ON THE HARDWARE IMPLEMENTATIONS OF THE SHA-2 (256,384,512) HASH FUNCTIONS
N. Sklavos and 0.Koufopavlou
Electrical and Computer Engineering Department University of Patras, Patras, GREECE [email protected]
ABSTRACT offering security comparable to the AES key strengths. On August Couple to the communications wired and unwired 26, 2002, NIST announced the approval of FIPS 180-2 networks growth, is the increasing demand for strong [3], Secure Hash Standard, which introduces the secure data transmission. New cryptographic standards are specifications of three new hash functions, SHA-2 (256, developed, and new encryption algorithms are designed, in 384,512). order to satisfy the special needs for security. SHA-2 is the Hash functions is a fundamental primitive categoly in newest powerful standard in the hash functions families. In modem cryptography, often called one-way hash this paper, a VLSI architecture for the SHA-2 family is functions. A hash function is a computationally efficient proposed. For every hash function SHA-2 (256, 384, and function, which maps binary strings of arbitrary length to 512) of this standard, a hardware implementation is binary strings of some fixed length, called hash-values [4]. presented. All the implementations are examined and In this paper, a VLSI architecture for the SHA-2 hash compared in the supported security level and in the function family is proposed. Based on this architecture, performance by using hardware terms. This work can every one of the SHA-2 (256, 384, 512) hash functions substitute efficiently the previous SHA-1 standard have been implemented separately, due to the different implementations, in every integrity security scheme, with specifications. All the proposed implementations are higher offered security level, and better performance. In examined and compared in the offered security level and addition, the proposed implementations could be applied in the performance by using hardware terms. From the altematively in the integrations of digital signahue comparisons results, with other related works on other algorithms, keyed-hash message authentication codes and hash functions implementations, it is proven that the in random numbers generators architectures. proposed implementations perform better in all of the cases. This work can substitute the previous SHA-I standard implementations, in every integrity security 1 INTRODUCTION scheme, with higher supported security level and better The continued growth of communications in the last hardware performance. In addition, the proposed decades and the large range of the sensitive offered implementations can be applied efficiently in the applications in the networks, have triggered the increasing implementation of digital signature algorithms [SI, keyed- demand for security. In some cases, the existing security hash message authentication codes [6] and in random standards have been proved insufficient. In order to be numbers generators architectures [7]. satisfied the special needs for cryptography, new security This paper is organized as follows: in section two the algorithms and cryptographic schemes are designed and SHA-2 standard is introduced. In the next section the developed. proposed architecture for the SHA-2 hash functions family The Secure Hash Algorithm-I (SHA-I) [I], is the is presented in detail. In addition, the specifications and world's most popular hash function. Unfortunately, the the design demands for each one of the proposed security level of this design is limited to a level implementations SHA-2 (256), SHA-2 (384). SHA-2 comparable to an 80-bit block cipher. The announced new (512), are also presented. The VLSI implementations AES Standard [2], which is specified in 128-, 192-, and synthesis results are given in the section 4 and 256-bit keys, drove the demand for a new SHA algorithm comparisons with other related works are presented. Finally, conclusions are discussed in the last section.
