ascon-hash256: refactor code and split XOF into ascon-xof128 crate

.github/workflows/publish.yml

@@ -3,6 +3,7 @@ on:
   push:
     tags: [
       'ascon-hash256-v*',
+      'ascon-xof128-v*',
       'bash-hash-v*',
       'belt-hash-v*',
       'blake2-v*',

Cargo.toml

@@ -2,6 +2,7 @@
 resolver = "3"
 members = [
     "ascon-hash256",
+    "ascon-xof128",
     "bash-hash",
     "belt-hash",
     "blake2",

README.md

@@ -17,7 +17,8 @@ easily used for bare-metal or WebAssembly programming by disabling default crate
 
 | Algorithm | Crate | Crates.io | Documentation | MSRV | [Security] |
 |-----------|-------|:---------:|:-------------:|:----:|:----------:|
-| [Ascon] hash | [`ascon‑hash256`] | [![crates.io](https://img.shields.io/crates/v/ascon-hash256.svg)](https://crates.io/crates/ascon-hash256) | [![Documentation](https://docs.rs/ascon-hash256/badge.svg)](https://docs.rs/ascon-hash256) | 1.85 | :green_heart: |
+| [Ascon-Hash256] | [`ascon-hash256`] | [![crates.io](https://img.shields.io/crates/v/ascon-hash256.svg)](https://crates.io/crates/ascon-hash256) | [![Documentation](https://docs.rs/ascon-hash256/badge.svg)](https://docs.rs/ascon-hash256) | 1.85 | :green_heart: |
+| [Ascon-XOF128] | [`ascon-xof128`] | [![crates.io](https://img.shields.io/crates/v/ascon-xof128.svg)](https://crates.io/crates/ascon-xof128) | [![Documentation](https://docs.rs/ascon-xof128/badge.svg)](https://docs.rs/ascon-xof128) | 1.85 | :green_heart: |
 | [Bash] hash | [`bash‑hash`] | [![crates.io](https://img.shields.io/crates/v/bash-hash.svg)](https://crates.io/crates/bash-hash) | [![Documentation](https://docs.rs/bash-hash/badge.svg)](https://docs.rs/bash-hash) | 1.85 | :green_heart: |
 | [BelT] hash | [`belt‑hash`] | [![crates.io](https://img.shields.io/crates/v/belt-hash.svg)](https://crates.io/crates/belt-hash) | [![Documentation](https://docs.rs/belt-hash/badge.svg)](https://docs.rs/belt-hash) | 1.85 | :green_heart: |
 | [BLAKE2] | [`blake2`] | [![crates.io](https://img.shields.io/crates/v/blake2.svg)](https://crates.io/crates/blake2) | [![Documentation](https://docs.rs/blake2/badge.svg)](https://docs.rs/blake2) | 1.85 | :green_heart: |
@@ -93,6 +94,7 @@ Unless you explicitly state otherwise, any contribution intentionally submitted
 [//]: # (crates)
 
 [`ascon‑hash256`]: ./ascon-hash256
+[`ascon‑xof128`]: ./ascon-xof128
 [`bash‑hash`]: ./bash-hash
 [`belt‑hash`]: ./belt-hash
 [`blake2`]: ./blake2
@@ -138,7 +140,8 @@ Unless you explicitly state otherwise, any contribution intentionally submitted
 
 [//]: # (algorithms)
 
-[Ascon]: https://ascon.iaik.tugraz.at
+[Ascon-Hash256]: https://doi.org/10.6028/NIST.SP.800-232.ipd
+[Ascon-Xof128]: https://doi.org/10.6028/NIST.SP.800-232.ipd
 [Bash]: https://apmi.bsu.by/assets/files/std/bash-spec241.pdf
 [BelT]: https://ru.wikipedia.org/wiki/BelT
 [BLAKE2]: https://en.wikipedia.org/wiki/BLAKE_(hash_function)#BLAKE2

ascon-hash256/CHANGELOG.md

@@ -2,4 +2,9 @@
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## 0.1.0 (UNRELEASED)
+- Initial release ([#841])
+
+[#841]: https://github.com/RustCrypto/hashes/pull/841

ascon-hash256/Cargo.toml

@@ -14,17 +14,16 @@ description = "Implementation of Ascon-Hash256 and Ascon-XOF256"
 
