Replaced Travis CI with GitHub Actions CI:

  • Support for MSVC compilation using CL on Windows

CMake and build process improvements, 4 new targets, minor fix to avoid unwanted compiler optimisations.

Added

• Add static build targets ascon128hash, ascon128ahash, ascon80pqhash
  which compile to static libraries with the indicated AEAD cipher and
  the Ascon-Hash/Xof functions. Useful to avoid setting manual compile targets
  when only one cipher and the hash functions are needed.
• Add test runner which tests the shared library build target testasconshared
  to check that everything works also with dynamic linking.

Fixed

• Prefer memset_s when available to clear the context, as memset may be
  optimised out by the compiler, while memset_s is guaranteed to always
  execute.
• Improved CMakeLists.txt:
  • Bump minimum CMake version to 3.9 to use the
    INTERPROCEDURAL_OPTIMISATION property (aka Link time optimisation)
    on just the targets that need it.
  • Remove -flto flag, it may cause compiling issues in some cases (breaking
    the Travis CI build, for one), prefer CMake's abstraction as per point
    above.
  • List explicit include directories for each target.
  • Add explicit dependencies to each target that has some.
• Improved Travis CI:
  • Enable parallel make-all.
  • Install MSYS2 and use GCC on Windows to compile properly.

Fixed slowdowns - now as fast as reference implementation, 100% test coverage.

Fixed

• Fixed 2x slowdown compared to original reference implementation by
  unrolling loops in ascon_permutation_[a12|b8|b6]. Apparently the
  compiler does not do that automatically, even when requested with
  -funroll-loops.
  This brings LibAscon to the same performance as the reference implementation,
  when compiled in Release mode.

• When building in MinSizeRel mode (-DCMAKE_BUILD_TYPE=MinSizeRel), the core
  round and permutation functions are not hinted to be inlined by the compiled,
  thus the library takes slightly less space.

• Replaced rewritten benchmark runner with original one (copy-pasted and
  slightly changed). Apparently the rewritten benchmark was about 2x slower.
  Now the benchmark results are comparable between original implementation
  and LibAscon.

• Test coverage reached 100%: removed a dead branch in
  ascon_aead80pq_decrypt_final(), which was a copy-paste error.

• Fix a int to uint8 type conversion warning.

• Removed unused internal log_sponge() function, making the library slightly
  smaller.

• Add initial Travis-CI script for a few builds. Some are still failing, but the
  reasons seems to be in the system configuration or old compiler versions
  or "linker not found", not in the LibAscon source code.

First stable version with all ciphers

Modified

• Breaking change from previous versions: removed total_output_len
  parameters from the functions

  • ascon_aead*_encrypt()
  • ascon_aead*_decrypt()
  • ascon_aead*_encrypt_final()
  • ascon_aead*_decrypt_final()
    and from the ascon_bufstate_t struct, making it 8 B smaller.
    Why? TL;DR it's redundant.

  The reasoning is that the user of the first two (offline processing)
  already knows the length of the plaintext/ciphertext; the user of the second
  two obtains the length of the processed chunks as return values so they
  can simply sum the up - and anyhow the user known the length of all the
  chunks provided to the cipher; those could be summed up to. In most of the
  cases the argument was NULL in the function usage. For details on how to
  obtain the total length, the example in the Readme should suffice.

• Renamed all files in src so they start with ascon_.

Fixed

• Added more tests to cover more branching cases of the online-buffering
  algorithm.
• Removal of some minor warnings after inspection with static analyser
  (scan-build) and CLion code inspection tool.
• Typos
• Added missing Known limitations paragraphs to the previous releases
  in this Changelog.

Known limitations

• Because LibAscon is implemented with reuse of existing functions in mind,
  in order to spare on code size and with the Init-Update-Digest paradigm,
  which has some internal buffering, the cipher is about 4x slower than the
  reference implementation (ref).
• There is no architecture-specific optimisation, only a generic portable
  implementation using mostly uint64_t data types.

Added Ascon80pq cipher and usage example

Added

• ascon_aead128a_* functions, working exactly as the aead128 versions.
  Internally they absorb the data with a double rate.
• Example encryption and decrpytion code into Readme.

Removed

• Macros to exclude some parts of the library from the previous version,
  as they only complicate the building process. It's easier to exclude some
  source files from the build, now that they are better organised.
  • ASCON_COMPILE_AEAD128
  • ASCON_COMPILE_AEAD128a
  • ASCON_COMPILE_AEAD80pq
    - ASCON_COMPILE_HASH

Known limitations

• Because LibAscon is implemented with reuse of existing functions in mind,
  in order to spare on code size and with the Init-Update-Digest paradigm,
  which has some internal buffering, the cipher is about 4x slower than the
  reference implementation (ref).
• There is no architecture-specific optimisation, only a generic portable
  implementation using mostly uint64_t data types.