std::hash::Hasher can be derived for structs and is a standard hashing interface in rust. The standard interface only allows 64bit outputs but there's nothing stopping extra outpust tailored to specific hashes. So for ergonomic purposes wouldn't it make sense to have an adapter to allow using the Hasher API?

[This is a very large change which I haven't discussed with anyone yet, so I'm not sure it's the right choice for the project. But hopefully this is a good starting point for discussion.]

This is mostly a large performance improvement. The BLAKE2b bench_10000 case is improved by about 30%. This implementation also detects SIMD support at runtime, so the feature flags related to SIMD support are removed.

The only performance loss is in the bench_10 cases, where the caller repeatedly feeds input slices less than one block long. The BLAKE2s bench_10 case is almost 20% slower. I'm not sure exactly why, but this implementation optimizes for avoiding copies on long runs of input, so it might just be that it's doing more math up front. This performance issue disappears if the inputs are a full block or longer.

The only API consequence of this change is that the undocumented with_parameter_block constructor is no longer supported. Callers who need other parameters might prefer to use the blake2b_simd/blake2s_simd APIs directly, which expose them in a safer way through a Params object.

Sha3's shake mode should provides variable length output determined at runtime, but it's currently a user defined type level numeric. I'd think the OutputSize type of the Digest trait should be replaced by a Output type to fix this, but I have no looked into doing it.

It would be handy to have some access to internals of e.g. SHA256/512, Blake2 family and Sha3 family to be able to manually update a state by "absorbing" a proper rate in every case. All hash families named above anyway follow a logic that some internal state is updated by processing potentially >1 round, but each round only a fixed amount of bytes is processed.

To clarify - such trait can even be made "unsafe" as the caller would be responsible to:

• somehow create an "empty" state (that would be great to have as a part of the trait if "raw" internal state is not pub. By "raw" I mean e.g. 512 bits of internal state of Sha256 without any extra information such as what length was processed before this point, etc)
• call "round function" as many times as necessary, ideally using [u8; RATE] as an input, but in principle for e.g. Sha3 family [u64; RATE_IN_WORDS] may be ok. For whatever reason caller uses such a functionality, he would have to take care of all the paddings!
• take a "state" and either provide some as_ref() for it to be able to take inner information to produce a final hash value manually (caller is 100% responsible) or (more convenient, but more work and a lot of diversities here) have some "into_hash(state)" function that would produce a hash from the state (functions with extendable output are out of the scope of this feature request, so it's kind of expected that final state will be used only once)

It may be possible to use some feature flags, and e.g. just expose a raw "compress" function for sha256 and do it all by hands (not sure about other families if their internals are exposed to the necessary degree under feature flags), but consistent way for cases where such workflow is possible would be great (and will allow to avoid forking and butchering a crate to just add more pub)

This partly addresses issue #13.

This RIPEMD-320 implementation is based on the existing RIPEMD-160 implementation. It would be possible and relatively easy to refactor code to avoid so much duplication, but making this a separate crate breaks less code and makes it easy to add.

RIPEMD-160 and RIPEMD-320 also share a similar relationship as RIPEMD-128 and RIPEMD-256 do. A quick diff between RIPEMD-160 and RIPEMD-320 implementations should be useful anyone writing RIPEMD-128/256.

I don't know if that's OK with regard to the conventions in place, but in the tests I drew some samples from the RIPEMD-160 webpage[1] that describes expected hashes for some strings.

Also, I have uploaded a 0.8.0-rc1 version to crates.io (under the name ripemd320). If/when you can merge this into master and publish, please ping me so I can give you access and optionally yank the rc1.

[1] https://homes.esat.kuleuven.be/~bosselae/ripemd160.html

Currently, this results in a value of GenericArray<u8, _>:

let input = String::from("hello");

let mut hasher = Sha512::new();
hasher.update(input);
let hash_result = hasher.finalize();

However, what I need is not a byte array but a String as output. I tried converting it with std::str::from_utf8(&hash_result[..]) but that errors out with Err(Utf8Error { valid_up_to: 0, error_len: Some(1) }) as an error value. This seems weird to me since the hash should be a hexadecimal string, but that's what I observed.

