rscrypto

Rust crypto with zero default deps, no C libraries, and hardware acceleration across x86_64, ARM64, RISC-V, IBM Z, IBM POWER, and Apple Silicon. It is also no-std compatible and WASM/WASI compatible.

Coverage is uploaded as one total Codecov report from cargo-nextest + all of the weekly libFuzzer corpus replay data.

Crypto is often where otherwise portable Rust software stops being portable: native libs, target gaps, dependency piles, feature drift, and per-primitive performance surprises.

rscrypto is a single-crate crypto stack: checksums, cryptographic hashes, fast hashes, MACs, KDFs, password hashing, signatures, key exchange, and AEADs behind leaf-selectable features. It can be a tiny SHA-2 dependency or the full primitives package; either way, primitive implementations stay in-tree as Rust, SIMD intrinsics, and targeted ASM kernels. No C FFI, no vendored C/C++, no OpenSSL/libcrypto dependency, no external crypto crate stack.

rscrypto treats platform coverage as part of the API, not a bonus bench. The benchmark matrix covers x86_64 Intel/AMD, ARM64 Graviton3/4, RISE RISC-V, IBM Z/s390x, IBM POWER10, and macOS Apple Silicon. Every benched architecture has hardware, SIMD, or ASM acceleration in-tree; portable fallbacks remain the correctness floor for unsupported configurations and constrained builds.

Proof points:

Choose the smallest feature that fits:

Use it as a single primitive:

[dependencies]
rscrypto = { version = "0.1", default-features = false, features = ["sha2"] }

Or bring the whole toolbox without pulling in a C library:

[dependencies]
rscrypto = { version = "0.1", default-features = false, features = ["full"] }

Important boundaries: rscrypto is not a FIPS 140-3 validated module (yet). It provides Rust impls of commonly used primitives w/ portable fallbacks, typed APIs, and explicit hardware backends.

Quick Start

use rscrypto::{
  Aead, Blake3, Checksum, ChaCha20Poly1305, ChaCha20Poly1305Key, Crc32C,
  Digest, Ed25519Keypair, Ed25519SecretKey, HkdfSha256, HmacSha256, Kmac256,
  Mac, Sha256, Shake256, X25519SecretKey, Xof, Xxh3, aead::Nonce96,
};

let crc = Crc32C::checksum(b"data");

let hash = Sha256::digest(b"data");
let mut h = Sha256::new();
h.update(b"da"); h.update(b"ta");
assert_eq!(h.finalize(), hash);

let tag = HmacSha256::mac(b"key", b"data");
assert!(HmacSha256::verify_tag(b"key", b"data", &tag).is_ok());

let mut okm = [0u8; 32];
HkdfSha256::new(b"salt", b"ikm").expand(b"info", &mut okm)?;

let mut xof = Shake256::xof(b"data");
let mut out = [0u8; 64];
xof.squeeze(&mut out);

let kp = Ed25519Keypair::from_secret_key(Ed25519SecretKey::from_bytes([7u8; 32]));
let sig = kp.sign(b"data");
assert!(kp.public_key().verify(b"data", &sig).is_ok());

let alice = X25519SecretKey::from_bytes([7u8; 32]);
let bob = X25519SecretKey::from_bytes([9u8; 32]);
assert_eq!(alice.diffie_hellman(&bob.public_key())?, bob.diffie_hellman(&alice.public_key())?);

let cipher = ChaCha20Poly1305::new(&ChaCha20Poly1305Key::from_bytes([0x11; 32]));
let nonce = Nonce96::from_bytes([0x22; 12]);
let mut buf = *b"data";
let tag = cipher.encrypt_in_place(&nonce, b"aad", &mut buf)?;
cipher.decrypt_in_place(&nonce, b"aad", &mut buf, &tag)?;
assert_eq!(&buf, b"data");

let _ = Xxh3::hash(b"data");
# Ok::<(), Box<dyn std::error::Error>>(())

