chore: merge v0.23.0 release

Author: bobbinth

.github/actions/workspace-release/action.yml

@@ -32,6 +32,8 @@ runs:
 
     - name: Install Rust toolchain
       uses: dtolnay/rust-toolchain@stable
+      with:
+        toolchain: "1.90"
 
     - name: Cache cargo registry and git index
       uses: actions/cache@v4
@@ -55,8 +57,14 @@ runs:
       shell: bash
       run: cargo binstall --no-confirm --force cargo-msrv
 
+    - name: Install Rust 1.91 for cargo-msrv
+      shell: bash
+      run: rustup toolchain install 1.91
+
     - name: Check MSRV
       shell: bash
+      env:
+        RUSTUP_TOOLCHAIN: "1.91"
       run: |
         export PATH="$HOME/.cargo/bin:$PATH"
         ./scripts/check-msrv.sh

.github/workflows/docs.yml

@@ -0,0 +1,52 @@
+# Generates and deploys crate documentation to GitHub Pages
+
+name: docs
+
+on:
+  push:
+    branches:
+      - next
+    paths:
+      - "**.rs"
+      - "Cargo.toml"
+      - "Cargo.lock"
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: write
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  docs:
+    name: Generate and deploy crate documentation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+
+      - name: Cleanup large tools for build space
+        uses: ./.github/actions/cleanup-runner
+
+      - name: Install LLVM/Clang
+        uses: ./.github/actions/install-llvm
+        with:
+          version: "17"
+
+      - name: Generate documentation
+        run: |
+          rustup update --no-self-update
+          rustup default stable
+          make doc
+
+      - name: Deploy documentation
+        uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # pin@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./target/doc
+          destination_dir: docs

.github/workflows/fuzz.yml

@@ -23,6 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
+      max-parallel: 1
       matrix:
         target: [primitives, collections, string, vint64, goldilocks, budgeted]
     timeout-minutes: 15
@@ -31,33 +32,38 @@ jobs:
       - name: Cleanup large tools for build space
         uses: ./.github/actions/cleanup-runner
       - uses: dtolnay/rust-toolchain@nightly
+        with:
+          toolchain: nightly
       - uses: Swatinem/rust-cache@v2
       - name: Install cargo-fuzz
-        run: cargo install cargo-fuzz --locked
+        run: cargo +nightly install cargo-fuzz --locked
       - name: Run fuzz target (smoke test)
         working-directory: miden-serde-utils
         run: |
-          cargo fuzz run ${{ matrix.target }} -- -max_total_time=60 -runs=10000
+          cargo +nightly fuzz run ${{ matrix.target }} -- -max_total_time=60 -runs=10000
 
   fuzz-miden-crypto:
     name: fuzz miden-crypto (${{ matrix.target }})
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
+      max-parallel: 1
       matrix:
-        target: [word, merkle, smt_serde]
+        target: [word, merkle, merkle_store, smt_serde, mmr, crypto, aead, signatures]
     timeout-minutes: 15
     steps:
       - uses: actions/checkout@main
       - name: Cleanup large tools for build space
         uses: ./.github/actions/cleanup-runner
       - uses: dtolnay/rust-toolchain@nightly
+        with:
+          toolchain: nightly
       - uses: Swatinem/rust-cache@v2
       - name: Install cargo-fuzz
-        run: cargo install cargo-fuzz --locked
+        run: cargo +nightly install cargo-fuzz --locked
       - name: Run fuzz target (smoke test)
         run: |
           # Build the fuzz target first
-          cargo fuzz build --fuzz-dir miden-crypto-fuzz ${{ matrix.target }}
+          cargo +nightly fuzz build --fuzz-dir miden-crypto-fuzz ${{ matrix.target }}
           # Run directly to avoid cargo-fuzz wrapper SIGPIPE issue
           miden-crypto-fuzz/target/x86_64-unknown-linux-gnu/release/${{ matrix.target }} -max_total_time=60 -runs=10000

.github/workflows/lint.yml

@@ -118,6 +118,17 @@ jobs:
           tool: cargo-deny
       - run: make cargo-deny
 
+  zeroize-audit:
+    name: zeroize-audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Rustup
+        run: |
+          rustup update --no-self-update nightly
+      - name: Zeroize audit
+        run: make zeroize-audit
+
   fuzz-check:
     name: check fuzz crate
     runs-on: ubuntu-latest

.github/workflows/test.yml

@@ -25,7 +25,7 @@ jobs:
       matrix:
         toolchain: [stable, nightly]
         os: [ubuntu]
-        args: [default, hashmaps, no-std, large-smt]
+        args: [default, no-std, large-smt]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@main
@@ -69,6 +69,8 @@ jobs:
     if: ${{ github.event_name == 'pull_request' && (github.base_ref == 'main' || github.base_ref == 'next') }}
     strategy:
       fail-fast: false
+      matrix:
+        toolchain: [stable]
     steps:
       - uses: actions/checkout@main
       - name: Cleanup large tools for build space
@@ -83,3 +85,21 @@ jobs:
           rustup update --no-self-update
           rustup default ${{ matrix.toolchain }}
           make test-docs
+
+  doc-build:
+    name: doc-build
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'pull_request' && (github.base_ref == 'main' || github.base_ref == 'next') }}
+    steps:
+      - uses: actions/checkout@main
+      - name: Cleanup large tools for build space
+        uses: ./.github/actions/cleanup-runner
+      - name: Install LLVM/Clang
+        uses: ./.github/actions/install-llvm
+        with:
+          version: "17"
+      - name: Build docs
+        run: |
+          rustup update --no-self-update nightly
+          rustup default nightly
+          make doc