 [dependencies]
 digest = "0.11"
-ascon = { version = "0.5.0-rc.0", default-features = false }
+ascon = "0.5"
 
 [dev-dependencies]
-spectral = { version = "0.6", default-features = false }
-hex = "0.4"
+digest = { version = "0.11", features = ["dev"] }
 hex-literal = "1"
 
 [features]
 default = ["alloc"]
 alloc = ["digest/alloc"]
-zeroize = ["ascon/zeroize", "digest/zeroize"]
+zeroize = ["digest/zeroize"]
 
 [package.metadata.docs.rs]
 all-features = true

ascon-hash256/LICENSE-MIT

@@ -1,5 +1,4 @@
-Copyright (c) 2023-2026 The RustCrypto Project Developers
-Copyright (c) 2022-2023 Sebastian Ramacher <sebastian.ramacher@ait.ac.at>
+Copyright (c) 2026 The RustCrypto Project Developers
 
 Permission is hereby granted, free of charge, to any
 person obtaining a copy of this software and associated

ascon-hash256/README.md

@@ -1,4 +1,4 @@
-# RustCrypto: Ascon-Hash256 and Ascon-XOF128
+# RustCrypto: Ascon-Hash256
 
 [![crate][crate-image]][crate-link]
 [![Docs][docs-image]][docs-link]
@@ -7,17 +7,10 @@
 ![Rust Version][rustc-image]
 [![Project Chat][chat-image]][chat-link]
 
-Pure Rust implementation of the lightweight cryptographic hash function [Ascon-Hash256][1] and the
-extendable output functions (XOF) Ascon-XOF128.
-
-## Security Notes
-
-No security audits of this crate have ever been performed.
-
-USE AT YOUR OWN RISK!
+Pure Rust implementation of the [Ascon-Hash256] cryptographic hash function.
 
 ## Examples
-Fixed output size hashing:
+
 ```rust
 use ascon_hash256::{AsconHash256, Digest};
 use hex_literal::hex;
@@ -29,19 +22,6 @@ let hash = hasher.finalize();
 assert_eq!(hash, hex!("e909c2f6da9cb3028423265c8f23fc2d26bfc0f3db704683ef16b787a945ed68"));
 ```
 
-XOF hashing:
-```rust
-use ascon_hash256::{AsconXof128, ExtendableOutput, Update, XofReader};
-use hex_literal::hex;
-
-let mut xof = AsconXof128::default();
-xof.update(b"some bytes");
-let mut reader = xof.finalize_xof();
-let mut dst = [0u8; 5];
-reader.read(&mut dst);
-assert_eq!(dst, hex!("8c7dd114a0"));
-```
-
 See the [`digest`] crate docs for additional examples.
 
 ## License
@@ -74,5 +54,5 @@ dual licensed as above, without any additional terms or conditions.
 
 [//]: # (general links)
 
-[1]: https://doi.org/10.6028/NIST.SP.800-232.ipd
+[Ascon-Hash256]: https://doi.org/10.6028/NIST.SP.800-232.ipd
 [`digest`]: https://docs.rs/digest

ascon-hash256/benches/mod.rs

@@ -0,0 +1,13 @@
+#![feature(test)]
+extern crate test;
+
+use digest::bench_update;
+use test::Bencher;
+
+bench_update!(
+    ascon_hash256::AsconHash256::default();
+    ascon_hash256_10 10;
+    ascon_hash256_100 100;
+    ascon_hash256_1000 1000;
+    ascon_hash256_10000 10000;
+);

