Sponge state remapping

CHANGELOG.md

@@ -4,6 +4,7 @@
 - Use more idiomatic Plonky3 APIs ([#743](https://github.com/0xMiden/crypto/pull/743)).
 - Make concurrent feature interact with plonky3's parallel features, replace homegrown iterator macros with p3-maybe-rayon ([#749](https://github.com/0xMiden/crypto/pull/749)).
 - Reduce dependency on std in tests, add test helpers to access Rngs in no-std contexts ([#752](https://github.com/0xMiden/crypto/pull/752)).
+- [BREAKING] Changed sponge state layout from `[CAPACITY, RATE1, RATE0]` (BE) to `[RATE0, RATE1, CAPACITY]` (LE) ([#755](https://github.com/0xMiden/crypto/pull/755)).
 
 # 0.20.1 (2025-12-29)
 

miden-crypto/src/aead/aead_rpo/mod.rs

@@ -528,7 +528,7 @@ impl SpongeState {
         squeezed_data
     }
 
-    /// Squeezes an authentication tag
+    /// Squeezes an authentication tag (from RATE0, the first rate word)
     fn squeeze_tag(&mut self) -> AuthTag {
         self.permute();
         AuthTag(

miden-crypto/src/dsa/falcon512_rpo/tests/data.rs

@@ -1755,60 +1755,59 @@ pub(crate) static SK_POLYS: [[[i16; 512]; 4]; NUM_TEST_VECTORS] = [
 /// Serialized deterministic RPO-Falcon-512 signature intended for use as a test vector
 /// for the determinism in the signing procedure across platforms.
 ///
-/// This was generated on an `Intel Core i5-8279U` running on Linux kernel `5.4.0-144-generic` and
-/// built with Rust `1.88.0`.
+/// This was generated on an `M4` running on `Sequoia 15.7` and built with Rust `1.90.0`.
 pub(crate) const DETERMINISTIC_SIGNATURE: [u8; SIG_SERIALIZED_LEN] = [
-    185, 1, 22, 144, 158, 211, 85, 196, 199, 194, 123, 220, 135, 121, 154, 120, 141, 154, 66, 32,
-    56, 47, 239, 41, 38, 121, 124, 172, 190, 21, 238, 237, 69, 36, 36, 245, 63, 146, 222, 205, 107,
-    153, 60, 69, 60, 10, 91, 243, 160, 222, 120, 21, 132, 54, 134, 200, 184, 209, 102, 174, 244,
-    236, 77, 155, 224, 162, 181, 104, 251, 8, 40, 30, 9, 14, 184, 153, 181, 189, 100, 74, 238, 146,
-    99, 20, 84, 157, 181, 82, 118, 220, 172, 2, 233, 176, 72, 241, 169, 13, 245, 117, 157, 112, 30,
-    76, 218, 217, 199, 73, 94, 220, 50, 113, 143, 125, 218, 52, 196, 133, 90, 209, 27, 230, 125,
-    153, 181, 235, 98, 178, 151, 63, 190, 194, 43, 186, 139, 54, 38, 8, 203, 17, 91, 137, 246, 187,
-    114, 179, 210, 11, 61, 177, 55, 129, 172, 18, 200, 29, 53, 203, 254, 78, 168, 251, 249, 209, 1,
-    103, 177, 6, 28, 222, 220, 220, 55, 158, 166, 228, 43, 183, 31, 38, 32, 174, 174, 113, 247,
-    108, 148, 225, 245, 15, 228, 225, 234, 160, 25, 161, 201, 189, 147, 158, 12, 249, 57, 71, 113,
-    17, 104, 43, 187, 53, 240, 35, 244, 54, 198, 79, 88, 154, 133, 242, 85, 168, 180, 233, 161,
-    103, 77, 75, 161, 81, 33, 75, 155, 10, 247, 73, 46, 24, 55, 237, 87, 219, 83, 17, 138, 226, 41,
-    250, 159, 229, 73, 94, 89, 161, 70, 82, 45, 13, 193, 6, 33, 70, 127, 181, 120, 203, 81, 171,
-    39, 166, 31, 201, 41, 65, 240, 178, 93, 136, 58, 71, 147, 38, 27, 204, 158, 63, 123, 120, 81,
