
ON THE HARDWARE IMPLEMENTATIONS OF THE SHA-2 (256, 384, 512) HASH FUNCTIONS

N. Sklavos and O. Koufopavlou
Electrical and Computer Engineering Department
University of Patras, Patras, GREECE

ABSTRACT

Coupled to the growth of wired and unwired communication networks is the increasing demand for strong, secure data transmission. New cryptographic standards are developed, and new encryption algorithms are designed, in order to satisfy the special needs for security. SHA-2 is the newest powerful standard in the hash function families. In this paper, a VLSI architecture for the SHA-2 family is proposed. For every hash function SHA-2 (256, 384, and 512) of this standard, a hardware implementation is presented. All the implementations are examined and compared in the supported security level and in the performance by using hardware terms. This work can efficiently substitute the previous SHA-1 standard implementations, in every integrity security scheme, with higher offered security level and better performance. In addition, the proposed implementations could alternatively be applied in the integration of digital signature algorithms, keyed-hash message authentication codes and random number generator architectures.

1 INTRODUCTION

The continued growth of communications in the last decades and the large range of sensitive applications offered in the networks have triggered the increasing demand for security. In some cases, the existing security standards have proved insufficient. In order to satisfy the special needs for cryptography, new security algorithms and cryptographic schemes are designed and developed.

The Secure Hash Algorithm-1 (SHA-1) [1] is the world's most popular hash function. Unfortunately, the security level of this design is limited to a level comparable to an 80-bit block cipher. The announced new AES Standard [2], which is specified in 128-, 192-, and 256-bit keys, drove the demand for a new SHA algorithm offering security comparable to the AES key strengths. On August 26, 2002, NIST announced the approval of FIPS 180-2 [3], Secure Hash Standard, which introduces the specifications of three new hash functions, SHA-2 (256, 384, 512).

Hash functions are a fundamental primitive category in modern cryptography, often called one-way hash functions. A hash function is a computationally efficient function, which maps binary strings of arbitrary length to binary strings of some fixed length, called hash-values [4].

In this paper, a VLSI architecture for the SHA-2 hash function family is proposed. Based on this architecture, every one of the SHA-2 (256, 384, 512) hash functions has been implemented separately, due to the different specifications. All the proposed implementations are examined and compared in the offered security level and in the performance by using hardware terms. From the comparison results, with other related works on other hash function implementations, it is proven that the proposed implementations perform better in all of the cases. This work can substitute the previous SHA-1 standard implementations, in every integrity security scheme, with higher supported security level and better hardware performance. In addition, the proposed implementations can be applied efficiently in the implementation of digital signature algorithms [5], keyed-hash message authentication codes [6] and random number generator architectures [7].

This paper is organized as follows: in section two the SHA-2 standard is introduced. In the next section the proposed architecture for the SHA-2 hash function family is presented in detail. In addition, the specifications and the design demands for each one of the proposed implementations, SHA-2 (256), SHA-2 (384) and SHA-2 (512), are also presented. The VLSI implementation synthesis results are given in section 4 and comparisons with other related works are presented. Finally, conclusions are discussed in the last section.

0-7803-7761-3/03/$17.00 ©2003 IEEE, V-153

2 SECURE HASH FUNCTION

The SHA-2 standard [3] supersedes the existing FIPS 180-1 [1], adding three new algorithms, SHA-2(256), SHA-2(384), and SHA-2(512), for computing a condensed representation (message digest) of electronic data (input message). The message digests range in length from 160 to 512 bits, depending on the algorithm. These hash functions enable the determination of a message's integrity: any change to the message will, with a very high probability, result in a different message digest. Secure hash functions are basically used with other cryptographic algorithms, such as digital signature algorithms, keyed-hash message authentication codes, and in random number generators.

The three new hash functions specified in this standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest.

The hash functions of the SHA-2 family differ most significantly in the number of security bits that are provided for the hashed input data block. Security is directly related to the message digest length. In most cases, when a secure hash function is used in conjunction with another algorithm, there are special specifications, which require the use of a secure hash function with a certain number of security bits. For example, if a message is being signed with a digital signature algorithm that provides 256-bit security, then that signature algorithm may require the use of a secure hash algorithm that provides 256-bit security, SHA-2(512). In addition, these three hash functions differ in terms of the block size and words of data that are used during hashing. Table 1 presents the basic properties of all four secure hash functions.

Table 1: Secure Hash Functions Comparison

In the above table, "security" is defined by a birthday attack [8] on a message digest of size n, which finally produces a collision with a work factor of approximately $2^{n/2}$.

3 PROPOSED SHA-2 FAMILY ARCHITECTURE

In order to implement the three hash functions of the SHA-2 family, a common architecture has been designed, and it is used for each one of them separately. This proposed architecture is illustrated in Fig. 1.

Figure 1: Proposed SHA-2 Family Architecture

The PADDER pads the input data and converts them to n-bit blocks (padded data). This operation is the same for these three hash functions, which sequentially process blocks of n bits. The padded message is generated with the following process: a logic "1", followed by m "0"s, followed by a 64-bit integer are appended to the end of the input data message, to produce a padded message of length equal to a multiple of n. The 64-bit integer is equal to the length of the input data message. The padded data is a multiple of 512 bits for the SHA-2(256) and a multiple of 1024 for the SHA-2(384) and SHA-2(512). The padded data are divided into N equal data blocks $M^{1}, \ldots, M^{N}$ and are processed in order, using the following equations:

$W(i) = M^{i}, \quad 0 \le i \le 15$ (1)
$W(i) = \sigma_1(W(i-2)) + W(i-7) + \sigma_0(W(i-15)) + W(i-16), \quad 15 < i$ (2)

where i indicates the number of the transformation round. Every one of the hash functions uses a specified number of transformation rounds, which is determined in Table 1.

The ROM Blocks are used for predefined K(i) constants support. These constants are different for each one of the implemented hash functions. For the SHA-2(256), 64x32-bit ROM blocks are allocated, while each one of the SHA-2(384) and SHA-2(512) uses 80x64-bit ROM blocks. Finally, a last modification (MODIFIED UNIT) is performed to the data before the message digest is produced.

The basic TRANSFORMATION ROUND works with 8 basic inputs (A_IN, ..., H_IN) and 8 outputs (A_OUT, ..., H_OUT), which are related by the following equations:

(5)
$D\_OUT = C\_IN$ (6)
$E\_OUT = D\_IN + T1(E\_IN, F\_IN, G\_IN, H\_IN)$ (7)
$F\_OUT = E\_IN$ (8)
$G\_OUT = F\_IN$ (9)
$H\_OUT = G\_IN$ (10)

The working inputs are initialized to the constant values (A_Con, ..., H_Con) before hash computation begins. In the above equations, two functions T1(x,y,z) and T2(x,y,z) are used for the desirable data transformation. The architectures of these functions are illustrated in the following Fig. 2:

Figure 2: T1(x,y,z), T2(x,y,z) Functions Architectures

For the SHA-2(256) the $2^{32}$ modulo adder is used, while for the SHA-2(384) and SHA-2(512) the $2^{64}$ modulo adder is implemented. The Ch and Maj (Fig. 3) are common functions for the three hash functions while $\Sigma_1$, $\Sigma_0$ are different for each one of the hash functions.

where R(n) indicates right rotation of the input by n bits and S(n) indicates right shift by n bits. The functions of Fig. 4 are similar but they are implemented by using different constants for each one of the SHA-2 family hash functions. The specified constant values for every hash function are given by the SHA-2 standard [3].

4 VLSI SYNTHESIS RESULTS

The proposed architectures have been captured by using VHDL and have been synthesized, placed and routed using XILINX FPGA Virtex Device (v200pq240). The synthesis results for the proposed SHA-2 implementations are illustrated in the following Tables 2-4.

| Allocated Area | Used / Available | Utilization |
| Fun. Generators | 2120 / 4704 | 45% |
| CLB Slices | 1060 / 2352 | 45% |
| Dffs or Latches | 1651 / 4704 | 35% |
| Frequency | 83 MHz | |

| Allocated Area | Used / Available | Utilization |
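Added example, not part of the paper: a software reference model of the SHA-2(256) datapath described in section 3 (PADDER, equations (1)-(2), the 64x32-bit K(i) ROM, the transformation round and the final modification), of the kind used to generate golden vectors for a hardware testbench. The rotation and shift amounts and the derivation of the constants are taken from FIPS 180-2 [3], not from this text, and all function names are illustrative.

```python
import math
import struct

MASK = 0xFFFFFFFF  # SHA-2(256) uses the 2^32 modulo adder

def _primes(n):
    out, c = [], 2
    while len(out) < n:
        out += [c] if all(c % p for p in out) else []
        c += 1
    return out

def _icbrt(x):  # exact integer cube root by binary search (no float rounding)
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

# ROM contents (FIPS 180-2): fractional bits of cube/square roots of the first primes
K = [_icbrt(p << 96) & MASK for p in _primes(64)]       # 64 x 32-bit K(i)
H0 = [math.isqrt(p << 64) & MASK for p in _primes(8)]   # A_Con .. H_Con

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def padder(msg):  # a "1" bit, m "0" bits, then the 64-bit message bit length
    m = (55 - len(msg)) % 64
    return msg + b"\x80" + b"\x00" * m + struct.pack(">Q", 8 * len(msg))

def schedule(block):
    w = list(struct.unpack(">16I", block))                 # eq. (1)
    for i in range(16, 64):                                # eq. (2)
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((s1 + w[i - 7] + s0 + w[i - 16]) & MASK)
    return w

def sha256_model(msg):
    state = list(H0)
    data = padder(msg)
    for off in range(0, len(data), 64):
        a, b, c, d, e, f, g, h = state
        for k, w in zip(K, schedule(data[off:off + 64])):  # register shift, eqs. (6)-(10)
            t1 = h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + k + w
            t2 = (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
            a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *state)
```

Message lengths of 55 and 56 bytes are the padding boundary worth exercising in a testbench: the first still fits one 512-bit block, the second forces a second block.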