How can I get a valid UTF-8 string from hash_result?

It looks like some crates want a D: Digest<OutputSize = U64> + Default as an argument to what hash to use, so that VarBlake2b is not very useful on it's own. Eg. https://github.com/dalek-cryptography/ed25519-dalek/issues/59

I could write my own wrapper, but if I need it, other people will, too.

@mitsuhiko has kindly transferred ownership of sha1 to us, so now we can publish our implementation under it instead of using sha-1.

For user convenience, we will skip v0.7-v0.9 and will release sha1 v0.10.0, so the version will be synchronized with sha-1. I plan to continue releasing v0.10.x patch versions for sha-1 in parallel with sha1 and deprecate it only after sha1 v0.11 will be released.

This is not optimal yet when processing multiple blocks, but it does give a considerable speedup over the non intrinsic version already

Measurements were taken on an AMD Ryzen 7 3700X 8-Core.

Baseline

test bench1_10    ... bench:          36 ns/iter (+/- 0) = 277 MB/s
test bench2_100   ... bench:         314 ns/iter (+/- 4) = 318 MB/s
test bench3_1000  ... bench:       3,096 ns/iter (+/- 16) = 322 MB/s
test bench4_10000 ... bench:      30,935 ns/iter (+/- 297) = 323 MB/s

With asm-hashes

test bench1_10    ... bench:          33 ns/iter (+/- 0) = 303 MB/s
test bench2_100   ... bench:         291 ns/iter (+/- 1) = 343 MB/s
test bench3_1000  ... bench:       2,863 ns/iter (+/- 14) = 349 MB/s
test bench4_10000 ... bench:      28,597 ns/iter (+/- 191) = 349 MB/s

With Intrinsics

test bench1_10    ... bench:           8 ns/iter (+/- 0) = 1250 MB/s
test bench2_100   ... bench:          54 ns/iter (+/- 0) = 1851 MB/s
test bench3_1000  ... bench:         511 ns/iter (+/- 8) = 1956 MB/s
test bench4_10000 ... bench:       5,079 ns/iter (+/- 29) = 1968 MB/s

Hey, I'm very new to Rust so I apologize if this turns out to be a language misunderstanding rather than a package issue...

I'm trying to dynamically create instances of algorithm structs that implement the Digest trait, hold on to them using a Box<Digest>, and interact with them via the Digest interface.

In other words, something like this:

let hasher = match "one of the algorithms" {
    "sha256" => Box::new(Sha256::new()) as Box<Digest>,
    "sha512" => Box::new(Sha512::new()) as Box<Digest>
    // ... etc
};

I sort of get why that doesn't work (missing associated types), but even if I fill those in like:

"sha256" => Box::new(Sha256::new()) as Box<Digest<<OutputSize=U32, BlockSize=U64>>>,

I'm still left with an error: the trait 'digest::Digest' cannot be made into an object.

After poking around it seemed like this might be because of the way Digest was implemented? Looking at the docs it doesn't seem to have any static methods, but maybe it does or there's something else I'm missing?

Again, sorry to bother you with this!

Sacundim in his feedback on the reddit proposed to use instead of VariableOutput the following traits:

• ExtendableOutput for functions like SHAKE from SHA-3, which allow to "read" indefinitely from the result
• VariableOutput for functions like Groestl, which have some limits on the output size and may require output size to be known at state initalization

Also @burdges proposed to move out BlockSize from the Input trait to a separate one.

For someone new to the ecosystem it might be hard to tell how to use a... For example, sha3::Keccak256 (https://docs.rs/sha3/latest/sha3/type.Keccak256.html), it's just a type alias with no real info about what it is (other than some nebulous "hasher state") or how to use it. I'd recommend linking to the Digest trait in the docs as a way of explaining "how to use it"

Additionally (if I should move this to a separate issue, let me know and I will do so) I would recommend an example specifically showing how to sha3::Keccak256::digest(b"a message") in one go. Finally, the example(s) that use update should add more than one message. This would be so that show new user why you would use new and then update rather than digest ("because you can add more than one thing").

