pub struct Rpx256();
Expand description
Implementation of the Rescue Prime eXtension hash function with 256-bit output.
The hash function is based on the XHash12 construction in specifications
The parameters used to instantiate the function are:
- Field: 64-bit prime field with modulus 2^64 - 2^32 + 1.
- State width: 12 field elements.
- Capacity size: 4 field elements.
- S-Box degree: 7.
- Rounds: There are 3 different types of rounds:
- (FB):
apply_mds
→add_constants
→apply_sbox
→apply_mds
→add_constants
→apply_inv_sbox
. - (E):
add_constants
→ext_sbox
(which is raising to power 7 in the degree 3 extension field). - (M):
apply_mds
→add_constants
.
- Permutation: (FB) (E) (FB) (E) (FB) (E) (M).
The above parameters target a 128-bit security level. The digest consists of four field elements and it can be serialized into 32 bytes (256 bits).
§Hash output consistency
Functions hash_elements(), merge(), and merge_with_int() are internally consistent. That is, computing a hash for the same set of elements using these functions will always produce the same result. For example, merging two digests using merge() will produce the same result as hashing 8 elements which make up these digests using hash_elements() function.
However, hash() function is not consistent with functions mentioned above. For example, if we take two field elements, serialize them to bytes and hash them using hash(), the result will differ from the result obtained by hashing these elements directly using hash_elements() function. The reason for this difference is that hash() function needs to be able to handle arbitrary binary strings, which may or may not encode valid field elements - and thus, deserialization procedure used by this function is different from the procedure used to deserialize valid field elements.
Thus, if the underlying data consists of valid field elements, it might make more sense to deserialize them into field elements and then hash them using hash_elements() function rather than hashing the serialized bytes using hash() function.
§Domain separation
merge_in_domain() hashes two digests into one digest with some domain identifier and the current implementation sets the second capacity element to the value of this domain identifier. Using a similar argument to the one formulated for domain separation in Appendix C of the specifications, one sees that doing so degrades only pre-image resistance, from its initial bound of c.log_2(p), by as much as the log_2 of the size of the domain identifier space. Since pre-image resistance becomes the bottleneck for the security bound of the sponge in overwrite-mode only when it is lower than 2^128, we see that the target 128-bit security level is maintained as long as the size of the domain identifier space, including for padding, is less than 2^128.
§Hashing of empty input
The current implementation hashes empty input to the zero digest [0, 0, 0, 0]. This has the benefit of requiring no calls to the RPX permutation when hashing empty input.
Implementations§
source§impl Rpx256
impl Rpx256
sourcepub const STATE_WIDTH: usize = 12usize
pub const STATE_WIDTH: usize = 12usize
Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and the remaining 4 elements are reserved for capacity.
sourcepub const RATE_RANGE: Range<usize> = RATE_RANGE
pub const RATE_RANGE: Range<usize> = RATE_RANGE
The rate portion of the state is located in elements 4 through 11 (inclusive).
sourcepub const CAPACITY_RANGE: Range<usize> = CAPACITY_RANGE
pub const CAPACITY_RANGE: Range<usize> = CAPACITY_RANGE
The capacity portion of the state is located in elements 0, 1, 2, and 3.
sourcepub const DIGEST_RANGE: Range<usize> = DIGEST_RANGE
pub const DIGEST_RANGE: Range<usize> = DIGEST_RANGE
The output of the hash function can be read from state elements 4, 5, 6, and 7.
sourcepub const MDS: [[Felt; 12]; 12] = MDS
pub const MDS: [[Felt; 12]; 12] = MDS
MDS matrix used for computing the linear layer in the (FB) and (E) rounds.
sourcepub const ARK1: [[Felt; 12]; 7] = ARK1
pub const ARK1: [[Felt; 12]; 7] = ARK1
Round constants added to the hasher state in the first half of the round.
sourcepub const ARK2: [[Felt; 12]; 7] = ARK2
pub const ARK2: [[Felt; 12]; 7] = ARK2
Round constants added to the hasher state in the second half of the round.
sourcepub fn merge(values: &[RpxDigest; 2]) -> RpxDigest
pub fn merge(values: &[RpxDigest; 2]) -> RpxDigest
Returns a hash of two digests. This method is intended for use in construction of Merkle trees and verification of Merkle paths.
sourcepub fn hash_elements<E: FieldElement<BaseField = Felt>>(
elements: &[E],
) -> RpxDigest
pub fn hash_elements<E: FieldElement<BaseField = Felt>>( elements: &[E], ) -> RpxDigest
Returns a hash of the provided field elements.
sourcepub fn merge_in_domain(values: &[RpxDigest; 2], domain: Felt) -> RpxDigest
pub fn merge_in_domain(values: &[RpxDigest; 2], domain: Felt) -> RpxDigest
Returns a hash of two digests and a domain identifier.
sourcepub fn apply_permutation(state: &mut [Felt; 12])
pub fn apply_permutation(state: &mut [Felt; 12])
Applies RPX permutation to the provided state.
sourcepub fn apply_fb_round(state: &mut [Felt; 12], round: usize)
pub fn apply_fb_round(state: &mut [Felt; 12], round: usize)
(FB) round function.
sourcepub fn apply_ext_round(state: &mut [Felt; 12], round: usize)
pub fn apply_ext_round(state: &mut [Felt; 12], round: usize)
(E) round function.
sourcepub fn apply_final_round(state: &mut [Felt; 12], round: usize)
pub fn apply_final_round(state: &mut [Felt; 12], round: usize)
(M) round function.
sourcepub fn exp7(x: CubeExtension<Felt>) -> CubeExtension<Felt>
pub fn exp7(x: CubeExtension<Felt>) -> CubeExtension<Felt>
Computes an exponentiation to the power 7 in cubic extension field.
Trait Implementations§
source§impl ElementHasher for Rpx256
impl ElementHasher for Rpx256
source§type BaseField = BaseElement
type BaseField = BaseElement
source§fn hash_elements<E: FieldElement<BaseField = Self::BaseField>>(
elements: &[E],
) -> Self::Digest
fn hash_elements<E: FieldElement<BaseField = Self::BaseField>>( elements: &[E], ) -> Self::Digest
source§impl Hasher for Rpx256
impl Hasher for Rpx256
impl Copy for Rpx256
impl Eq for Rpx256
impl StructuralPartialEq for Rpx256
Auto Trait Implementations§
impl Freeze for Rpx256
impl RefUnwindSafe for Rpx256
impl Send for Rpx256
impl Sync for Rpx256
impl Unpin for Rpx256
impl UnwindSafe for Rpx256
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
source§unsafe fn clone_to_uninit(&self, dst: *mut T)
unsafe fn clone_to_uninit(&self, dst: *mut T)
clone_to_uninit
)