-    136, 101, 47, 63, 22, 238, 79, 226, 137, 126, 71, 217, 53, 217, 204, 96, 108, 222, 34, 161, 31,
-    162, 42, 186, 101, 139, 61, 37, 97, 145, 133, 179, 65, 163, 79, 87, 19, 49, 80, 126, 112, 246,
-    92, 214, 184, 153, 247, 246, 187, 199, 133, 116, 184, 45, 223, 6, 33, 101, 117, 101, 227, 207,
-    127, 238, 91, 114, 134, 53, 127, 98, 204, 219, 219, 168, 136, 63, 210, 153, 218, 186, 138, 170,
-    76, 215, 67, 34, 132, 146, 12, 38, 42, 149, 76, 172, 209, 231, 24, 77, 212, 205, 171, 235, 236,
-    159, 220, 92, 62, 9, 164, 54, 49, 51, 192, 47, 238, 3, 229, 98, 26, 100, 47, 101, 132, 194, 8,
-    142, 141, 173, 107, 191, 102, 19, 181, 209, 71, 168, 61, 175, 33, 37, 125, 37, 203, 19, 116,
-    144, 176, 55, 4, 165, 47, 238, 101, 20, 131, 197, 146, 167, 222, 185, 140, 132, 80, 128, 226,
-    150, 93, 203, 160, 196, 162, 141, 105, 190, 50, 92, 98, 31, 136, 102, 46, 24, 153, 6, 55, 78,
-    135, 146, 24, 147, 221, 31, 74, 189, 115, 157, 83, 74, 147, 64, 255, 204, 79, 255, 31, 74, 65,
-    143, 115, 35, 72, 59, 244, 26, 130, 173, 69, 96, 26, 215, 61, 97, 41, 69, 236, 230, 105, 119,
-    30, 220, 90, 128, 250, 48, 134, 130, 205, 142, 196, 49, 184, 190, 101, 220, 199, 168, 217, 105,
-    242, 157, 100, 135, 163, 156, 205, 172, 241, 35, 148, 124, 244, 45, 97, 213, 114, 55, 10, 126,
-    117, 173, 135, 77, 239, 135, 58, 68, 243, 200, 222, 100, 52, 219, 26, 19, 217, 109, 32, 39,
-    118, 130, 139, 38, 101, 231, 38, 126, 228, 20, 197, 91, 211, 248, 253, 74, 27, 201, 4, 52, 158,
-    38, 116, 79, 62, 17, 107, 99, 75, 166, 247, 119, 31, 140, 97, 229, 48, 73, 179, 23, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 9, 155, 125, 185, 64, 84, 225, 93, 95, 10, 178, 100, 198, 160, 180, 110, 66,
-    53, 41, 212, 204, 170, 160, 237, 167, 160, 122, 168, 168, 68, 93, 180, 2, 255, 84, 191, 48,
-    157, 91, 57, 228, 201, 192, 75, 145, 62, 104, 175, 135, 156, 9, 128, 122, 1, 210, 73, 150, 34,
-    200, 59, 228, 99, 89, 40, 54, 25, 217, 86, 245, 170, 187, 28, 224, 144, 102, 208, 225, 180,
-    106, 60, 184, 144, 29, 213, 222, 166, 45, 212, 135, 24, 164, 201, 83, 26, 181, 36, 130, 38,
-    173, 109, 97, 235, 192, 26, 43, 248, 157, 36, 62, 182, 118, 28, 234, 32, 6, 171, 179, 224, 30,
-    170, 75, 80, 101, 228, 221, 195, 238, 144, 170, 6, 57, 109, 171, 41, 157, 234, 0, 103, 243,
-    207, 105, 76, 164, 83, 35, 27, 73, 134, 177, 241, 38, 98, 86, 16, 200, 61, 190, 53, 115, 49,
-    157, 169, 143, 109, 119, 196, 109, 151, 31, 54, 94, 22, 246, 174, 164, 162, 173, 60, 74, 18,
-    220, 166, 122, 176, 32, 166, 107, 100, 229, 32, 161, 185, 210, 8, 49, 230, 61, 184, 212, 197,
-    41, 114, 239, 214, 114, 177, 9, 39, 254, 197, 24, 151, 86, 141, 25, 206, 200, 146, 167, 36, 29,
-    224, 66, 141, 123, 73, 246, 49, 80, 207, 109, 160, 72, 249, 70, 164, 10, 211, 190, 15, 104,
-    147, 186, 216, 202, 251, 27, 246, 250, 104, 57, 91, 119, 19, 98, 173, 247, 70, 85, 8, 13, 70,
-    69, 120, 52, 21, 87, 112, 50, 11, 75, 213, 167, 79, 42, 106, 58, 250, 77, 12, 133, 174, 108,
-    113, 82, 17, 17, 98, 126, 97, 172, 87, 218, 221, 79, 84, 113, 33, 148, 62, 105, 150, 66, 152,