0-7803-7761-3103/$17.00 02003 IEEE V-153 2 SECURE HASH FUNCTION z 3 PROPOSED SHA-I FAMILY ARCHITECTURE The SHA-2 standard [3] supersedes the existing FlPS In order to implement the three hash functions of the 180-1 [I], adding three new algorithms SHA-2(256), SHA- SHA-2 family, a common architecture have been designed, 2(384), and SHA-2(512), for computing a condensed and it is used for each one of them separately. This proposed representation (message digest) of electronic data (input architecture is illustrated in tbe Fig. 1. message. The message digests range in length from 160 to 5 12 bits, depending on the algorithm. These hash functions enable the determination of a message’s integrity: any change to the message will, with a very high probability, results in a different message digest. Secure hash functions are basically used with other cryptographic algorithms, such as digital signature algorithms, keyed-hash message authentication codes, and in random numbers generators. The three new hash functions specified in this standard are called secure because, for a given algorithm, it is computationally infeasible I) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, results in a different message digest. The hash functions of the SHA-2 family differ most significantly in the number of security bits that are provided for the hashed input data block. Security is directly related to Figure 1: Proposed SHA-2 Family Architecture the message digest length. In most of the cases, when a The PADDER pads the input data and converts them to secure hash function is used in conjunction with another n-hit blocks (padded data). This operation is the same for algorithm, there special specifications, which require the use these three hash functions, which sequentially process blocks of a secure hash function with a certain number of security of n-bit. The padded message is generated with the following bits. For example, if a message is being signed with a digital process: a logic “I”, followed by m “Ws, followed by a 64- signature algorithm that provides 256-bit security, then that bit integer are appended to the end of the input data message, signature algorithm may require the use of a secure hash to produce a padded message of length equal to a multiple of algorithm that provides 256-bit security, SHA-2(5 12). In n. The 64-bit integer is equal to the length of the input data addition, these three hash functions differ in terms of the message. The padded data is a multiple of 512-bit for the block size and words of data that are used during hashing. SHA-2(256) and a multiple of 1024 for the SHA-2(384) and TabIe I presents the hasic properties of all four secure hash SHA-2(512). The padded data are divided into N equal data functions. blocks M’,..., MN and are processed in order, using the following equations:
W(i)=M’, O<=i<=15, (I) W(i)=olW(i-2)+W(i-7)+oOW(i-l5)+W(i-l6),15
V-154 The basic TRANSFORMATION ROUND is working where R(n) indicates right rotation of the input by n-bit and with .E basic inputs (A-IN, ...,H-IN) and 8 outputs S(n) indicates right shift by n-bits. The functions of Fig. 4 (A-OUT,..,H-OUT), which are related with the following are similar but they are implemented by using different eauations: constants for each one of the SHA-2 family hash functions. The specified constants values for every hash function are given by the SHA-2 standard [3]. (5) D-OUT=C_lN (6) 4 VLSl SYNTHESIS RESULTS E OUT=D n\r+Tl(E-N,F-IN,C_IN,H-IN) (7) F:OUT=E~N (8) Tbe proposed architectures have been captured by using G-OUT<=F-IN (9) VHDL and have been synthesized placed and routed using H-OUT<=G-lN (10) XILINX FPGA Virtex Device (vZOOpq240). The synthesis The working inputs are initialized to the constants values results for the proposed SHA-2 implementations are (A-Con,. . .,H-Con) before hash computation begins. In the illustr~tedin the following 1ables 2-4. above equations, two functions Tl(x,y,z) and TZ(x,y,z) are used for the desirable data transformation. The architectures ARoutedArea 1 &ed l Available 1 GtUthboa ] of these functions are illustrated in the following Fig.2: Fun. Generators 2120 I 4704 1 45% CLB Slices 1060 / 2352 1 45% Dfls or Latches 1651 14704 j 35% Frequency 83 MHz
Figure 2: Tl(x,y,z), TZ(x,y,z) Functions Architectures For the SHA-2(256) the 232modulo adder is used, while for the SHA-2(384) and SHA-2(512) the 264m~duloadder is implemented. The Ch and Ma] (Fig. 3) are common functions for the three hash functions while 21, ZO are AUocatcdArea I Uspd/Av&Me I Utilization 1 different for each one of the hash functions. Fun. Generators I 4471 3704 1 95co 2237 12352 95 %
Table 4: SHA-2 (512) Implementation Synthesis Results Wbl..aJ In addition, the proposed implementations are compared Figure 3: Ch, MAj Functions Architectures in the terms of operating frequency, throughput and in the The proposed architectures for the E I, EO functions are area-delay product. These comparisons results are illustrated in the following Fig.5: shown in the next Fig. 4. In the same figure, the architectures ., . of 00, ol functions, for the generation of the Wt(i) data black, are alsozrated.
a\ i.j -. ~ -, __ L -,, ”’
.... ~ ...... -. . ..
