SHA-256 hash function (FIPS 180-4).
256-bit output, 512-bit (64-byte) blocks, Merkle-Damgård
construction with the standard Ch / Maj / Σ₀ / Σ₁ /
σ₀ / σ₁ round mixers.
§Side-channel posture
As an unkeyed hash, SHA-256 is not itself sensitive to side-channel analysis (SCA): it has no secret input. The compression function is constant-time (CT) by construction: fixed-iteration loop, constant rotations / shifts, no table lookups indexed by secret-derived values.
As a keyed primitive consumed by HMAC, RFC 6979 HMAC-DRBG,
or RSA-PSS / OAEP MGF1, the same compression function carries
a secret into its internal state and becomes vulnerable to
the carry-based DPA result of belenky2023_cdpa_hmac_sha2
(TCHES 2023/3) — any arithmetic-addition-based hash leaks the
key in 30 K – 275 K traces. Roadmap item T2-D (see
arcana/doc/sca/countermeasures/hmac.rst) ships a
MaskedSha256 variant behind the sca-protected feature.
Structs§
- Sha256
- SHA-256 hasher (FIPS 180-4). 256-bit output, 64-byte blocks.