-    153, 39, 237, 96, 75, 81, 1, 56, 6, 98, 92, 138, 114, 242, 189, 40, 38, 197, 118, 96, 130, 145,
-    229, 138, 153, 44, 49, 89, 120, 209, 167, 205, 202, 28, 65, 174, 219, 125, 99, 31, 88, 48, 254,
-    227, 34, 88, 138, 138, 60, 144, 106, 148, 158, 248, 154, 181, 53, 3, 45, 233, 164, 68, 80, 207,
-    42, 209, 157, 159, 128, 94, 241, 55, 166, 231, 115, 130, 41, 132, 19, 135, 225, 120, 36, 101,
-    204, 210, 161, 84, 197, 63, 5, 36, 178, 4, 229, 237, 43, 49, 212, 80, 219, 20, 172, 182, 189,
-    9, 193, 112, 73, 63, 37, 148, 148, 184, 201, 96, 83, 62, 32, 186, 249, 54, 103, 208, 112, 216,
+    185, 1, 49, 100, 34, 177, 39, 53, 190, 227, 187, 229, 174, 59, 206, 209, 55, 168, 94, 121, 223,
+    102, 175, 213, 188, 26, 185, 233, 198, 252, 249, 138, 82, 22, 171, 253, 118, 25, 164, 99, 187,
+    36, 109, 69, 198, 5, 16, 70, 234, 156, 145, 45, 71, 247, 255, 137, 71, 108, 215, 161, 85, 46,
+    110, 45, 26, 71, 171, 47, 181, 153, 48, 142, 250, 169, 149, 108, 193, 17, 239, 43, 255, 253,
+    190, 217, 63, 139, 49, 228, 103, 101, 201, 241, 236, 162, 110, 246, 146, 195, 202, 159, 63,
+    237, 121, 235, 235, 216, 41, 27, 127, 141, 61, 13, 41, 133, 97, 80, 207, 33, 90, 59, 250, 95,
+    240, 34, 95, 25, 43, 115, 31, 51, 124, 214, 88, 143, 111, 143, 65, 29, 175, 167, 200, 233, 68,
+    194, 224, 232, 184, 183, 95, 49, 65, 81, 81, 9, 82, 27, 60, 196, 39, 103, 33, 209, 97, 88, 92,
+    214, 121, 201, 66, 191, 172, 175, 76, 165, 196, 191, 205, 5, 147, 179, 11, 173, 36, 186, 173,
+    211, 229, 41, 235, 251, 245, 44, 234, 164, 157, 66, 166, 146, 187, 156, 43, 23, 184, 108, 107,
+    30, 45, 252, 98, 185, 136, 152, 185, 94, 120, 149, 133, 200, 96, 255, 188, 183, 9, 122, 52,
+    220, 92, 171, 53, 43, 119, 97, 73, 36, 69, 194, 117, 179, 10, 158, 180, 173, 216, 34, 147, 150,
+    73, 137, 38, 104, 147, 147, 128, 76, 28, 9, 134, 72, 86, 33, 109, 238, 37, 19, 189, 248, 222,
+    221, 252, 185, 150, 102, 200, 66, 208, 254, 154, 102, 110, 46, 180, 253, 181, 90, 136, 15, 15,
+    99, 250, 71, 8, 41, 206, 249, 247, 177, 87, 27, 246, 193, 91, 240, 148, 39, 138, 141, 166, 109,
+    36, 20, 109, 14, 103, 47, 30, 48, 13, 38, 188, 151, 233, 74, 148, 7, 147, 132, 238, 106, 86,
+    146, 36, 206, 56, 89, 102, 213, 66, 84, 151, 47, 116, 223, 164, 206, 177, 164, 17, 55, 231, 93,
+    236, 115, 92, 161, 28, 171, 33, 153, 86, 140, 123, 224, 201, 107, 121, 129, 63, 212, 221, 148,
+    62, 172, 44, 184, 103, 217, 88, 67, 173, 172, 42, 115, 151, 179, 29, 118, 114, 186, 202, 80,
+    153, 89, 92, 81, 0, 74, 55, 201, 247, 54, 90, 199, 243, 119, 172, 31, 15, 182, 170, 200, 127,
+    183, 91, 189, 237, 241, 154, 248, 229, 16, 117, 149, 15, 79, 156, 246, 160, 147, 77, 38, 144,
+    194, 119, 69, 131, 46, 23, 185, 43, 66, 194, 77, 185, 30, 206, 92, 4, 218, 161, 156, 24, 54,
+    238, 89, 201, 37, 148, 39, 185, 89, 137, 206, 171, 148, 189, 181, 185, 205, 168, 104, 182, 93,
+    82, 17, 77, 143, 31, 188, 108, 11, 168, 116, 147, 166, 55, 160, 209, 153, 5, 146, 59, 46, 231,