Password Hashing Quick Start

[dependencies]
rscrypto = { version = "0.1", default-features = false, features = ["password-hashing", "getrandom"] }

use rscrypto::{Argon2Params, Argon2VerifyPolicy, Argon2id, Scrypt, ScryptParams, ScryptVerifyPolicy};

let password = b"correct horse battery staple";

let argon2 = Argon2Params::new().build()?;
let encoded = Argon2id::hash_string(&argon2, password)?;
assert!(Argon2id::verify_string_with_policy(password, &encoded, &Argon2VerifyPolicy::default()).is_ok());
assert!(Argon2id::verify_string_with_policy(b"wrong", &encoded, &Argon2VerifyPolicy::default()).is_err());

let scrypt = ScryptParams::new().build()?;
let encoded = Scrypt::hash_string(&scrypt, password)?;
assert!(Scrypt::verify_string_with_policy(password, &encoded, &ScryptVerifyPolicy::default()).is_ok());
assert!(Scrypt::verify_string_with_policy(b"wrong", &encoded, &ScryptVerifyPolicy::default()).is_err());
# Ok::<(), Box<dyn std::error::Error>>(())

Why rscrypto

rscrypto started from a production need within Rail Industries: reproducible builds, small dependency graphs, wide platform coverage, and throughput under real workloads without dragging C libraries into the supply-chain story.

The design goal is simple: replace both single-primitive dependency piles and native crypto bindings with one auditable Rust crate that can be faster than either option above... and without the massive supply chain risk.

Performance

The current benchmarks compare rscrypto against the really common Rust baselines: RustCrypto hashes and AEADs, blake3, ed25519-dalek, x25519-dalek, crc-fast, xxhash-rust, rapidhash, aegis, and other related crates.

Linux: 3717 faster comparisons across 5796 matched comparisons on nine arches, with a 1.75x geomean speedup from raw Criterion medians.

On macOS Apple Silicon, AEAD is the strongest area at 2.60x geomean and checksums land at 4.18x; SHA-2 and SHA-3 are essentially parity at 1.02x and 1.01x.

Most Recent Bench Numbers: benchmark_results/OVERVIEW.md

Examples & Docs

API Conventions

Key, nonce, tag, and signature types round-trip through from_bytes / to_bytes / as_bytes. Secret key types mask Debug output; explicit secret display/export APIs are opt-in and should not be logged.

Types

Top-level API families: traits, checksums, cryptographic hashes/XOFs, fast hashes, MACs, KDFs, password hashing, Ed25519/X25519, AEADs, typed keys/nonces/tags/signatures, error types, and constant-time utilities.

Full type inventory: docs/types.md.

Security Properties

See docs/security.md for nonce lifecycle, verification handling, PHC verification limits, and RISC-V backend guidance.

Compliance Posture

rscrypto provides FIPS-oriented building blocks, not a FIPS 140-3 validated module.

NIST-aligned primitives include AES-256-GCM, SHA-2, SHA-3/SHAKE, HMAC, KMAC, HKDF, and PBKDF2. Validation requires I define the FIPS module boundary, operational environment, self-tests, docs, and pay for a lab review.

Adding a nist-approved feature bundle for FIPS-oriented deployments is on my roadmap, but it also costs tens of thousands of dollars to have it done correctly.

Compliance details: docs/compliance.md.

Feature Flags

Leaf features: crc16, crc24, crc32, crc64, sha2, sha3, blake2b, blake2s, blake3, ascon-hash, xxh3, rapidhash, hmac, hkdf, pbkdf2, kmac, ed25519, x25519, argon2, scrypt, phc-strings, aes-gcm, aes-gcm-siv, chacha20poly1305, xchacha20poly1305, aegis256, ascon-aead.

Platform Support

Three-tier SIMD dispatch: compile-time #[cfg] --> runtime detection (with std) --> portable fallback. Without std, only compile-time detection is used.

CI-Tested Architectures

no_std build targets: thumbv6m-none-eabi, riscv32imac-unknown-none-elf, aarch64-unknown-none, x86_64-unknown-none, wasm32-unknown-unknown, wasm32-wasip1.

NOTE: RISE RISC-V runners are the only reliable RISC-V runners I could find. I'd like to expand the RISC-V work here, but I do not currently have access to more hardware. IBM also accepted this repository for their IBM POWER/Z runners; without that access, I would not have been able to build and test the IBM backends.

Correctness Model

Portable impls are the byte-for-byte authority. Hardware, SIMD, and ASM backends are accelerators and are differential-tested against the portable path and official vectors. Verification errors are opaque, secret keys zeroize on drop, and release builds keep overflow checks enabled.

Testing

Internals

Module hierarchy and advanced modules: docs/architecture.md.

MSRV

1.95.0 (edition 2024). Tested on stable and nightly.

License

MIT OR Apache-2.0