Struct miden_crypto::hash::rpo::Rpo256
source · pub struct Rpo256(/* private fields */);
Expand description
Implementation of the Rescue Prime Optimized hash function with 256-bit output.
The hash function is implemented according to the Rescue Prime Optimized specifications
The parameters used to instantiate the function are:
- Field: 64-bit prime field with modulus 2^64 - 2^32 + 1.
- State width: 12 field elements.
- Capacity size: 4 field elements.
- Number of founds: 7.
- S-Box degree: 7.
The above parameters target 128-bit security level. The digest consists of four field elements and it can be serialized into 32 bytes (256 bits).
Hash output consistency
Functions hash_elements(), merge(), and merge_with_int() are internally consistent. That is, computing a hash for the same set of elements using these functions will always produce the same result. For example, merging two digests using merge() will produce the same result as hashing 8 elements which make up these digests using hash_elements() function.
However, hash() function is not consistent with functions mentioned above. For example, if we take two field elements, serialize them to bytes and hash them using hash(), the result will differ from the result obtained by hashing these elements directly using hash_elements() function. The reason for this difference is that hash() function needs to be able to handle arbitrary binary strings, which may or may not encode valid field elements - and thus, deserialization procedure used by this function is different from the procedure used to deserialize valid field elements.
Thus, if the underlying data consists of valid field elements, it might make more sense to deserialize them into field elements and then hash them using hash_elements() function rather then hashing the serialized bytes using hash() function.
Implementations§
source§impl Rpo256
impl Rpo256
sourcepub const NUM_ROUNDS: usize = 7usize
pub const NUM_ROUNDS: usize = 7usize
The number of rounds is set to 7 to target 128-bit security level.
sourcepub const STATE_WIDTH: usize = 12usize
pub const STATE_WIDTH: usize = 12usize
Sponge state is set to 12 field elements or 768 bytes; 8 elements are reserved for rate and the remaining 4 elements are reserved for capacity.
sourcepub const RATE_RANGE: Range<usize> = RATE_RANGE
pub const RATE_RANGE: Range<usize> = RATE_RANGE
The rate portion of the state is located in elements 4 through 11 (inclusive).
sourcepub const CAPACITY_RANGE: Range<usize> = CAPACITY_RANGE
pub const CAPACITY_RANGE: Range<usize> = CAPACITY_RANGE
The capacity portion of the state is located in elements 0, 1, 2, and 3.
sourcepub const DIGEST_RANGE: Range<usize> = DIGEST_RANGE
pub const DIGEST_RANGE: Range<usize> = DIGEST_RANGE
The output of the hash function can be read from state elements 4, 5, 6, and 7.
sourcepub const MDS: [[Felt; 12]; 12] = MDS
pub const MDS: [[Felt; 12]; 12] = MDS
MDS matrix used for computing the linear layer in a RPO round.
sourcepub const ARK1: [[Felt; 12]; 7] = ARK1
pub const ARK1: [[Felt; 12]; 7] = ARK1
Round constants added to the hasher state in the first half of the RPO round.
sourcepub const ARK2: [[Felt; 12]; 7] = ARK2
pub const ARK2: [[Felt; 12]; 7] = ARK2
Round constants added to the hasher state in the second half of the RPO round.
sourcepub fn merge(values: &[RpoDigest; 2]) -> RpoDigest
pub fn merge(values: &[RpoDigest; 2]) -> RpoDigest
Returns a hash of two digests. This method is intended for use in construction of Merkle trees and verification of Merkle paths.
sourcepub fn hash_elements<E: FieldElement<BaseField = Felt>>(
elements: &[E]
) -> RpoDigest
pub fn hash_elements<E: FieldElement<BaseField = Felt>>( elements: &[E] ) -> RpoDigest
Returns a hash of the provided field elements.
sourcepub fn merge_in_domain(values: &[RpoDigest; 2], domain: Felt) -> RpoDigest
pub fn merge_in_domain(values: &[RpoDigest; 2], domain: Felt) -> RpoDigest
Returns a hash of two digests and a domain identifier.
sourcepub fn apply_permutation(state: &mut [Felt; 12])
pub fn apply_permutation(state: &mut [Felt; 12])
Applies RPO permutation to the provided state.
sourcepub fn apply_round(state: &mut [Felt; 12], round: usize)
pub fn apply_round(state: &mut [Felt; 12], round: usize)
RPO round function.
Trait Implementations§
source§impl ElementHasher for Rpo256
impl ElementHasher for Rpo256
§type BaseField = BaseElement
type BaseField = BaseElement
source§fn hash_elements<E: FieldElement<BaseField = Self::BaseField>>(
elements: &[E]
) -> Self::Digest
fn hash_elements<E: FieldElement<BaseField = Self::BaseField>>( elements: &[E] ) -> Self::Digest
source§impl Hasher for Rpo256
impl Hasher for Rpo256
source§const COLLISION_RESISTANCE: u32 = 128u32
const COLLISION_RESISTANCE: u32 = 128u32
Rpo256 collision resistance is the same as the security level, that is 128-bits.
Collision resistance
However, our setup of the capacity registers might drop it to 126.
Related issue: #69