+    219, 112, 200, 110, 9, 148, 200, 94, 93, 247, 234, 48, 90, 88, 104, 34, 18, 120, 235, 25, 231,
+    42, 156, 145, 165, 233, 143, 17, 227, 155, 44, 216, 185, 202, 54, 242, 53, 233, 206, 161, 176,
+    221, 204, 124, 208, 104, 87, 80, 128, 163, 122, 150, 178, 5, 184, 146, 50, 121, 95, 174, 151,
+    57, 4, 174, 208, 27, 157, 135, 190, 121, 1, 68, 57, 81, 69, 235, 205, 137, 82, 161, 209, 12,
+    212, 9, 9, 77, 22, 251, 36, 37, 13, 50, 61, 89, 164, 69, 105, 92, 233, 136, 195, 210, 103, 102,
+    73, 20, 5, 28, 162, 56, 169, 245, 255, 8, 134, 70, 53, 38, 245, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 9, 155, 125, 185, 64, 84, 225, 93, 95, 10, 178, 100, 198, 160, 180, 110, 66, 53,
+    41, 212, 204, 170, 160, 237, 167, 160, 122, 168, 168, 68, 93, 180, 2, 255, 84, 191, 48, 157,
+    91, 57, 228, 201, 192, 75, 145, 62, 104, 175, 135, 156, 9, 128, 122, 1, 210, 73, 150, 34, 200,
+    59, 228, 99, 89, 40, 54, 25, 217, 86, 245, 170, 187, 28, 224, 144, 102, 208, 225, 180, 106, 60,
+    184, 144, 29, 213, 222, 166, 45, 212, 135, 24, 164, 201, 83, 26, 181, 36, 130, 38, 173, 109,
+    97, 235, 192, 26, 43, 248, 157, 36, 62, 182, 118, 28, 234, 32, 6, 171, 179, 224, 30, 170, 75,
+    80, 101, 228, 221, 195, 238, 144, 170, 6, 57, 109, 171, 41, 157, 234, 0, 103, 243, 207, 105,
+    76, 164, 83, 35, 27, 73, 134, 177, 241, 38, 98, 86, 16, 200, 61, 190, 53, 115, 49, 157, 169,
+    143, 109, 119, 196, 109, 151, 31, 54, 94, 22, 246, 174, 164, 162, 173, 60, 74, 18, 220, 166,
+    122, 176, 32, 166, 107, 100, 229, 32, 161, 185, 210, 8, 49, 230, 61, 184, 212, 197, 41, 114,
+    239, 214, 114, 177, 9, 39, 254, 197, 24, 151, 86, 141, 25, 206, 200, 146, 167, 36, 29, 224, 66,
+    141, 123, 73, 246, 49, 80, 207, 109, 160, 72, 249, 70, 164, 10, 211, 190, 15, 104, 147, 186,
+    216, 202, 251, 27, 246, 250, 104, 57, 91, 119, 19, 98, 173, 247, 70, 85, 8, 13, 70, 69, 120,
+    52, 21, 87, 112, 50, 11, 75, 213, 167, 79, 42, 106, 58, 250, 77, 12, 133, 174, 108, 113, 82,
+    17, 17, 98, 126, 97, 172, 87, 218, 221, 79, 84, 113, 33, 148, 62, 105, 150, 66, 152, 153, 39,
+    237, 96, 75, 81, 1, 56, 6, 98, 92, 138, 114, 242, 189, 40, 38, 197, 118, 96, 130, 145, 229,
+    138, 153, 44, 49, 89, 120, 209, 167, 205, 202, 28, 65, 174, 219, 125, 99, 31, 88, 48, 254, 227,
+    34, 88, 138, 138, 60, 144, 106, 148, 158, 248, 154, 181, 53, 3, 45, 233, 164, 68, 80, 207, 42,
+    209, 157, 159, 128, 94, 241, 55, 166, 231, 115, 130, 41, 132, 19, 135, 225, 120, 36, 101, 204,
+    210, 161, 84, 197, 63, 5, 36, 178, 4, 229, 237, 43, 49, 212, 80, 219, 20, 172, 182, 189, 9,
+    193, 112, 73, 63, 37, 148, 148, 184, 201, 96, 83, 62, 32, 186, 249, 54, 103, 208, 112, 216,
     216, 217, 97, 70, 4, 18, 42, 182, 117, 21, 222, 204, 168, 164, 123, 1, 189, 145, 70, 80, 218,
     192, 136, 81, 22, 159, 137, 194, 70, 246, 187, 150, 50, 54, 154, 203, 214, 73, 174, 205, 44,
     192, 105, 138, 192, 109, 238, 21, 64, 232, 181, 218, 129, 125, 92, 145, 87, 64, 222, 169, 183,

