Generalized Secure Hash Algorithm

4.2.1.1 The Length of One Word and the Number of Output Words

First, we define the length of one word as n such that n = 32 in SHA-224 and SHA-256, and n = 64 in SHA-384 and SHA-512.

Second, we should define the number of output words m. For example, the output length of SHA-256 is 256 bits, 8 words equally (m = 8, 256 bits = 8 word  32 bits/word). Similarly, m = 6 in SHA-384 (384 bits = 6 words  64 bits/word). On the basis of the SHA family, we define the value of m (6  m  8), and the length of one word/block n is multiple of 32. With the m and n, we can generalize the SHA family to SHA-mn.

In SHA-mn, where m = {6, 7, 8}, and n = {32, 64}, we find two additional formats, called SHA-192 (m = 6 and n =32) and SHA-448 (m = 7 and n =64). If SHA family includes SHA-192 and SHA-448, we call it Complete SHA family. The Complete SHA family is defined below.

Definition 2 Complete SHA family is defined:

Complete-SHA = {SHA-192, SHA-224, SHA-256, SHA-384, SHA-448, SHA-512}

Eq 24

Table 11 Values of m and n for SHA family

Property SHA- nm

Algorithms SHA-192 SHA-224 SHA-256 SHA-384 SHA-448 SHA-512

Word Size (n) 32 64

# of Output

Words (m) 6 7 8 6 7 8

Message Digest

Size 192 224 256 384 448 512

Block Size 512 1024

Security¹ 2⁹⁶ 2¹¹² 2¹²⁸ 2¹⁹² 2²²⁴ 2²⁵⁶

4.2.1.2 Padding the Message M

The section generalizes the padding step in SHA-mn. Assuming that M is l bits (0

 l < 2²ⁿ), the padding process should satisfy the following two rules:

 If we have l  14n-1 (mod 16n), we should pad “1||0^*||(l)2” up to the length

of _n

n l 16 16 

 . Notice that “1||0^*” denotes that “1” is followed by zero “0”

bit or more than one bits and the (l)2 denotes the length of message in binary.

 If we have l >14n-1 (mod 16n), we should pad “1||0^*||(l)2” up to the length

of _n

n

l 1 16 16 



 



 



 . Notice that “1||0^*” denotes that “1” is followed by zero

“0” bit or more than one bits and the (l)2 denotes the length of message in binary.

1 The security complexity is under birthday attack.

Algorithm 10 Padding 1: If l  14n - 1 (mod 16n)

2: Then M’= M || 1 || 0^* || ( 1 )2 such that |M’| = _n

n 16 16

1 



3: Else M’= M || 1 || 0^* ||( 1 )2 such that |M’| = _n

n 1 16 16

1 

 



 





4: End IF

4.2.1.3 Parsing the Padded Message into Message Blocks

Based on the properties of SHA family, SHA-mn parses the padded message into N 16 n bits blocks denoted by M⁽¹⁾…M^(N). For each 16  n-bit M⁽ⁱ⁾, the M will be divided into sixteen n-bit sub-blocks denoted by M0(i)…M15(i).

Algorithm 11 Parsing 1: parsing M’ into M⁽¹⁾…M^(N) 2: For i  1 to N Do

3: M⁽ⁱ⁾ = M0(i) || M1(i) || … || M15(i), | M⁽ⁱ⁾ | = 16n 4: End For

4.2.1.4 Setting the Initial Hash Values

The initial hash values consist of eight n-bit words denoted by H0(0)…H7(0). The following are the rules of setting initial hash value in each SHA family members.

 In SHA-256(or in SHA-512), each initial hash value is 32(or 64) bits which are the first 32(or 64) bits of the fractional parts of the square roots of the 1^st eight prime numbers. The first eight prime numbers are 2, 3, 5, 7, 11, 13, 17 and 19.

 In SHA-224, each initial hash value is 32 bits which are the 33^th ~ 64^th bits of the fractional parts of the square roots of the 9^th through 16^th prime

numbers. The 9^th through 16^th prime numbers are 23, 29, 31, 37, 41, 43, 47 and 53.

 In SHA-384, each initial hash value is 64 bits which are the first 64 bits of the fractional parts of the square roots of the 9^th through 16th prime numbers. The 9^th through 16^th prime numbers are 23, 29, 31, 37, 41, 43, 47 and 53.

Based on SHA family, the paper defines initial hash value for the additional SHA-192 and SHA-448.