ascon-hash256/src/block_api.rs

@@ -0,0 +1,130 @@
+use ascon::State;
+use digest::{
+    HashMarker, Output, OutputSizeUser, Reset,
+    block_api::{
+        AlgorithmName, Block, BlockSizeUser, Buffer, BufferKindUser, Eager, FixedOutputCore,
+        UpdateCore,
+    },
+    common::hazmat::{DeserializeStateError, SerializableState, SerializedState},
+    consts::{U8, U32, U40},
+};
+
+const IV: u64 = 0x0000_0801_00CC_0002;
+
+/// Initial state of Ascon-Hash256
+const INIT_STATE: State = {
+    let mut state = [IV, 0, 0, 0, 0];
+    ascon::permute12(&mut state);
+    state
+};
+
+/// Ascon-Hash256 block-level hasher
+#[derive(Clone, Debug)]
+pub struct AsconHash256Core {
+    state: State,
+}
+
+impl Default for AsconHash256Core {
+    #[inline]
+    fn default() -> Self {
+        Self { state: INIT_STATE }
+    }
+}
+
+impl HashMarker for AsconHash256Core {}
+
+impl BlockSizeUser for AsconHash256Core {
+    type BlockSize = U8;
+}
+
+impl BufferKindUser for AsconHash256Core {
+    type BufferKind = Eager;
+}
+
+impl OutputSizeUser for AsconHash256Core {
+    type OutputSize = U32;
+}
+
+impl UpdateCore for AsconHash256Core {
+    #[inline]
+    fn update_blocks(&mut self, blocks: &[Block<Self>]) {
+        for block in blocks {
+            self.state[0] ^= u64::from_le_bytes(block.0);
+            ascon::permute12(&mut self.state);
+        }
+    }
+}
+
+impl FixedOutputCore for AsconHash256Core {
+    #[inline]
+    fn finalize_fixed_core(&mut self, buffer: &mut Buffer<Self>, out: &mut Output<Self>) {
+        let len = buffer.get_pos();
+        let last_block = buffer.pad_with_zeros();
+        let pad = 1u64 << (8 * len);
+        self.state[0] ^= u64::from_le_bytes(last_block.0) ^ pad;
+
+        ascon::permute12(&mut self.state);
+
+        let mut chunks = out.chunks_exact_mut(size_of::<u64>());
+        for chunk in &mut chunks {
+            chunk.copy_from_slice(&self.state[0].to_le_bytes());
+            ascon::permute12(&mut self.state);
+        }
+        assert!(chunks.into_remainder().is_empty());
+    }
+}
+
+impl Reset for AsconHash256Core {
+    #[inline]
+    fn reset(&mut self) {
+        self.state = INIT_STATE;
+    }
+}
+
+impl AlgorithmName for AsconHash256Core {
+    #[inline]
+    fn write_alg_name(f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        f.write_str("Ascon-Hash256")
+    }
+}
+
+impl SerializableState for AsconHash256Core {
+    type SerializedStateSize = U40;
+
+    #[inline]
+    fn serialize(&self) -> SerializedState<Self> {
+        let mut res = SerializedState::<Self>::default();
+        let mut chunks = res.chunks_exact_mut(size_of::<u64>());
+        for (src, dst) in self.state.iter().zip(&mut chunks) {
+            dst.copy_from_slice(&src.to_le_bytes());
+        }
+        assert!(chunks.into_remainder().is_empty());
+        res
+    }
+
+    #[inline]
+    fn deserialize(
+        serialized_state: &SerializedState<Self>,
+    ) -> Result<Self, DeserializeStateError> {
+        let state = core::array::from_fn(|i| {
+            let n = size_of::<u64>();
+            let chunk = &serialized_state[n * i..][..n];
+            u64::from_le_bytes(chunk.try_into().expect("chunk has correct length"))
+        });
+        Ok(Self { state })
+    }
+}
+
+impl Drop for AsconHash256Core {
+    #[inline]
+    fn drop(&mut self) {
+        #[cfg(feature = "zeroize")]
+        {
+            use digest::zeroize::Zeroize;
+            self.state.zeroize()
+        }
+    }
+}
+
+#[cfg(feature = "zeroize")]
+impl digest::zeroize::ZeroizeOnDrop for AsconHash256Core {}