miden-crypto/src/dsa/falcon512_rpo/tests/mod.rs

@@ -1,7 +1,8 @@
 use alloc::vec::Vec;
 
 use data::{
-    EXPECTED_SIG, EXPECTED_SIG_POLYS, NUM_TEST_VECTORS, SK_POLYS, SYNC_DATA_FOR_TEST_VECTOR,
+    DETERMINISTIC_SIGNATURE, EXPECTED_SIG, EXPECTED_SIG_POLYS, NUM_TEST_VECTORS, SK_POLYS,
+    SYNC_DATA_FOR_TEST_VECTOR,
 };
 use prng::Shake256Testing;
 use rand::{RngCore, SeedableRng};
@@ -10,7 +11,6 @@ use rand_chacha::ChaCha20Rng;
 use super::{Serializable, math::Polynomial};
 use crate::dsa::falcon512_rpo::{
     PREVERSIONED_NONCE, PREVERSIONED_NONCE_LEN, SIG_NONCE_LEN, SIG_POLY_BYTE_LEN, SecretKey,
-    tests::data::DETERMINISTIC_SIGNATURE,
 };
 
 mod data;

miden-crypto/src/hash/algebraic_sponge/mod.rs

@@ -25,25 +25,24 @@ pub(crate) mod rescue;
 // CONSTANTS
 // ================================================================================================
 
