Cryptography Research Group
Menu

SHA-3 Hardware

The SHA-3 hardware page (work in progress) is a collection of our designs of the cryptographic hash functions submitted to the SHA-3 contest. It aims to provide an overview of FPGA and ASIC designs to aid in testing and analysis of all submissions. Source code is freely given for a wrapper interface to allow testing of designs and the source code for the hash functions themselves are to be added at a later stage.

Current hardware results can be found at the SHA-3 Zoo, and an alternate interface and design results may be found at RCIS and Athena.

We presented our implementation results at the NIST Second SHA-3 Candidate Conference at Santa Barbara, California, USA. August 17th - August 20th, 2010.

Updated versions of the paper and presentation can be found here.

The results were also presented at the 20th International Conference on Field Programmable Logic and Applications, Milano, Politecnico di Milano, Italy. August 31 - September 2, 2010

This paper is available here. 

We present a hardware wrapper interface which attempts to encompass all the competition entries (and indeed, hash algorithms in general) across any number of both FPGA and ASIC hardware platforms. This interface comprises communications and padding, and attempts to standardise the hashing algorithms to allow accurate and fair area, timing and power measurement between the different designs.

Our wrapper design is currently on version 2.

 

Wrapper v.2

MES = Message length 
DIG = Digest length 
CTW = Counter width 
MBL = Maximum block length 
SR = Shift register
 

Counter Unit

  • Needed for all except: Keccak, Luffa, Cubehash, Shabal
  • Groestl counts blocks, not message length

Padder

  • Slight variations between each hash function

Core Components

  • Multiplexer to select the type of padding (100....., 000...., CTR, etc) for the current 32-bit block
  • 32, 32-bit shift registers (1 for each shift value)
  • A multiplexer with the outputs of the 32 SRs as input. Choice is made based on the message lenth "mod 32"

Controller

Varies significantly based on the hash function

Typical FSM:

  • Read data in
  • Padding state
  • Load to HF
  • Read next block
  • Wait for message digest

 

Cubehash, Luffa, Shabal and Skein use this padder almost exactly

Keccak requires a more specialized design (not shown here)

Fugue uses this padder but also uses the "optional" mux input for a counter and there is no shift registers required.

All the others use this padder BUT also use the "optional" mux input for the counter value.

Padding v.2


A paper presenting the details and communications for our first wrapper can be found here.

The Wrapper is made up of four individual subsections:

  • The Hash function Top level.
  • The padding scheme required.
  • The controller.
  • The output.
The padding and controller sections each have a subsection (sub-pad and sub-control) to allow reuse between similar hash functions.
The wrapper also includes a package file (Sub-Wrapper) which holds the bus width size, currently set to 32-bits.

We further subdivided the wrapper into individual files for each hash design (and digest size where necessary), as opposed to originally using an all encompassing wrapper and using generics to select the files required. We do this for a number of reasons.
  • To alleviate the requirement for a user to have all designs completed in VHDL/Verilog prior to synthesis.
  • To reduce long synthesis time.
In this way, a user needs only select the relevant link from the table below for the zipped hash function design and wrapper they wish to use. Alternatively, the version 1 wrapper is available seperately.

 

 


 

Wrapper VHDL Diagram
Hash DesignDigest Size & Wrapper v.2Wrapper v.1
SHA-2**  224  256 
 Wrapper v.1
SHA-2**  384  512 Wrapper v.1
Blake**^ 224  256 
 Wrapper v.1
Blake**^ 384  512 Wrapper v.1
BMW** 224  256 
 Wrapper v.1
BMW** 384  512 Wrapper v.1
Cubehash* 224  256 384  512 Wrapper v.1
Echo**^ 224  256 
 Wrapper v.1
Echo**^ 384  512 Wrapper v.1
Fugue**** 224 256  Wrapper v.1
Fugue**** 384  Wrapper v.1
Fugue**** 512  Wrapper v.1
Groestl** 224 256 Wrapper v.1
Groestl** 384 512  Wrapper v.1
Hamsi** 224 256 Wrapper v.1
Hamsi** 384 512 Wrapper v.1
JH* 224 256 384 512  Wrapper v.1
Keccak*** 224 256 384 512 Wrapper v.1
Luffa** 224 256 Wrapper v.1
Luffa** 384 Wrapper v.1
Luffa** 512  Wrapper v.1
Shabal* 224 256 384 512 Wrapper v.1
SHAvite-3**^ 224 256 Wrapper v.1
SHAvite-3**^ 384 512 Wrapper v.1
SIMD**^^^ 224 256 Wrapper v.1
SIMD**^^^ 384 512 Wrapper v.1
Skein 512*^^ 224 256 384 512 Wrapper v.1
  • * area/throughput equal for all message digests, different IV & truncation
  • ** area/throughput equal for 224/256 and 384/512, different IV & truncation
  • *** throughput varies for each message digest, area & critical path the same
  • **** area/throughput equal for 224/256, different IV & truncation, different for 384 & 512
  • ^ HAIFA construction so MES = (block size + CTW)
  • ^^ also requires MES = (block size + CTW)
  • ^^^ 64-bit counter implemented, but it can be any size up to MES

 

The following table presents the different input message and state sizes for the SHA-3 hash functions and their digest variants. It can be used with the example testbench given below to choose the correct values required for hash function testing.