 In SHA-192(or in SHA-448), each initial hash value is 32(or 64) bits, which are the first 32(or 64) bits of the fractional parts of the square roots of the 17^th through 24^th prime numbers. The 17^th through 24^th prime numbers are

Figure 13 Initial values of standard SHA family



Figure 14 Initial values of SHA-192 and SHA-448

We generalize the properties of setting initial hash value for SHA-mn:

 For some x, if m = 8 and n = 64x-32 or 64x, we map to 1^st to 8^th prime numbers. And the 64x - 32 bits are obtained by truncating the last 32 bits of the 64x bits.

 For some x, if m = 7 and n =64x - 32 or m = 6 and n = 64x, we map to 9^th to 16^th prime numbers. The 64x -32 bits are obtained by truncating the first 32 bits of the 64x bits.

 For some x, if m = 6 and n =64x - 32 or m = 7 and n = 64x, we map to 17^th ~ 24^th prime numbers. The 64x - 32 bits are obtained by truncating the last 32 bits of the 64x bits.



Figure 15 Initial values of SHA-mn

4.2.1.5 Setting the Constants

In SHA family, SHA-224 and SHA-256 obtain 64 constants by computing the first 32 bits of the fractional parts of the cube roots of the first 64 prime numbers denoted by K0{256}…K63{256}. Similarly, SHA-384 and SHA-512 obtain 80 constants by computing the first 64 bits of the fractional parts of the cube roots of the first 80 prime numbers denoted by K0{512}…K79{512}.

We can compute the constants by computing the first n bits of the fractional parts of the cube roots of the first f13(n) prime numbers.

 

13 n  n

f Eq 25

4.2.1.6 Boolean Expressions and Functions

In SHA-mn, the paper renames Ch() and Maj() functions to g1 and g2 and merges some  and  functions described in SHA family. Note that ROTR^k(x) means to rotate right k bits, and SHR^k(x) means to rotate right k bits.

4.2.1.7 Message Schedule

In SHA-224 and SHA-256, the padded message is parsed into N 512-bit blocks, M⁽¹⁾…M^(N), for each 512-bit block, M⁽ⁱ⁾, which is divided into 16 32-bit blocks, M0(i)…M15(i). In SHA-384 and SHA-512, for each 1024-bits block, M⁽ⁱ⁾, which is divided into 16 64-bit blocks, M0(i)…M15(i). The message schedule {Wt} is implemented as following.

 

4.2.1.8 Initialize the Eight Working Variables

The step initials the eight working variables (a ~ h), with the (i-1)^th hash value.

For each message block, M⁽ⁱ⁾ , i = 1,2,3…N, is processed in order, the eight working variables a ~ h are given as

 a = H0(i-1), b = H1(i-1), c = H2(i-1), d = H3(i-1), e = H4(i-1), f = H5(i-1), g = H6(i-1), h

= H7(i-1) , and are generalized as aj = Hj(i - 1) (0 j  7).

4.2.1.9 For-Loop Operation

The paper generalizes the for-loop operation of SHA-mn, which is the core part of SHA family algorithms. For each message block M⁽ⁱ⁾, i = 1, 2, …, N, should be executed f13(n) rounds. Notice that addition (+) is performed modulo 2ⁿ.

Algorithm 12 For-loop Operations 1: For t = 0 to f13(n)-1

2: T1 = a7 + g4(a4) + g1(a4, a5, a6) + Kt(mn) +Wt; 3: T2 = g3(a0) + g2(a0, a1, a2);

4: a7 = a6; a6 = a5; a5 = a4; a4 = a3 + T1; 5: a3 = a2; a2 = a1; a1 = a0; a0 = T1 + T2; 6: End For

4.2.1.10 Compute the i^th Intermediate Hash Value H⁽ⁱ⁾

For each 16  n-bit block M⁽ⁱ⁾, i = 1,2…N, the intermediate message digests in the SHA family standard execute the following operations:

 H0(i) = a + H0(i-1); H1(i) = b+ H1(i-1); H2(i) = c+ H2(i-1); H3(i) = d+ H3(i-1); H4(i) = e + H4(i-1); H5(i) = f + H5(i-1); H6(i) = g + H6(i-1); H7(i) = h+ H7(i-1); The paper generalizes the equations as follows:

 Hj(i) = aj + Hj(i-1), 0 ≤ j ≤7.

4.2.1.11 The Message Digest

After repeating steps N times (i.e., After processing M(N)), the m  n bits message digest of the message is:

 H0(N) || H1(N) || … || H_m-1(N).