-/// Sponge state is set to 12 field elements or 96 bytes; 8 elements are reserved for rate and
-/// the remaining 4 elements are reserved for capacity.
+/// Sponge state is set to 12 field elements or 96 bytes; 8 elements are reserved for the rate and
+/// the remaining 4 elements are reserved for the capacity.
 pub(crate) const STATE_WIDTH: usize = 12;
 
-/// The rate portion of the state is located in elements 4 through 11.
-pub(crate) const RATE_RANGE: Range<usize> = 4..12;
+/// The rate portion of the state is located in elements 0 through 7.
+pub(crate) const RATE_RANGE: Range<usize> = 0..8;
 pub(crate) const RATE_WIDTH: usize = RATE_RANGE.end - RATE_RANGE.start;
 
-pub(crate) const INPUT1_RANGE: Range<usize> = 4..8;
-pub(crate) const INPUT2_RANGE: Range<usize> = 8..12;
+/// The first and second 4-element words of the rate portion.
+pub(crate) const RATE0_RANGE: Range<usize> = 0..4;
+pub(crate) const RATE1_RANGE: Range<usize> = 4..8;
 
-/// The capacity portion of the state is located in elements 0, 1, 2, and 3.
-pub(crate) const CAPACITY_RANGE: Range<usize> = 0..4;
+/// The capacity portion of the state is located in elements 8, 9, 10, and 11.
+pub(crate) const CAPACITY_RANGE: Range<usize> = 8..12;
 
-/// The output of the hash function is a digest which consists of 4 field elements or 32 bytes.
-///
-/// The digest is returned from state elements 4, 5, 6, and 7 (the first four elements of the
-/// rate portion).
-pub(crate) const DIGEST_RANGE: Range<usize> = 4..8;
+/// The output of the hash function is a digest which consists of 4 field elements or 32 bytes,
+/// taken from the first word of the rate portion of the state.
+pub(crate) const DIGEST_RANGE: Range<usize> = 0..4;
 
 /// The number of byte chunks defining a field element when hashing a sequence of bytes
 const BINARY_CHUNK_SIZE: usize = 7;
@@ -96,7 +95,7 @@ pub(crate) trait AlgebraicSponge {
             Self::apply_permutation(&mut state);
         }
 
-        // return the first 4 elements of the state as hash result
+        // return the digest portion of the state as hash result
         Word::new(state[DIGEST_RANGE].try_into().unwrap())
     }
 
@@ -169,7 +168,7 @@ pub(crate) trait AlgebraicSponge {
             Self::apply_permutation(&mut state);
         }
 
-        // return the first 4 elements of the rate as hash result.
+        // return the digest portion of the rate as hash result.
         Word::new(state[DIGEST_RANGE].try_into().unwrap())
     }
 
@@ -204,12 +203,12 @@ pub(crate) trait AlgebraicSponge {
         // - if the value doesn't fit into a single field element, split it into two field elements,
         //   copy them into rate elements 5 and 6 and set the first capacity element to 6.
         let mut state = [ZERO; STATE_WIDTH];
-        state[INPUT1_RANGE].copy_from_slice(seed.as_elements());
-        state[INPUT2_RANGE.start] = Felt::new(value);
+        state[RATE0_RANGE].copy_from_slice(seed.as_elements());
+        state[RATE1_RANGE.start] = Felt::new(value);
         if value < Felt::ORDER_U64 {
             state[CAPACITY_RANGE.start] = Felt::from_u8(5_u8);
         } else {
-            state[INPUT2_RANGE.start + 1] = Felt::new(value / Felt::ORDER_U64);
+            state[RATE1_RANGE.start + 1] = Felt::new(value / Felt::ORDER_U64);
             state[CAPACITY_RANGE.start] = Felt::from_u8(6_u8);
         }