I would be willing to create the examples / documentation if this would be agreeable

I ran blake2 tests with and without simd feature enabled and found that behavior is strange and doesn't make a lot of sense.

Default (no simd):

$ cargo +nightly bench
...
running 8 tests
test blake2b512_10    ... bench:           8 ns/iter (+/- 0) = 1250 MB/s
test blake2b512_100   ... bench:          74 ns/iter (+/- 4) = 1351 MB/s
test blake2b512_1000  ... bench:         708 ns/iter (+/- 85) = 1412 MB/s
test blake2b512_10000 ... bench:       7,005 ns/iter (+/- 531) = 1427 MB/s
test blake2s256_10    ... bench:          13 ns/iter (+/- 0) = 769 MB/s
test blake2s256_100   ... bench:         121 ns/iter (+/- 7) = 826 MB/s
test blake2s256_1000  ... bench:       1,155 ns/iter (+/- 62) = 865 MB/s
test blake2s256_10000 ... bench:      11,791 ns/iter (+/- 1,005) = 848 MB/s

test result: ok. 0 passed; 0 failed; 0 ignored; 8 measured; 0 filtered out; finished in 28.22s

Simd:

$ cargo +nightly bench --features simd
...
running 8 tests
test blake2b512_10    ... bench:          11 ns/iter (+/- 0) = 909 MB/s
test blake2b512_100   ... bench:         102 ns/iter (+/- 0) = 980 MB/s
test blake2b512_1000  ... bench:       1,010 ns/iter (+/- 11) = 990 MB/s
test blake2b512_10000 ... bench:      10,076 ns/iter (+/- 68) = 992 MB/s
test blake2s256_10    ... bench:          16 ns/iter (+/- 0) = 625 MB/s
test blake2s256_100   ... bench:         152 ns/iter (+/- 1) = 657 MB/s
test blake2s256_1000  ... bench:       1,483 ns/iter (+/- 12) = 674 MB/s
test blake2s256_10000 ... bench:      14,750 ns/iter (+/- 344) = 677 MB/s

test result: ok. 0 passed; 0 failed; 0 ignored; 8 measured; 0 filtered out; finished in 2.43s

I expected simd version to produce better results and judging by the total execution time it is the case, but throughput reported by the benchmark says the opposite.

I suspect something is wrong with benchmarking code.

Using latest master (cc523733e5ba84b5a366825a7d1150bbbfea368b right now) and rustc 1.65.0-nightly (20ffea693 2022-08-11).

Not sure if this is a feature request or a question...

I was previously using the blake2-rfc crate and now I want to migrate to the blake2 crate. However previously I was using the Blake2b::with_key constructor (as per https://docs.rs/blake2-rfc/0.2.18/blake2_rfc/blake2b/struct.Blake2b.html#method.with_key) and I can't seem to find the proper equivalent in case of the blake2 crate.

There seems to exist Blake2bVarCore::new_with_params (as per https://docs.rs/blake2/0.10.2/blake2/struct.Blake2bVarCore.html#method.new_with_params), however I can't seem to convert that into a Blake2bVar (which I need to get variable hash output).

Based on the current blake2b implementation, it seems I should be able to just replace the core member of the Blake2bVar with the Blake2bVarCore instance, which indeed works if I "hack my way" by using pointers. However there is no "official" (as per the public API) way of doing this.

A simple From implementation, or even an unsafe constructor that takes a Blake2bVarCore and yields a Blake2bVar would seem to suffice.

The k12 crate had its own keccak-p permutation implementation. With https://github.com/RustCrypto/sponges/pull/7 a generic keccak-p implementation would be available, which could be used within the k12 crate.

Depends on

• [ ] https://github.com/RustCrypto/sponges/pull/7
• [ ] and a new release of the keccak crate ;)