Struct Hasher 

pub struct Hasher();

Implementation of the Rescue Prime Optimized hash function with 256-bit output.

The hash function is implemented according to the Rescue Prime Optimized specifications while the padding rule follows the one described here.

The parameters used to instantiate the function are:

• Field: 64-bit prime field with modulus p = 2^64 - 2^32 + 1.
• State width: 12 field elements.
• Rate size: r = 8 field elements.
• Capacity size: c = 4 field elements.
• Number of founds: 7.
• S-Box degree: 7.

The above parameters target a 128-bit security level. The digest consists of four field elements and it can be serialized into 32 bytes (256 bits).

Hash output consistency

Functions hash_elements(), merge(), and merge_with_int() are internally consistent. That is, computing a hash for the same set of elements using these functions will always produce the same result. For example, merging two digests using merge() will produce the same result as hashing 8 elements which make up these digests using hash_elements() function.

However, hash() function is not consistent with functions mentioned above. For example, if we take two field elements, serialize them to bytes and hash them using hash(), the result will differ from the result obtained by hashing these elements directly using hash_elements() function. The reason for this difference is that hash() function needs to be able to handle arbitrary binary strings, which may or may not encode valid field elements - and thus, deserialization procedure used by this function is different from the procedure used to deserialize valid field elements.

Thus, if the underlying data consists of valid field elements, it might make more sense to deserialize them into field elements and then hash them using hash_elements() function rather than hashing the serialized bytes using hash() function.

Domain separation

merge_in_domain() hashes two digests into one digest with some domain identifier and the current implementation sets the second capacity element to the value of this domain identifier. Using a similar argument to the one formulated for domain separation of the RPX hash function in Appendix C of its specification, one sees that doing so degrades only pre-image resistance, from its initial bound of c.log_2(p), by as much as the log_2 of the size of the domain identifier space. Since pre-image resistance becomes the bottleneck for the security bound of the sponge in overwrite-mode only when it is lower than 2^128, we see that the target 128-bit security level is maintained as long as the size of the domain identifier space, including for padding, is less than 2^128.

Hashing of empty input

The current implementation hashes empty input to the zero digest [0, 0, 0, 0]. This has the benefit of requiring no calls to the RPO permutation when hashing empty input.

Implementations

impl Rpo256

pub const NUM_ROUNDS: usize = 7usize

The number of rounds is set to 7 to target 128-bit security level.

pub const STATE_WIDTH: usize = 12usize

Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and the remaining 4 elements are reserved for capacity.

pub const RATE_RANGE: Range<usize> = RATE_RANGE

The rate portion of the state is located in elements 4 through 11 (inclusive).

pub const CAPACITY_RANGE: Range<usize> = CAPACITY_RANGE

The capacity portion of the state is located in elements 0, 1, 2, and 3.

pub const DIGEST_RANGE: Range<usize> = DIGEST_RANGE

The output of the hash function can be read from state elements 4, 5, 6, and 7.

pub const MDS: [[BaseElement; 12]; 12] = MDS

MDS matrix used for computing the linear layer in a RPO round.

pub const ARK1: [[BaseElement; 12]; 7] = ARK1

Round constants added to the hasher state in the first half of the RPO round.

pub const ARK2: [[BaseElement; 12]; 7] = ARK2

Round constants added to the hasher state in the second half of the RPO round.

pub fn hash(bytes: &[u8]) -> Word

Returns a hash of the provided sequence of bytes.

pub fn merge(values: &[Word; 2]) -> Word

Returns a hash of two digests. This method is intended for use in construction of Merkle trees and verification of Merkle paths.

pub fn hash_elements<E>(elements: &[E]) -> Word

where E: FieldElement<BaseField = BaseElement>,

Returns a hash of the provided field elements.

pub fn merge_in_domain(values: &[Word; 2], domain: BaseElement) -> Word

Returns a hash of two digests and a domain identifier.

pub fn apply_permutation(state: &mut [BaseElement; 12])

Applies RPO permutation to the provided state.

pub fn apply_round(state: &mut [BaseElement; 12], round: usize)

RPO round function.

Trait Implementations

impl Clone for Rpo256

fn clone(&self) -> Rpo256

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Rpo256

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl ElementHasher for Rpo256

type BaseField = BaseElement

Specifies a base field for elements which can be hashed with this hasher.

fn hash_elements<E>(elements: &[E]) -> <Rpo256 as Hasher>::Digest

where E: FieldElement<BaseField = <Rpo256 as ElementHasher>::BaseField>,

Returns a hash of the provided field elements.

impl Hasher for Rpo256

const COLLISION_RESISTANCE: u32 = 128u32

Rpo256 collision resistance is 128-bits.

type Digest = Word

Specifies a digest type returned by this hasher.

fn hash(bytes: &[u8]) -> <Rpo256 as Hasher>::Digest

Returns a hash of the provided sequence of bytes.

fn merge(values: &[<Rpo256 as Hasher>::Digest; 2]) -> <Rpo256 as Hasher>::Digest

Returns a hash of two digests. This method is intended for use in construction of Merkle trees.

fn merge_many( values: &[<Rpo256 as Hasher>::Digest], ) -> <Rpo256 as Hasher>::Digest

Returns a hash of many digests.

fn merge_with_int( seed: <Rpo256 as Hasher>::Digest, value: u64, ) -> <Rpo256 as Hasher>::Digest

Returns hash(seed || value). This method is intended for use in PRNG and PoW contexts.

impl PartialEq for Rpo256

fn eq(&self, other: &Rpo256) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Copy for Rpo256

impl Eq for Rpo256

impl StructuralPartialEq for Rpo256