krypteia-arcana 0.1.0

Pure-Rust classical cryptographic primitives: RSA (PKCS#1 v1.5, OAEP), ECC (NIST P-256/384/521, secp256k1), ECDSA, EdDSA (Ed25519), X25519, AES (128/192/256, GCM/CBC), DES/3DES, SHA-1/2/3, HMAC. Side-channel-aware (Montgomery ladder, branchless point_add_ct). Targets embedded (no_std), STM32 M0/M4/M33, ESP32-C3 RISC-V. Zero runtime dependencies.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

//! SHA-512/224 and SHA-512/256 hash functions (FIPS 180-4).
//!
//! Truncated variants of SHA-512 with distinct IV values generated
//! per FIPS 180-4 §5.3.6. These use the SHA-512 compression
//! function (128-byte blocks, 64-bit words) but produce shorter
//! outputs, which can matter for constrained protocols.

use super::sha512::Sha512;
use crate::Hasher;

// IV for SHA-512/224 (FIPS 180-4 §5.3.6.1).
const H0_512_224: [u64; 8] = [
    0x8C3D37C819544DA2,
    0x73E1996689DCD4D6,
    0x1DFAB7AE32FF9C82,
    0x679DD514582F9FCF,
    0x0F6D2B697BD44DA8,
    0x77E36F7304C48942,
    0x3F9D85A86A1D36C8,
    0x1112E6AD91D692A1,
];

// IV for SHA-512/256 (FIPS 180-4 §5.3.6.2).
const H0_512_256: [u64; 8] = [
    0x22312194FC2BF72C,
    0x9F555FA3C84C64C2,
    0x2393B86B6F53B151,
    0x963877195940EABD,
    0x96283EE2A88EFFE3,
    0xBE5E1E2553863992,
    0x2B0199FC2C85B8AA,
    0x0EB72DDC81C52CA2,
];

/// SHA-512/224 hasher (FIPS 180-4). 224-bit output, 128-byte blocks.
///
/// Uses the SHA-512 compression function (efficient on 64-bit
/// hardware) with a distinct IV and a 28-byte truncation.
#[derive(Clone)]
pub struct Sha512_224 {
    inner: Sha512,
}

impl Hasher for Sha512_224 {
    const OUTPUT_LEN: usize = 28;
    const BLOCK_LEN: usize = 128;

    fn new() -> Self {
        Self {
            inner: Sha512::new_with_iv(H0_512_224),
        }
    }

    fn update(&mut self, data: &[u8]) {
        self.inner.update(data);
    }

    fn finalize(self) -> Vec<u8> {
        let mut out = vec![0u8; 28];
        self.finalize_into(&mut out);
        out
    }

    fn finalize_into(self, out: &mut [u8]) {
        let mut full = [0u8; 64];
        self.inner.finalize_into(&mut full);
        let len = out.len().min(28);
        out[..len].copy_from_slice(&full[..len]);
    }
}

/// SHA-512/256 hasher (FIPS 180-4). 256-bit output, 128-byte blocks.
///
/// Uses the SHA-512 compression function with a distinct IV and a
/// 32-byte truncation. Provides 128-bit collision resistance (same
/// as SHA-256) but runs on the 64-bit oriented SHA-512 core, which
/// is faster than SHA-256 on 64-bit platforms.
#[derive(Clone)]
pub struct Sha512_256 {
    inner: Sha512,
}

impl Hasher for Sha512_256 {
    const OUTPUT_LEN: usize = 32;
    const BLOCK_LEN: usize = 128;

    fn new() -> Self {
        Self {
            inner: Sha512::new_with_iv(H0_512_256),
        }
    }

    fn update(&mut self, data: &[u8]) {
        self.inner.update(data);
    }

    fn finalize(self) -> Vec<u8> {
        let mut out = vec![0u8; 32];
        self.finalize_into(&mut out);
        out
    }

    fn finalize_into(self, out: &mut [u8]) {
        let mut full = [0u8; 64];
        self.inner.finalize_into(&mut full);
        let len = out.len().min(32);
        out[..len].copy_from_slice(&full[..len]);
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::Hasher;

    // FIPS 180-4 examples (from NIST CSRC).

    #[test]
    fn test_sha512_224_empty() {
        let digest = Sha512_224::hash(b"");
        let expected: [u8; 28] = [
            0x6e, 0xd0, 0xdd, 0x02, 0x80, 0x6f, 0xa8, 0x9e, 0x25, 0xde, 0x06, 0x0c, 0x19, 0xd3, 0xac, 0x86, 0xca, 0xbb,
            0x87, 0xd6, 0xa0, 0xdd, 0xd0, 0x5c, 0x33, 0x3b, 0x84, 0xf4,
        ];
        assert_eq!(&digest[..], &expected[..]);
    }

    #[test]
    fn test_sha512_224_abc() {
        let digest = Sha512_224::hash(b"abc");
        let expected: [u8; 28] = [
            0x46, 0x34, 0x27, 0x0F, 0x70, 0x7B, 0x6A, 0x54, 0xDA, 0xAE, 0x75, 0x30, 0x46, 0x08, 0x42, 0xE2, 0x0E, 0x37,
            0xED, 0x26, 0x5C, 0xEE, 0xE9, 0xA4, 0x3E, 0x89, 0x24, 0xAA,
        ];
        assert_eq!(&digest[..], &expected[..]);
    }

    #[test]
    fn test_sha512_256_empty() {
        let digest = Sha512_256::hash(b"");
        let expected: [u8; 32] = [
            0xc6, 0x72, 0xb8, 0xd1, 0xef, 0x56, 0xed, 0x28, 0xab, 0x87, 0xc3, 0x62, 0x2c, 0x51, 0x14, 0x06, 0x9b, 0xdd,
            0x3a, 0xd7, 0xb8, 0xf9, 0x73, 0x74, 0x98, 0xd0, 0xc0, 0x1e, 0xce, 0xf0, 0x96, 0x7a,
        ];
        assert_eq!(&digest[..], &expected[..]);
    }

    #[test]
    fn test_sha512_256_abc() {
        let digest = Sha512_256::hash(b"abc");
        let expected: [u8; 32] = [
            0x53, 0x04, 0x8E, 0x26, 0x81, 0x94, 0x1E, 0xF9, 0x9B, 0x2E, 0x29, 0xB7, 0x6B, 0x4C, 0x7D, 0xAB, 0xE4, 0xC2,
            0xD0, 0xC6, 0x34, 0xFC, 0x6D, 0x46, 0xE0, 0xE2, 0xF1, 0x31, 0x07, 0xE7, 0xAF, 0x23,
        ];
        assert_eq!(&digest[..], &expected[..]);
    }
}