, II ., ? v) ., z . ., < i
Figure 4: EO, El, 00, a1 Functions Architectures Figure 5: SHA-2 Functions Comparisons
V-155 The allocated area resources of the SHA-2(256) are at 5 CONCLUSIONS about 50% less than the allocated resources of the other two In this paper, three different implementations ,are hash algorithms implementations. The operating frequency proposed for the SHA-2 hash family. SHA-2 is the newest of SHA-2(384) and SHA-2(512) is measured at 75 and 74 hash function standard. This hash functions family.provides MHz respectively, and they are less compared with the 84 higher security level than the existing SHA-I. The proposed MHz of the SHA-2(256). Furthermore, the throughput of the implementations are compared in terms of operating SHA-2(512) is better compared with the other two frequency, tbroughput and in the area-delay product. From implementations. Finally the SHA-Z(Z56) hash function is the comparisons results, with other related works [9] and proven the best in the term of the area-delay product, implementations of other hash functions families [7], [9-1 I] compared with the other two hash functions integrations. it is proven that the proposed implementations performs In addition, comparisons of the proposed SHA-2 hash better in all of the cases. They can substitute efficiently the functions implementations with other related works are previous SHA-1 implementations, in communications illustrated in the Table 5. Since the SHA-2 hash family is a protocols and networks integrity units. with higher supported new standard only few related works [9] have been security level and better achieved performance. This work published until now in technical literature. Therefore, can be applied efficiently in the implementation of digital performance comparison is an enough difficult process. signature algorithms, keyed-hash message authentication Although, in the Table 5 comparisons with other hash codes and in random numbers generators architectures. function families implementations 171, [9-I I] are also given, in order to have a fair and detailed comparison of the 6 REFERENCES proposed implementations. [I] SHA-1 Standard, National Institute of Standards and Technology (NIST), Secure Hash Standard, FIPS PUB 180-1, www.itl.nist.gov/fipspubs/fipI80-1 .htm [Z] “Advanced Encryption Standard, httd/csrc.nist.eov. [3] SHA-2 Standard, National Institute of Standards and 1’1 10900Gates 59 ASIC 56 Technology (NIST), Secure Hash Standard, FIPS PUB 180-2, 1004 CLBs 42 9 FPGA I I9 www.itl.nist.gov/fipspuhs/fip180-2.htm SEA-1 191 10900 Gates 59 ASIC 86 [4] S. Bakhtiari, R.Safavi-Naini, J. Pieprzyk, “Cryptographic , Hash Functions: A Survey ”, Technical Report 95-09. SHA-1 [q I 2606CLBs I 31 ] 233 Department of Computer Science, University of SEA-1 1101 I 40 Wollongong, July 1995. [5] National Institute of Standards and Technology (NIST), Digital Signature Standard, FIPS PUB 186-2, http://csrc.nist.gov/publications/fips/fips186-2.htm 161 HMAC Standard, National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), http://csrc.nist.gov/publications/fips.htm [7]N. Sklavos, P. Kitsos, K. Papadomanolakis and 0. Koufopavlou, “Random Number Generator Architecture and VLSl Implementation”, proc. of IEEE Intemational Table 5: Implementations Comparison Results Symposium on Circuits & Systems (ISCAS’OZ), USA, The SHA-2(256) performs better in terms of operating 2002. frequency and throughput compared with both the ASIC and 181 A.Menezes, P.van Oorchot, and S.Vanstone, Handbook the FPGA implementations of the related work [9]. ofApplied Cryptography, CRC Press, Inc, October 1997. Furthermore, all the three proposed implementations are [9] S. Dominikus, “A Hardware Implementation of MD4- compared with the previous SHA-I hash function standard Family Hash Algorithms”, proc. of IEEE International hardware implementations [7], [9], [I I]. Conference on Electronics Circuits and Systems From the synthesis results of the Table 5, it is also proven (ICECS’OZ), Vol. Ill, pp.1143-1146, Croatia, 2002. that the proposed implementations performs better compared [IO] H. Dobbertin, A. Bosselaers, B. Preneel, “RIPEMD- with the hardware designs works of [7], [Y] and the software 160, a strengthened version of RIPEMD, Fast Software development of [IO], [ll]. Finally, the three proposed Encryption, LNCS 1039, Springer-Verlag 1996. implementations have better synthesis results compared with [ 1 I] Michael Roe, “Performance of Block Ciphers and Hash the works of [9], [IO], on the other well known hash family Functions-One Year Later”, proc. of Second International Workshop for Fast Software Encryption ’94, Leuven, functions, MD5. Belgium, December 14-16, 1994.
V-156