CHANGELOG.md

@@ -1,3 +1,27 @@
+## 0.23.0 (2026-03-11)
+
+- Replaced `Subtree` internal storage with bitmask layout ([#784](https://github.com/0xMiden/crypto/pull/784)).
+- [BREAKING] `PartialMmr::open()` now returns `Option<MmrProof>` instead of `Option<MmrPath>` ([#787](https://github.com/0xMiden/crypto/pull/787)).
+- [BREAKING] Refactored BLAKE3 to use `Digest<N>` struct, added `Digest192` type alias ([#811](https://github.com/0xMiden/crypto/pull/811)).
+- [BREAKING] Added validation to `PartialMmr::from_parts()` and `Deserializable` implementation, added `from_parts_unchecked()` for performance-critical code ([#812](https://github.com/0xMiden/crypto/pull/812)).
+- [BREAKING] Removed `hashbrown` dependency and `hashmaps` feature; `Map`/`Set` type aliases are now tied to the `std` feature ([#813](https://github.com/0xMiden/crypto/pull/813)).
+- [BREAKING] Renamed `NodeIndex::value()` to `NodeIndex::position()`, `NodeIndex::is_value_odd()` to `NodeIndex::is_position_odd()`, and `LeafIndex::value()` to `LeafIndex::position()` ([#814](https://github.com/0xMiden/crypto/pull/814)).
+- Fixed `LargeSmtForest::truncate` to remove emptied lineages from `non_empty_histories` ([#818](https://github.com/0xMiden/crypto/pull/818)).
+- [BREAKING] Fixed OOMs in Merkle/SMT deserialization ([#820](https://github.com/0xMiden/crypto/pull/820)).
+- Fixed `SmtForest` to remove nodes with zero reference count from store ([#821](https://github.com/0xMiden/crypto/pull/821)).
+- Cross-checked RPO test vectors against the Python reference implementation after state layout change ([#822](https://github.com/0xMiden/crypto/pull/822)).
+- Fixed tuple `min_serialized_size()` to exclude alignment padding, fixing `BudgetedReader` rejecting valid data ([#827](https://github.com/0xMiden/crypto/pull/827)).
+- Fixed possible panic in `XChaCha::decrypt_bytes_with_associated_data` and harden deserialization with fuzzing across 7 new targets ([#836](https://github.com/0xMiden/crypto/pull/836)).
+- Added `Signature::from_der()` for ECDSA signatures over secp256k1 ([#842](https://github.com/0xMiden/crypto/pull/842)).
+- [BREAKING] Added info context field to secret box, bind IES HKDF info to a stable context string, scheme identifier, and ephemeral public key bytes. ([#843](https://github.com/0xMiden/crypto/pull/843)).
+- Use `read_from_bytes_with_budget()` instead of read_from_bytes for deserialization from untrusted sources, setting the budget to the actual input byte slice length. ([#846](https://github.com/0xMiden/crypto/pull/846)).
+- [BREAKING] Removed `PartialEq`/`Eq` for AEAD `SecretKey` in non-test builds, fix various hygiene issues in dealing with secret keys ([#849](https://github.com/0xMiden/crypto/pull/849)).
+- Added `PublicKey::from_der()` for ECDSA public keys over secp256k1 ([#855](https://github.com/0xMiden/crypto/pull/855)).
+- [BREAKING] Fixed `NodeIndex::to_scalar_index()` overflow at depth 64 by returning `Result<u64, MerkleError>` ([#865](https://github.com/0xMiden/crypto/issues/865)).
+- [BREAKING] Removed `RpoRandomCoin` and `RpxRandomCoin` and introduced a Poseidon2-based `RandomCoin` ([#871](https://github.com/0xMiden/crypto/pull/871)).
+- Harden MerkleStore deserialization and fuzz coverage ([#878](https://github.com/0xMiden/crypto/pull/878)).
+- [BREAKING] Upgraded Plonky3 from 0.4.2 to 0.5.0 and replaced `p3-miden-air`, `p3-miden-fri`, and `p3-miden-prover` with the unified `p3-miden-lifted-stark` crate. The `stark` module now re-exports the Lifted STARK proving system from [p3-miden](https://github.com/0xMiden/p3-miden).
+
 ## 0.22.4 (2026-03-03)
 
 - Make `SmtLeaf::get_value` public ([#872](https://github.com/0xMiden/crypto/pull/872)).