SHA-512 hash function (FIPS 180-4).
512-bit output, 1024-bit (128-byte) blocks, operates on 64-bit
words. Same Merkle-Damgård / round-mixer structure as
super::sha256, with 80 rounds and 64-bit additions
throughout.
§Side-channel posture
Unkeyed → not SCA-sensitive. Same CDPA caveat as SHA-256
when consumed by Ed25519 nonce derivation (r = H(prefix ‖ M) mod ℓ), HMAC-SHA-512, or RFC 6979 HMAC-DRBG-512:
the carry chain inside each 64-bit add is exploitable per
belenky2023_cdpa_hmac_sha2. Roadmap item T2-D ships a
masked variant when the sca-protected feature is enabled
(see arcana/doc/sca/countermeasures/hmac.rst).
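One way a masked 64-bit addition can keep the carry chain described above out of any unmasked intermediate, as an added example (not this crate's code and not the T2-D design): a first-order Boolean-masked Kogge-Stone adder. `MaskRng`, `Shared`, `masked_add` and the helper names are hypothetical, and the xorshift generator is a placeholder for a real mask source.

```rust
// Added illustration, not the crate's code: first-order Boolean-masked 64-bit add.
/// Stand-in mask source (xorshift64); a real build draws masks from a TRNG/DRBG.
pub struct MaskRng(pub u64);
impl MaskRng {
    pub fn next_u64(&mut self) -> u64 {
        self.0 ^= self.0 << 13;
        self.0 ^= self.0 >> 7;
        self.0 ^= self.0 << 17;
        self.0
    }
}

/// A value v held as two shares with v == s.0 ^ s.1.
pub type Shared = (u64, u64);

pub fn mask(v: u64, rng: &mut MaskRng) -> Shared {
    let m = rng.next_u64();
    (v ^ m, m)
}
pub fn unmask(s: Shared) -> u64 { s.0 ^ s.1 }

/// Shift both shares left, then re-mask so the result is independent of its source.
fn shl_refresh(a: Shared, n: u32, rng: &mut MaskRng) -> Shared {
    let m = rng.next_u64();
    ((a.0 << n) ^ m, (a.1 << n) ^ m)
}

/// ISW-style AND on shares: the two outputs XOR to (a & b).
fn sec_and(a: Shared, b: Shared, rng: &mut MaskRng) -> Shared {
    let r = rng.next_u64();
    ((a.0 & b.0) ^ r, ((r ^ (a.0 & b.1)) ^ (a.1 & b.0)) ^ (a.1 & b.1))
}

/// x + y mod 2^64 via a Kogge-Stone carry network evaluated on shares only.
pub fn masked_add(x: Shared, y: Shared, rng: &mut MaskRng) -> Shared {
    let p0 = (x.0 ^ y.0, x.1 ^ y.1); // propagate = x ^ y (linear, share-wise)
    let (mut p, mut g) = (p0, sec_and(x, y, rng)); // generate = x & y
    for n in [1u32, 2, 4, 8, 16, 32] {
        let h = sec_and(p, shl_refresh(g, n, rng), rng);
        g = (g.0 ^ h.0, g.1 ^ h.1); // carries now span twice as many bits
        p = sec_and(p, shl_refresh(p, n, rng), rng);
    }
    (p0.0 ^ (g.0 << 1), p0.1 ^ (g.1 << 1)) // sum = x ^ y ^ (carry << 1)
}

fn main() {
    let mut rng = MaskRng(0x9E37_79B9_7F4A_7C15); // constructed seed
    let (a, b) = (mask(u64::MAX, &mut rng), mask(1, &mut rng));
    assert_eq!(unmask(masked_add(a, b, &mut rng)), 0); // wraps like wrapping_add
}
```

The masking holds at the level of this source only; whether the compiled code keeps the two shares apart in registers and on the bus has to be checked on the target.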
§Structs
- Sha512: SHA-512 hasher (FIPS 180-4). 512-bit output, 128-byte blocks.