
In non-Turing complete languages like Clarity (used for writing smart contracts on the Stacks blockchain), loops and recursion are intentionally excluded to ensure predictability and prevent non-termination. However, these languages still provide support for cryptographic functions like sha256, which internally require looping to process data blocks.

I'm curious to understand how non-Turing complete languages implement functions like sha256 without violating their non-Turing complete nature. How is it possible for these functions to exist in such environments if they rely on looping mechanisms under the hood?

DannyNiu · 10,640 reputation

1 Answer


The loops in SHA, AES, and pretty much all ciphers used in modern IT security can all be unrolled, as their loop conditions don't depend on input data.

Take SHA-256 for example: its compression function has a loop of 64 rounds, but since we know it'll always be 64 rounds, in a non-Turing-complete language we can simply repeat the processing code 64 times verbatim.

The same applies to AES, where there are 10, 12, and 14 rounds respectively for AES-128, -192, and -256.

RSA, Diffie-Hellman, ElGamal, and integer ring exponentiation in general are similar: we just have to fix the size of the modulus beforehand, then we can write double-and-add that many times (typically 2048 times). Loops in elliptic curves are no different - they have a fixed bit width for each parameter set.

And actually, you can pretty much bet on there being no data-dependent branching, as the cryptography academic community generally agrees that it's a serious side-channel vulnerability and it should be avoided in all future algorithm designs.

DannyNiu · 10,640 reputation