`
`FEDERAL INFORMATION PROCESSING STANDARDS
`PUBLICATION
`
`Secure Hash Standard (SHS)
`
`CATEGORY: COMPUTER SECURITY
`
`SUBCATEGORY: CRYPTOGRAPHY
`
`Information Technology Laboratory
`National Institute of Standards and Technology
`Gaithersburg, MD 20899-8900
`
`This publication is available free of charge from:
`http://dx.doi.org/10.6028/NIST.FIPS.180-4
`
`August 2015
`
`U.S. Department of Commerce
`Penny Pritzker, Secretary
`
`National Institute of Standards and Technology
`Willie E. May, Under Secretary for Standards and Technology and Director
`
`WIZ, Inc. EXHIBIT - 1092
`WIZ, Inc. v. Orca Security LTD.
`
`
`
`FOREWORD
`
`The Federal Information Processing Standards Publication Series of the National Institute
`of Standards and Technology (NIST) is the official series of publications relating to
`standards and guidelines adopted and promulgated under the provisions of the Federal
`Information Security Management Act (FISMA) of 2002.
`
`Comments concerning FIPS publications are welcomed and should be addressed to the
`Director, Information Technology Laboratory, National Institute of Standards and
`Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.
`Charles H. Romine, Director
`Information Technology Laboratory
`
`
`
`
`Abstract
`This standard specifies hash algorithms that can be used to generate digests of messages.
`The digests are used to detect whether messages have been changed since the digests
`were generated.
`
`Key words: computer security, cryptography, message digest, hash function, hash
`algorithm, Federal Information Processing Standards, Secure Hash Standard.
`
`
`
`
`Federal Information
`Processing Standards Publication 180-4
`
`August 2015
`
`Announcing the
`
`SECURE HASH STANDARD
`
`Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National
`Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce
`pursuant to Section 5131 of the Information Technology Management Reform Act of 1996
`(Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235).
`
`1. Name of Standard: Secure Hash Standard (SHS) (FIPS PUB 180-4).
`
`2. Category of Standard: Computer Security Standard, Cryptography.
`
`3. Explanation: This Standard specifies secure hash algorithms - SHA-1, SHA-224, SHA-256,
`SHA-384, SHA-512, SHA-512/224 and SHA-512/256 - for computing a condensed
representation of electronic data (message). When a message of any length less than 2^64 bits (for
SHA-1, SHA-224 and SHA-256) or less than 2^128 bits (for SHA-384, SHA-512, SHA-512/224
`and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest.
`The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure
`hash algorithms are typically used with other cryptographic algorithms, such as digital signature
`algorithms and keyed-hash message authentication codes, or in the generation of random
`numbers (bits).
`
`The hash algorithms specified in this Standard are called secure because, for a given algorithm, it
`is computationally infeasible 1) to find a message that corresponds to a given message digest, or
`2) to find two different messages that produce the same message digest. Any change to a
`message will, with a very high probability, result in a different message digest. This will result in
`a verification failure when the secure hash algorithm is used with a digital signature algorithm or
`a keyed-hash message authentication algorithm.
`
`This Standard supersedes FIPS 180-3 [FIPS 180-3].
`
`4. Approving Authority: Secretary of Commerce.
`
`5. Maintenance Agency: U.S. Department of Commerce, National Institute of Standards and
`Technology (NIST), Information Technology Laboratory (ITL).
`
`
`
`
`6. Applicability: This Standard is applicable to all Federal departments and agencies for the
`protection of sensitive unclassified information that is not subject to Title 10 United States Code
`Section 2315 (10 USC 2315) and that is not within a national security system as defined in Title
`40 United States Code Section 11103(a)(1) (40 USC 11103(a)(1)). Either this Standard or
`Federal Information Processing Standard (FIPS) 202 must be implemented wherever a secure
`hash algorithm is required for Federal applications, including as a component within other
`cryptographic algorithms and protocols. This Standard may be adopted and used by non-Federal
`Government organizations.
`
`7. Specifications: Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard
`(SHS) (affixed).
`
`8. Implementations: The secure hash algorithms specified herein may be implemented in
`software, firmware, hardware or any combination thereof. Only algorithm implementations that
`are validated by NIST will be considered as complying with this standard. Information about the
`validation program can be obtained at http://csrc.nist.gov/groups/STM/index.html.
`
`9. Implementation Schedule: Guidance regarding the testing and validation to FIPS 180-4 and
`its relationship to FIPS 140-2 can be found in IG 1.10 of the Implementation Guidance for FIPS
`PUB 140-2 and the Cryptographic Module Validation Program at
`http://csrc.nist.gov/groups/STM/cmvp/index.html.
`
`10. Patents: Implementations of the secure hash algorithms in this standard may be covered by
`U.S. or foreign patents.
`
`11. Export Control: Certain cryptographic devices and technical data regarding them are
`subject to Federal export controls. Exports of cryptographic modules implementing this standard
`and technical data regarding them must comply with these Federal regulations and be licensed by
`the Bureau of Export Administration of the U.S. Department of Commerce. Information about
`export regulations is available at: http://www.bis.doc.gov/index.htm.
`
`12. Qualifications: While it is the intent of this Standard to specify general security
`requirements for generating a message digest, conformance to this Standard does not assure that
`a particular implementation is secure. The responsible authority in each agency or department
`shall assure that an overall implementation provides an acceptable level of security. This
`Standard will be reviewed every five years in order to assess its adequacy.
`
`13. Waiver Procedure: The Federal Information Security Management Act (FISMA) does not
`allow for waivers to a FIPS that is made mandatory by the Secretary of Commerce.
`
`14. Where to Obtain Copies of the Standard: This publication is available electronically by
`accessing http://csrc.nist.gov/publications/. Other computer security publications are available at
`the same web site.
`
`
`
`
`Federal Information
`Processing Standards Publication 180-4
`
`Specifications for the
`
`SECURE HASH STANDARD
`
Table of Contents

1. INTRODUCTION

2. DEFINITIONS
    2.1 GLOSSARY OF TERMS AND ACRONYMS
    2.2 ALGORITHM PARAMETERS, SYMBOLS, AND TERMS
        2.2.1 Parameters
        2.2.2 Symbols and Operations

3. NOTATION AND CONVENTIONS
    3.1 BIT STRINGS AND INTEGERS
    3.2 OPERATIONS ON WORDS

4. FUNCTIONS AND CONSTANTS
    4.1 FUNCTIONS
        4.1.1 SHA-1 Functions
        4.1.2 SHA-224 and SHA-256 Functions
        4.1.3 SHA-384, SHA-512, SHA-512/224 and SHA-512/256 Functions
    4.2 CONSTANTS
        4.2.1 SHA-1 Constants
        4.2.2 SHA-224 and SHA-256 Constants
        4.2.3 SHA-384, SHA-512, SHA-512/224 and SHA-512/256 Constants

5. PREPROCESSING
    5.1 PADDING THE MESSAGE
        5.1.1 SHA-1, SHA-224 and SHA-256
        5.1.2 SHA-384, SHA-512, SHA-512/224 and SHA-512/256
    5.2 PARSING THE MESSAGE
        5.2.1 SHA-1, SHA-224 and SHA-256
        5.2.2 SHA-384, SHA-512, SHA-512/224 and SHA-512/256
    5.3 SETTING THE INITIAL HASH VALUE (H(0))
        5.3.1 SHA-1
        5.3.2 SHA-224
        5.3.3 SHA-256
        5.3.4 SHA-384
        5.3.5 SHA-512
        5.3.6 SHA-512/t

6. SECURE HASH ALGORITHMS
    6.1 SHA-1
        6.1.1 SHA-1 Preprocessing
        6.1.2 SHA-1 Hash Computation
        6.1.3 Alternate Method for Computing a SHA-1 Message Digest
    6.2 SHA-256
        6.2.1 SHA-256 Preprocessing
        6.2.2 SHA-256 Hash Computation
    6.3 SHA-224
    6.4 SHA-512
        6.4.1 SHA-512 Preprocessing
        6.4.2 SHA-512 Hash Computation
    6.5 SHA-384
    6.6 SHA-512/224
    6.7 SHA-512/256

7. TRUNCATION OF A MESSAGE DIGEST

APPENDIX A: ADDITIONAL INFORMATION
    A.1 SECURITY OF THE SECURE HASH ALGORITHMS
    A.2 IMPLEMENTATION NOTES
    A.3 OBJECT IDENTIFIERS

APPENDIX B: REFERENCES

APPENDIX C: TECHNICAL CHANGES FROM FIPS 180-3

ERRATUM
`
`
`
1. INTRODUCTION

This Standard specifies secure hash algorithms, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512,
SHA-512/224 and SHA-512/256. All of the algorithms are iterative, one-way hash
`functions that can process a message to produce a condensed representation called a message
`digest. These algorithms enable the determination of a message’s integrity: any change to the
`message will, with a very high probability, result in a different message digest. This property is
`useful in the generation and verification of digital signatures and message authentication codes,
`and in the generation of random numbers or bits.
`
`Each algorithm can be described in two stages: preprocessing and hash computation.
`Preprocessing involves padding a message, parsing the padded message into m-bit blocks, and
`setting initialization values to be used in the hash computation. The hash computation generates
`a message schedule from the padded message and uses that schedule, along with functions,
`constants, and word operations to iteratively generate a series of hash values. The final hash
`value generated by the hash computation is used to determine the message digest.
`
`The algorithms differ most significantly in the security strengths that are provided for the data
`being hashed. The security strengths of these hash functions and the system as a whole when
`each of them is used with other cryptographic algorithms, such as digital signature algorithms
`and keyed-hash message authentication codes, can be found in [SP 800-57] and [SP 800-107].
`
`Additionally, the algorithms differ in terms of the size of the blocks and words of data that are
`used during hashing or message digest sizes. Figure 1 presents the basic properties of these hash
`algorithms.
`
Algorithm      Message Size    Block Size    Word Size    Message Digest Size
               (bits)          (bits)        (bits)       (bits)
SHA-1          < 2^64          512           32           160
SHA-224        < 2^64          512           32           224
SHA-256        < 2^64          512           32           256
SHA-384        < 2^128         1024          64           384
SHA-512        < 2^128         1024          64           512
SHA-512/224    < 2^128         1024          64           224
SHA-512/256    < 2^128         1024          64           256

Figure 1: Secure Hash Algorithm Properties
`
`
`
`
`
`
`
2. DEFINITIONS

2.1 Glossary of Terms and Acronyms

Bit             A binary digit having a value of 0 or 1.

Byte            A group of eight bits.

FIPS            Federal Information Processing Standard.

NIST            National Institute of Standards and Technology.

SHA             Secure Hash Algorithm.

SP              Special Publication

Word            A group of either 32 bits (4 bytes) or 64 bits (8 bytes), depending on the
                secure hash algorithm.

2.2 Algorithm Parameters, Symbols, and Terms

2.2.1 Parameters

The following parameters are used in the secure hash algorithm specifications in this Standard.

a, b, c, …, h   Working variables that are the w-bit words used in the computation of the
                hash values, H(i).

H(i)            The ith hash value. H(0) is the initial hash value; H(N) is the final hash value
                and is used to determine the message digest.

H_j^(i)         The jth word of the ith hash value, where H_0^(i) is the left-most word of hash
                value i.

Kt              Constant value to be used for the iteration t of the hash computation.

k               Number of zeroes appended to a message during the padding step.

                Length of the message, M, in bits.

m               Number of bits in a message block, M(i).

M               Message to be hashed.

M(i)            Message block i, with a size of m bits.

M_j^(i)         The jth word of the ith message block, where M_0^(i) is the left-most word of
                message block i.

n               Number of bits to be rotated or shifted when a word is operated upon.

N               Number of blocks in the padded message.

T               Temporary w-bit word used in the hash computation.

w               Number of bits in a word.

Wt              The tth w-bit word of the message schedule.

`2.2.2 Symbols and Operations
`
`The following symbols are used in the secure hash algorithm specifications; each operates on w-
`bit words.
`
`
                Bitwise AND operation.

                Bitwise OR (“inclusive-OR”) operation.

                Bitwise XOR (“exclusive-OR”) operation.

                Bitwise complement operation.

+               Addition modulo 2^w.

<<              Left-shift operation, where x << n is obtained by discarding the left-most n
                bits of the word x and then padding the result with n zeroes on the right.

>>              Right-shift operation, where x >> n is obtained by discarding the right-
                most n bits of the word x and then padding the result with n zeroes on the
                left.

`The following operations are used in the secure hash algorithm specifications:
`
`ROTL n(x)
`
`The rotate left (circular left shift) operation, where x is a w-bit word and n
` n < w, is defined by ROTL n(x)=(x << n)
`is an integer with 0
`
`(x >> w - n).
`
`
`ROTR n(x)
`
`The rotate right (circular right shift) operation, where x is a w-bit word
` n < w, is defined by ROTR n(x)=(x >> n)
`and n is an integer with 0
`
`(x << w - n).
`
`
`
`
`)(i
`
`jM
`
`iM
`
`)(
`0
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`SHR n(x)
`
`The right shift operation, where x is a w-bit word and n is an integer with 0
` n < w, is defined by SHR n(x)=x >> n.
`
`
`
`
`
`
`
`
`
`
3. NOTATION AND CONVENTIONS
`
`3.1 Bit Strings and Integers
`The following terminology related to bit strings and integers will be used.
`
`
`1. A hex digit is an element of the set {0, 1,…, 9, a,…, f}. A hex digit is the
`representation of a 4-bit string. For example, the hex digit “7” represents the 4-bit
`string “0111”, and the hex digit “a” represents the 4-bit string “1010”.
`
`
`2. A word is a w-bit string that may be represented as a sequence of hex digits. To
`convert a word to hex digits, each 4-bit string is converted to its hex digit equivalent,
`as described in (1) above. For example, the 32-bit string
`
`
`
`
`
`
`
`
`
`
`
`1010 0001 0000 0011 1111 1110 0010 0011
`
`
`can be expressed as “a103fe23”, and the 64-bit string
`
`
`1010 0001 0000 0011 1111 1110 0010 0011
`0011 0010 1110 1111 0011 0000 0001 1010
`
`
`can be expressed as “a103fe2332ef301a”.
`
`Throughout this specification, the “big-endian” convention is used when expressing
`both 32- and 64-bit words, so that within each word, the most significant bit is stored
`in the left-most bit position.
`
`3. An integer may be represented as a word or pair of words. A word representation of
`the message length,
`, in bits, is required for the padding techniques of Sec. 5.1.
`
An integer between 0 and 2^32-1 inclusive may be represented as a 32-bit word. The
least significant four bits of the integer are represented by the right-most hex digit of
the word representation. For example, the integer 291 = 2^8 + 2^5 + 2^1 + 2^0 = 256+32+2+1
is represented by the hex word “00000123”.

The same holds true for an integer between 0 and 2^64-1 inclusive, which may be
represented as a 64-bit word.

If Z is an integer, 0 ≤ Z < 2^64, then Z = 2^32 X + Y, where 0 ≤ X < 2^32 and 0 ≤ Y < 2^32.
Since X and Y can be represented as 32-bit words x and y, respectively, the integer Z
can be represented as the pair of words (x, y). This property is used for SHA-1, SHA-224
and SHA-256.

If Z is an integer, 0 ≤ Z < 2^128, then Z = 2^64 X + Y, where 0 ≤ X < 2^64 and 0 ≤ Y < 2^64.
Since X and Y can be represented as 64-bit words x and y, respectively, the integer Z
can be represented as the pair of words (x, y). This property is used for SHA-384,
SHA-512, SHA-512/224 and SHA-512/256.
`
`4. For the secure hash algorithms, the size of the message block - m bits - depends on the
`algorithm.
`
`a) For SHA-1, SHA-224 and SHA-256, each message block has 512 bits, which are
`represented as a sequence of sixteen 32-bit words.
`
`
`
`b) For SHA-384, SHA-512, SHA-512/224 and SHA-512/256 each message block
`has 1024 bits, which are represented as a sequence of sixteen 64-bit words.
`
`
`
`3.2 Operations on Words
`The following operations are applied to w-bit words in all five secure hash algorithms. SHA-1,
`SHA-224 and SHA-256 operate on 32-bit words (w=32), and SHA-384, SHA-512, SHA-
`512/224 and SHA-512/256 operate on 64-bit words (w=64).
`
`
`, and
`
` (see Sec. 2.2.2).
`
`,
`
`,
`
`1. Bitwise logical word operations:
`
2. Addition modulo 2^w.

The operation x + y is defined as follows. The words x and y represent integers X and
Y, where 0 ≤ X < 2^w and 0 ≤ Y < 2^w. For positive integers U and V, let U mod V be
the remainder upon dividing U by V. Compute

Z = (X + Y) mod 2^w.

Then 0 ≤ Z < 2^w. Convert the integer Z to a word, z, and define z = x + y.
`
`
`3. The right shift operation SHR n(x), where x is a w-bit word and n is an integer with 0
` n < w, is defined by
`
`SHR n(x)=x >> n.
`
`This operation is used in the SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224
`and SHA-512/256 algorithms.
`
`4. The rotate right (circular right shift) operation ROTR n(x), where x is a w-bit word
`and n is an integer with 0
` n < w, is defined by
`
`
`
`ROTR n(x)=(x >> n)
`
`
` (x << w - n).
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`U mod
`
`V
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Thus, ROTR n(x) is equivalent to a circular shift (rotation) of x by n positions to the
`right.
`
`This operation is used by the SHA-224, SHA-256, SHA-384, SHA-512, SHA-
`512/224 and SHA-512/256 algorithms.
`
`5. The rotate left (circular left shift) operation, ROTL n(x), where x is a w-bit word and n
` n < w, is defined by
`is an integer with 0
`
`
`
` (x >> w - n).
`
`ROTL n(x)=(x << n)
`
`Thus, ROTL n(x) is equivalent to a circular shift (rotation) of x by n positions to the
`left.
`
`This operation is used only in the SHA-1 algorithm.
`
`6. Note the following equivalence relationships, where w is fixed in each relationship:
`
`
`ROTL n(x)
`
`ROTR n(x)
`
` ROTR w-n(x)
`
` ROTL w-n(x)
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
4. FUNCTIONS AND CONSTANTS

4.1 Functions

This section defines the functions that are used by each of the algorithms. Although the SHA-224,
SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 algorithms all use similar
functions, their descriptions are separated into sections for SHA-224 and SHA-256 (Sec. 4.1.2)
and for SHA-384, SHA-512, SHA-512/224 and SHA-512/256 (Sec. 4.1.3), since the input and
output for these functions are words of different sizes. Each of the algorithms includes Ch(x, y, z)
and Maj(x, y, z) functions; the exclusive-OR operation ( ) in these functions may be replaced
by a bitwise OR operation () and produce identical results.
`
` Ch(x, y, z)=(x
`
`y)
`
` (
`
`x
`
`z)
`
`0
`
` t
`
` 19
`
`
`
4.1.1 SHA-1 Functions

SHA-1 uses a sequence of logical functions, f0, f1,…, f79. Each function ft, where 0 ≤ t ≤ 79,
operates on three 32-bit words, x, y, and z, and produces a 32-bit word as output. The function ft
(x, y, z) is defined as follows:
`
`
`
`
`
`
`
`
`
`
`ft (x, y, z) =
`
` Parity(x, y, z)=x
`
`
` Maj(x, y, z)=(x
`
` y
`
` z
`
`20
`
` t
`
` 39
`
`y)
`
` (x
`
`z)
`
` (y
`
`z)
`
`40
`
` t
`
` 59
`
`(4.1)
`
`
` Parity(x, y, z)=x
`
` y
`
` z
`
`60
`
` t
`
` 79.
`
`
`
`4.1.2 SHA-224 and SHA-256 Functions
`
`SHA-224 and SHA-256 both use six logical functions, where each function operates on 32-bit
`words, which are represented as x, y, and z. The result of each function is a new 32-bit word.
`
`
`
`
`
` =
` =
`
`
`
`
`
`(4.2)
`(4.3)
`
`
`
`
`
`
`
`
`
`
`
`
` = ROTR 2(x)
`
` ROTR 13(x)
`
` ROTR 22(x)
`
` = ROTR 6(x)
`
` ROTR 11(x)
`
` ROTR 25(x)
`
` = ROTR 7(x)
` = ROTR 17(x)
`
` ROTR 18(x)
` ROTR 19(x)
`
` SHR 3(x)
` SHR 10(x)
`
`(4.4)
`
`(4.5)
`
`(4.6)
`
`(4.7)
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
` ,( ), zyxCh
`
`
`
`(
`
`x
`
`
`
`
`
`z
`
`)
`
` y) ( x
`
`
`
`
`
`
`
` ,( ), zyxMaj
`
`
`
`(
`
`x
`
`
`
`
`
`
`
`
`
` y) (x z) y(
`
`
`
`
`
`
`
`
`
`z
`
`)
`
`)(x
`
` }256
`
`{ 0
`
`
`
`
`
`)(x
`
` }256
`
`{ 1
`
`
`
`
`
`
`
`)(}256 x
`
`{ 0
`
`
`
`
`
`
`
`
`
`)(}256 x
`
`{ 1
`
`
`
`
`
`
`
`
`
`
`
`4.1.3 SHA-384, SHA-512, SHA-512/224 and SHA-512/256 Functions
`
`SHA-384, SHA-512, SHA-512/224 and SHA-512/256 use six logical functions, where each
`function operates on 64-bit words, which are represented as x, y, and z. The result of each
`function is a new 64-bit word.
`
`
`
`
`
` =
` =
`
`
`
`
`
`(4.8)
`(4.9)
`
`
`
`
`
`
`
`
`
` = ROTR 28(x)
`
` ROTR 34(x)
`
` ROTR 39(x)
`
` = ROTR 14(x)
`
` ROTR 18(x)
`
` ROTR 41(x)
`
` = ROTR 1(x)
` = ROTR 19(x)
`
` ROTR 8(x)
` ROTR 61(x)
`
` SHR 7(x)
` SHR 6(x)
`
`(4.10)
`
`(4.11)
`
`(4.12)
`
`(4.13)
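The word operations of Sec. 3.2 and the six logical functions of Sec. 4.1.2 and 4.1.3, written out as an added example (not part of the Standard) for both word sizes. The functions follow the FIPS 180-4 definitions; the names `rotr`, `big_sigma`, `small_sigma`, `combine_with_or` and `equivalences_hold` are this example's own. `equivalences_hold` checks the ROTL/ROTR relationships of Sec. 3.2 and the statement in Sec. 4.1 that Ch and Maj give identical results with OR in place of XOR.

```python
import random


def rotr(x, n, w):
    """ROTR^n(x): circular right shift of the w-bit word x, 0 <= n < w."""
    return ((x >> n) | (x << (w - n))) & ((1 << w) - 1)


def rotl(x, n, w):
    """ROTL^n(x): circular left shift of the w-bit word x, 0 <= n < w."""
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)


def shr(x, n):
    """SHR^n(x): right shift, zeroes enter on the left."""
    return x >> n


def add(x, y, w):
    """Addition modulo 2^w."""
    return (x + y) % (1 << w)


def ch(x, y, z, w, combine_with_or=False):
    """Ch: each bit of x chooses between the matching bit of y (1) and z (0)."""
    not_x = ~x & ((1 << w) - 1)          # bitwise complement, kept to w bits
    left, right = x & y, not_x & z
    return (left | right) if combine_with_or else (left ^ right)


def maj(x, y, z, combine_with_or=False):
    """Maj: each output bit is the majority of the three input bits."""
    a, b, c = x & y, x & z, y & z
    return (a | b | c) if combine_with_or else (a ^ b ^ c)


# Rotation and shift amounts from equations (4.4)-(4.7) and (4.10)-(4.13).
AMOUNTS = {
    32: {"Sigma0": (2, 13, 22), "Sigma1": (6, 11, 25),
         "sigma0": (7, 18, 3), "sigma1": (17, 19, 10)},
    64: {"Sigma0": (28, 34, 39), "Sigma1": (14, 18, 41),
         "sigma0": (1, 8, 7), "sigma1": (19, 61, 6)},
}


def big_sigma(x, index, w):
    """Upper-case sigma functions: XOR of three rotations."""
    a, b, c = AMOUNTS[w]["Sigma%d" % index]
    return rotr(x, a, w) ^ rotr(x, b, w) ^ rotr(x, c, w)


def small_sigma(x, index, w):
    """Lower-case sigma functions: XOR of two rotations and one shift."""
    a, b, c = AMOUNTS[w]["sigma%d" % index]
    return rotr(x, a, w) ^ rotr(x, b, w) ^ shr(x, c)


def equivalences_hold(w, trials=2000, seed=180):
    """Check the stated equivalences on pseudo-random w-bit words."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, z = (rng.getrandbits(w) for _ in range(3))
        n = rng.randrange(1, w)
        if rotl(x, n, w) != rotr(x, w - n, w):
            return False
        if rotr(x, n, w) != rotl(x, w - n, w):
            return False
        if ch(x, y, z, w) != ch(x, y, z, w, combine_with_or=True):
            return False
        if maj(x, y, z) != maj(x, y, z, combine_with_or=True):
            return False
    return True


if __name__ == "__main__":
    print(hex(big_sigma(1, 0, 32)), hex(small_sigma(1, 0, 32)))
    print(equivalences_hold(32), equivalences_hold(64))
```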
`
`4.2 Constants
`
`4.2.1 SHA-1 Constants
SHA-1 uses a sequence of eighty constant 32-bit words, K0, K1,…, K79, which are given by

        5a827999     0 ≤ t ≤ 19
Kt =    6ed9eba1    20 ≤ t ≤ 39
        8f1bbcdc    40 ≤ t ≤ 59
        ca62c1d6    60 ≤ t ≤ 79        (4.14)

`
`
`4.2.2 SHA-224 and SHA-256 Constants
`
SHA-224 and SHA-256 use the same sequence of sixty-four constant 32-bit words,
K_0^{256}, K_1^{256}, …, K_63^{256}. These words represent the first thirty-two bits of the
fractional parts of the cube roots of the first sixty-four prime numbers. In hex, these constant
words are (from left to right)
`
`
`428a2f98 71374491 b5c0fbcf e9b5dba5 3956c25b 59f111f1 923f82a4 ab1c5ed5
`d807aa98 12835b01 243185be 550c7dc3 72be5d74 80deb1fe 9bdc06a7 c19bf174
`e49b69c1 efbe4786 0fc19dc6 240ca1cc 2de92c6f 4a7484aa 5cb0a9dc 76f988da
`983e5152 a831c66d b00327c8 bf597fc7 c6e00bf3 d5a79147 06ca6351 14292967
`27b70a85 2e1b2138 4d2c6dfc 53380d13 650a7354 766a0abb 81c2c92e 92722c85
`a2bfe8a1 a81a664b c24b8b70 c76c51a3 d192e819 d6990624 f40e3585 106aa070
`19a4c116 1e376c08 2748774c 34b0bcb5 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
`748f82ee 78a5636f 84c87814 8cc70208 90befffa a4506ceb bef9a3f7 c67178f2
`
`
`
`
`
`
` ,( ), zyxCh
`
`
`
`(
`
`x
`
`
`
`
`
`z
`
`)
`
` y) ( x
`
`
`
`
`
`
`
` ,( ), zyxMaj
`
`
`
`(
`
`x
`
`
`
`
`
`
`
`
`
` y) (x z) y(
`
`
`
`
`
`
`
`
`
`z
`
`)
`
`)(x
`
` }512
`
`{ 0
`
`
`
`
`
`)(x
`
` }512
`
`{ 1
`
`
`
`
`
`
`
` )(}512 x
`
`{ 0
`
`
`
`
`
`
`
` )(}512 x
`
`{ 1
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`}256
`3
`
`{ 6
`
`
`,
`
`,
`
`K
`
`}256
`
`{ 1
`
`,
`
`K
`
`}256
`
`{ 0
`
`K
`
`
`
`
`
`4.2.3 SHA-384, SHA-512, SHA-512/224 and SHA-512/256 Constants
`
SHA-384, SHA-512, SHA-512/224 and SHA-512/256 use the same sequence of eighty constant
64-bit words, K_0^{512}, K_1^{512}, …, K_79^{512}. These words represent the first sixty-four
bits of the fractional parts of the cube roots of the first eighty prime numbers. In hex, these
constant words are (from left to right)
`
`
`428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc
`3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118
`d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2
`72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694
`e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65
`2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5
`983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4
`c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70
`27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df
`650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b
`a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30
`d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8
`19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8
`391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3
`748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec
`90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b
`ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178
`06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b
`28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c
`4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817
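
The derivation stated in Sec. 4.2.2 and 4.2.3 can be checked independently. The following added example (not part of the Standard) recomputes the constants from cube roots of primes with exact integer arithmetic and compares them with the values listed above; the function names and the `LISTED_K256` table name are this example's own.

```python
def first_primes(count):
    """Return the first `count` primes by trial division."""
    primes = []
    candidate = 2
    while len(primes) < count:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def integer_cube_root(n):
    """Largest integer r with r**3 <= n, found by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def cube_root_fraction(prime, bits):
    """First `bits` bits of the fractional part of the cube root of `prime`."""
    # floor(cbrt(prime) * 2**bits) equals integer_cube_root(prime * 2**(3*bits));
    # masking to `bits` bits discards the integer part of the root.
    scaled = integer_cube_root(prime << (3 * bits))
    return scaled & ((1 << bits) - 1)


def round_constants(count, bits):
    """Constants for the first `count` primes, `bits` bits each."""
    return [cube_root_fraction(p, bits) for p in first_primes(count)]


# The SHA-224/SHA-256 table as listed in Sec. 4.2.2, read left to right.
LISTED_K256 = [int(word, 16) for word in """
428a2f98 71374491 b5c0fbcf e9b5dba5 3956c25b 59f111f1 923f82a4 ab1c5ed5
d807aa98 12835b01 243185be 550c7dc3 72be5d74 80deb1fe 9bdc06a7 c19bf174
e49b69c1 efbe4786 0fc19dc6 240ca1cc 2de92c6f 4a7484aa 5cb0a9dc 76f988da
983e5152 a831c66d b00327c8 bf597fc7 c6e00bf3 d5a79147 06ca6351 14292967
27b70a85 2e1b2138 4d2c6dfc 53380d13 650a7354 766a0abb 81c2c92e 92722c85
a2bfe8a1 a81a664b c24b8b70 c76c51a3 d192e819 d6990624 f40e3585 106aa070
19a4c116 1e376c08 2748774c 34b0bcb5 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
748f82ee 78a5636f 84c87814 8cc70208 90befffa a4506ceb bef9a3f7 c67178f2
""".split()]


def check_constants():
    """Derive both constant sequences and compare them with the listed values."""
    k256 = round_constants(64, 32)
    k512 = round_constants(80, 64)
    return {
        "k256_matches_listed": k256 == LISTED_K256,
        "k512_first": format(k512[0], "016x"),
        "k512_last": format(k512[79], "016x"),
        # Same primes, more fraction bits: the upper 32 bits of the first
        # sixty-four 64-bit constants are the 32-bit constants.
        "k512_high_halves_are_k256": [k >> 32 for k in k512[:64]] == k256,
    }


if __name__ == "__main__":
    for name, value in check_constants().items():
        print(name, value)
```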
`
`
`
`
`}512
`9
`
`{ 7
`
`
`,
`
`,
`
`K
`
`}512
`
`{ 1
`
`,
`
`K
`
`}512
`
`{ 0
`
`K
`
`
`
`
`
`
`
5. PREPROCESSING

`Preprocessing consists of three steps: padding the message, M (Sec. 5.1), parsing the message
`into message blocks (Sec. 5.2), and setting the initial hash value, H(0) (Sec. 5.3).
`
5.1 Padding the Message

`The purpose of this padding is to ensure that the padded message is a multiple of 512 or 1024
`bits, depending on the algorithm. Padding can be inserted before hash computation begins on a
`message, or at any other time during the hash computation prior to processing the block(s) that
`will contain the padding.
`
`5.1.1 SHA-1, SHA-224 and SHA-256
`
`Suppose that the length of the message, M, is
` bits. Append the bit “1” to the end of the
`message, followed by k zero bits, where k is the smallest, non-negative solution to the equation
`. Then append the 64-bit block that is equal to the number
` expressed
`using a binary representation. For example, the (8-bit ASCII) message “abc” has length
`, so the message is padded with a one bit, then
` zero bits, and then
`the message length, to become the 512-bit padded message
`
`
`
`
`
`
`
01100001 01100010 01100011 1 00…00 00…011000
  “a”      “b”      “c”       423     64

The length of the padded message should now be a multiple of 512 bits.
`
`
`
`5.1.2 SHA-384, SHA-512, SHA-512/224 and SHA-512/256
`
`Suppose the length of the message M, in bits, is
` bits. Append the bit “1” to the end of the
`message, followed by k zero bits, where k is the smallest non-negative solution to the equation
`. Then append the 128-bit block that is equal to the number
` expressed
`using a binary representation. For example, the (8-bit ASCII) message “abc” has length
`, so the message is padded with a one bit, then
` zero bits, and then
`the message length, to become the 1024-bit padded message

01100001 01100010 01100011 1 00…00 00…011000
  “a”      “b”      “c”       871     128

The length of the padded message should now be a multiple of 1024 bits.
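
The padding rule of Sec. 5.1.1 and 5.1.2, together with the split into sixteen-word blocks described in Sec. 5.2, as an added example (not part of the Standard). It assumes messages made of whole bytes; the names `zero_bits`, `pad` and `parse` are this example's own.

```python
def zero_bits(message_bits, block_bits):
    """k: the smallest non-negative number of zero bits for which the message,
    the "1" bit, the k zeroes and the length field fill whole blocks."""
    length_field_bits = block_bits // 8      # 64 for 512-bit blocks, 128 for 1024-bit
    return (block_bits - length_field_bits - (message_bits + 1)) % block_bits


def pad(message, block_bits):
    """Pad a byte string for 512-bit (SHA-1, SHA-224, SHA-256) or 1024-bit
    (SHA-384, SHA-512, SHA-512/224, SHA-512/256) blocks."""
    if block_bits not in (512, 1024):
        raise ValueError("block size must be 512 or 1024 bits")
    length_field_bits = block_bits // 8
    message_bits = 8 * len(message)
    if message_bits >= 1 << length_field_bits:
        raise ValueError("message too long for this algorithm")
    k = zero_bits(message_bits, block_bits)
    # For whole-byte messages k % 8 == 7, so the "1" bit and the first seven
    # zero bits form the byte 0x80 and the remaining k - 7 zeroes are whole bytes.
    padded = (message + b"\x80" + bytes((k - 7) // 8)
              + message_bits.to_bytes(length_field_bits // 8, "big"))
    if (8 * len(padded)) % block_bits != 0:
        raise AssertionError("padded length is not a multiple of the block size")
    return padded


def parse(padded, block_bits):
    """Split a padded message into N blocks of sixteen big-endian words each."""
    block_bytes = block_bits // 8
    word_bytes = block_bytes // 16           # 4 bytes (w = 32) or 8 bytes (w = 64)
    blocks = []
    for start in range(0, len(padded), block_bytes):
        block = padded[start:start + block_bytes]
        blocks.append([int.from_bytes(block[i:i + word_bytes], "big")
                       for i in range(0, block_bytes, word_bytes)])
    return blocks


if __name__ == "__main__":
    print(zero_bits(24, 512), zero_bits(24, 1024))     # the "abc" cases
    print([format(word, "08x") for word in parse(pad(b"abc", 512), 512)[0]])
    # A 56-byte message leaves no room for the length field, so a second
    # block is needed; a 55-byte message still fits in one.
    print(len(parse(pad(b"a" * 55, 512), 512)), len(parse(pad(b"a" * 56, 512), 512)))
```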
`
`
`
`
`
`
`
`
`
`
`
`
`1 k
`
`
`
`448
`
`mod
`
`512
`
`
`
`
`
` 38
`
`24
`
`448
`
`
`
`24(
`
`
`
` )1
`
`423
`
`24
`
`
`
`
`
`
`
`1 k
`
`
`
`896
`
`mod
`
`1024
`
`
`
`
`
` 38
`
`24
`
`896
`
`
`
`24(
`
`
`
` )1
`
`871
`
`24
`
`
`
`
`
5.2 Parsing the Message

`The message and its padding must be parsed into N m-bit blocks.
`
`5.2.1 SHA-1, SHA-224 and SHA-256
`
`For SHA-1, SHA-224 and SHA-256, the message and its padding are parsed into N 512-bit
`blocks, M(1), M(2),…, M(N). Since the 512 bits of the input block may be expressed as sixteen 32-
`bit words, the first 32 bits of message block i are denoted
`, the next 32 bits are
`, and so
`
`on up to
`
`.
`
`5.2.2 SHA-384, SHA-512, SHA-512/224 and SHA-512/256
`
`For SHA-38