SHA-3:根据 FIPS-202 执行 Theta 函数未按预期运行

SHA-3: Implementation of Theta function according to FIPS-202 not behaving as expected

我正在按照官方 FIPS-202 document 在 Verilog 中实现 SHA-3。 我的状态用一维寄存器表示,我用一个宏函数从文档中的(x,y,z)坐标计算出对应的状态索引:

A[x, y, z] = S [W(5y + x) + z]W = 64(第 9 页)

我严格按照第 11 页上的指南进行操作并得出以下结论:

// Macros for transforming dimensions
`define sub_1(x) (x == 0 ? 4 : x - 1)
`define add_1(x) (x == 4 ? 0 : x + 1)
`define sub_1_W(x) (x == 0 ? (W - 1) : x - 1)
`define s(x,y,z) ((W * ((5 * y) + x)) + z)
`define s_xz(x,z) ((W * x) + z)

// Wires
wire [0:(1600 - 1)] absorbed_data, after_theta;
wire [0:((5 * 64) - 1)] C, D; 

genvar x, z;
for(x = 0; x < 5; x = x + 1) begin
    for(z = (W - 1); z >= 0; z = z - 1) begin
        // Step 1
        assign C[`s_xz(x,z)] = absorbed_data[`s(x,0,z)] ^ absorbed_data[`s(x,1,z)] ^ absorbed_data[`s(x,2,z)] ^ absorbed_data[`s(x,3,z)] ^ absorbed_data[`s(x,4,z)];
        // Step 2
        assign D[`s_xz(x,z)] = C[`s_xz(`sub_1(x),z)] ^ C[`s_xz(`add_1(x),`sub_1_W(z)];
    end
end    

genvar x, y, z;
generate
    for(x = 0; x < 5; x = x + 1) begin
        for(y = 0; y < 5; y = y + 1) begin
            for(z = 0; z < W; z = z + 1) begin
                // Step 3
                assign after_theta[`s(x,y,z)] = absorbed_data[`s(x,y,z)] ^ D[`s_xz(x,z)];
            end
        end
    end
endgenerate

我目前遇到的问题似乎与 Theta 函数有关。例如对于 SHA-224,一条空消息应该产生中间结果和最终输出,如 this document. 所示 奇怪的是,我得到相同的 absorbed_data (06 00 ... 00 80) 但 CD:

的值不同

C

as is: 06 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 06 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00

D

as is: 00 00 00 00 00 00 00 00 | 06 00 00 00 00 00 01 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 0c 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 07 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 0c

首先,对于 C,位顺序似乎有所不同,但不是位级别而是字节级别(因为 06 保持 06)。 其次,对于 D 我得到 06 00 .. 01 00 而正确的结果应该是 00 .. 00 07。这对我的实现来说是不可能的,因为根据 FIPS-202,z 处的位只能移动一个位置 ((z - 1) mod w)。

未来情况下D会产生正确的结果,因为06 ^ (80 << 1) = 07.

总而言之,我想说我的实现的行为符合 FIPS-202 中的定义,对吗?

知道我做错了什么吗?

提前致谢!

我想我找到了解决办法。 它在 FIPS 202 B.1(从第 26 页开始)的附录中进行了描述。第 25 页给出了关于该主题的提示:

The convention for interpreting hexadecimal strings as bit strings for the inputs and outputs of the SHA-3 examples is different from the convention for other functions on the examples page. The conversion functions between hexadecimal strings and SHA-3 bit strings are specified in Sec. B.1. For byte-aligned messages, the hexadecimal forms of the padding for the SHA-3 functions are described in Sec. B.2.

cryptologie.net.

上有关于如何规避此问题的很好的解释