 

 

 

DIGEST 224 256 384 512
  CTW MES SAL CTW MES SAL CTW MES SAL CTW MES SAL
SHA-2** 64 512 0 64 512 0 128 1024 0 128 1024 0
Blake**^ 64 576 128 64 576 128 128 1152 256 128 1152 256
BMW** 64 512 0 64 512 0 64 1024 0 64 1024 0
Cubehash* 5 256 0 5 256 0 5 256 0 5 256 0
Echo**^ 64 1600 128 64 1600 128 64 1088 128 64 1088 128
Fugue**** 64 32 0 64 32 0 64 32 0 64 32 0
Groestl** 64 512 0 64 512 0 64 1024 0 64 1024 0
Hamsi** 64 32 0 64 32 0 64 64 0 64 64 0
JH* 128 512 0 128 512 0 128 512 0 128 512 0
Keccak*** 0 1152 0 0 1088 0 0 832 0 0 576 0
Luffa** 5 256 0 5 256 0 5 256 0 5 256 0
Shabal* 5 512 0 5 512 0 5 512 0 5 512 0
SHAvite-3**^ 64 576 256 64 576 256 128 1152 512 128 1152 512
SIMD**^^^ 64 512 0 64 512 0 64 1024 0 64 1024 0
Skein*^^ 96 608 0 96 608 0 96 608 0 96 608 0

The following table presents the different padding schemes for the SHA-3 hash functions.
Note: All inputs (inclusive of padding) are taken left to right as in the NIST specifications. Any endianess is dealt with internally to the hash function.

All IVs are also stored internally in the hash function.

 

 

 

 

Padding  
sha224/256 1, zeros until congruent (448 mod 512), 64-bit message length
sha384/512 1, zeros until congruent (896 mod 1024), 128-bit message length
blake224 1, zeros, until congruent (448 mod 512), 64-bit message length
blake256 1, zeros, until congruent (447 mod 512), 1, 64-bit message length
blake384 1, zeros, until congruent (895 mod 1024), 128-bit message length
blake512 1, zeros, until congruent (894 mod 1024), 1, 128-bit message length
bmw224/256 1, zeros until congruent (448 mod 512), 64-bit message length
bmw384/512 1, zeros until congruent (960 mod 1024), 64-bit message length
cubehash 1, zeros until a multiple of 256 (256 = 8 * b, b=32)
echo224/256 1, zeros until congruent (1392 mod 1536), 16-bit message digest,128-bit message length
echo384/512 1, zeros until congruent (880 mod 1024), 16-bit message digest, 128-bit message length
fugue zeros until a multiple of 32, 64-bit message length
groestl224/256 1, zeros until congruent (448 mod 512), 64-bit block counter
groestl384/512 1, zeros until congruent (960 mod 1024), 64-bit block counter
hamsi224/256 1, zeros until a multiple of 32, 64-bit message length
hamsi384/512 1, zeros until a multiple of 64, 64-bit message length
jh 1, zeros until congruent (384 mod 512), 128-bit message length, min 512-bits added
keccak224 1, zeros until a multiplie of 8, append 8-bit representation of 28, append 8-bit representation of 1152/8, 1, zeros until a multiple of 1152
keccak256 1, zeros until a multiplie of 8, append 8-bit representation of 32, append 8-bit representation of 1088/8, 1, zeros until a multiple of 1088
keccak384 1, zeros until a multiplie of 8, append 8-bit representation of 48, append 8-bit representation of 832/8, 1, zeros until a multiple of 832
keccak512 1, zeros until a multiplie of 8, append 8-bit representation of 64, append 8-bit representation of 576/8, 1, zeros until a multiple of 576
luffa 1, zeros until a multiple of 256
shabal 1, zeros until a multiple of 512
shavite3-224/256 1, zeros until congruent (432 mod 512), 64-bit message length, 16-bit digest length
shavite3-384/512 1, zeros until congruent (880 mod 1024), 128-bit message length, 16-bit digest length
simd224/256 zeros until a multiple of 512, extra block with message length
simd384/512 zeros until a multiple of 1024, extra block with message length
skein if a mutliple of 8, zeros until a mutliple of 512, else 1, zeros until a multiple of 512 

FPGA Implementations of the Round Two SHA-3 Candidates
Brian Baldwin,Andrew Byrne, Liang Lu, Mark Hamilton, Neil Hanley, Maire O'Neill and William P. Marnane
20th International Conference on Field Programmable Logic and Applications -FPL 2010, August 31 - September 2 2010

 

FPGA Implementations of the Round Two SHA-3 Candidates
Brian Baldwin,Andrew Byrne, Liang Lu, Mark Hamilton, Neil Hanley, Maire O'Neill and William P. Marnane
The Second SHA-3 Candidate Conference. August 23-24, 2010
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/Program_SHA3_Aug2010.pdf

 

 

A Hardware Wrapper for the SHA-3 Hash Algorithms
Brian Baldwin,Andrew Byrne, Liang Lu, Mark Hamilton, Neil Hanley, Maire O'Neill and William P. Marnane
Cryptology ePrint Archive, Report 2010/124, 2010
http://eprint.iacr.org/2010/124
(To appear at The 21st Irish Signals and Systems Conference, ISSC 2010, 23rd - 24th June 2010)

An FPGA Technologies Area Examination of the SHA-3 Hash Candidate Implementations
Brian Baldwin, William P. Marnane
Cryptology ePrint Archive, Report 2009/603, 2009
http://eprint.iacr.org/2009/603

FPGA Implementations of SHA-3 Candidates:CubeHash, Groestl, Lane, Shabal and Spectral Hash
Brian Baldwin, Andrew Byrne, Mark Hamilton, Neil Hanley,Robert P. McEvoy, Weibo Pan and William P. Marnane
Digital Systems Design, Euromicro Symposium on -DSD 2009, pages 783-790. 2009
http://www.computer.org/portal/web/csdl/doi/10.1109/DSD.2009.162
Alternate (longer) version:
http://eprint.iacr.org/2009/342

This material is based upon works supported by the Science Foundation Ireland under Grant No. 06/MI/006.

The support of the Informatics Commercialisation initiative of Enterprise Ireland is gratefully acknowledged.

Close X