I recently wrote about ongoing efforts to retarget the compilation of HACL* from C to Rust. Today, Aymeric, myself and the entire HACL* team are happy to announce that we have a first alpha release of HACL-rs! (Right on time for the HACS workshop).

The goal of HACL-rs is to provide a fast, verified, pure, safe Rust library of cryptographic primitives. In the long run, we simply expect HACL-rs to replace the current HACL C code in libcrux; this will in turn remove the C FFI bindings and make it possible to use libcrux as a pure safe Rust library.

We will present this work later in the year at Rust Verify 2024, but we are making an early announcement to gather initial feedback.

So far, the following algorithms are known to pass our test vectors:

  • hashes: sha1, sha2, sha3, blake2
  • stream ciphers: chacha20, salsa20
  • MACs: poly1305, hmac
  • AEAD: chacha-poly
  • bignums (all variants)
  • signature: Ed25519, ECDSA-P256, RSA-PSS, FFDHE

This is pretty much all of HACL, minus the multiplexing/agile EverCrypt APIs, minus vectorized variants, and minus a few stray algorithms that we haven’t gotten around to fixing yet (K256, HKDF).

The code is here. This is all extremely rough, and we are looking for the following kind of feedback:

  • performance: notably regressions from HACL-C
  • API feedback: we understand that none of these are Rust-native APIs, but we’d love to know about dealbreakers (e.g., too many &muts) as soon as possible, as this will also shape the final libcrux API
  • functional bugs: there is still the possibility of runtime failures, as I was mentioning in my previous blog post; while we have plans to fix this once and for all before the final release, any help finding those will save us time

Please file issues, send emails, or find us at HACS!