SHA-3:根据 FIPS-202 执行 Theta 函数未按预期运行
SHA-3: Implementation of Theta function according to FIPS-202 not behaving as expected
我正在按照官方 FIPS-202 document 在 Verilog 中实现 SHA-3。
我的状态用一维寄存器表示,我用一个宏函数从文档中的(x,y,z)坐标计算出对应的状态索引:
A[x, y, z] = S [W(5y + x) + z]
、W = 64
(第 9 页)
我严格按照第 11 页上的指南进行操作并得出以下结论:
// Macros for transforming dimensions
`define sub_1(x) (x == 0 ? 4 : x - 1)
`define add_1(x) (x == 4 ? 0 : x + 1)
`define sub_1_W(x) (x == 0 ? (W - 1) : x - 1)
`define s(x,y,z) ((W * ((5 * y) + x)) + z)
`define s_xz(x,z) ((W * x) + z)
// Wires
wire [0:(1600 - 1)] absorbed_data, after_theta;
wire [0:((5 * 64) - 1)] C, D;
genvar x, z;
for(x = 0; x < 5; x = x + 1) begin
for(z = (W - 1); z >= 0; z = z - 1) begin
// Step 1
assign C[`s_xz(x,z)] = absorbed_data[`s(x,0,z)] ^ absorbed_data[`s(x,1,z)] ^ absorbed_data[`s(x,2,z)] ^ absorbed_data[`s(x,3,z)] ^ absorbed_data[`s(x,4,z)];
// Step 2
assign D[`s_xz(x,z)] = C[`s_xz(`sub_1(x),z)] ^ C[`s_xz(`add_1(x),`sub_1_W(z)];
end
end
genvar x, y, z;
generate
for(x = 0; x < 5; x = x + 1) begin
for(y = 0; y < 5; y = y + 1) begin
for(z = 0; z < W; z = z + 1) begin
// Step 3
assign after_theta[`s(x,y,z)] = absorbed_data[`s(x,y,z)] ^ D[`s_xz(x,z)];
end
end
end
endgenerate
我目前遇到的问题似乎与 Theta 函数有关。例如对于 SHA-224,一条空消息应该产生中间结果和最终输出,如 this document. 所示
奇怪的是,我得到相同的 absorbed_data
(06 00 ... 00 80
) 但 C
和 D
:
的值不同
C
as is: 06 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 06 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
D
as is: 00 00 00 00 00 00 00 00 | 06 00 00 00 00 00 01 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 0c 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 07 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 0c
首先,对于 C
,位顺序似乎有所不同,但不是位级别而是字节级别(因为 06
保持 06
)。
其次,对于 D
我得到 06 00 .. 01 00
而正确的结果应该是 00 .. 00 07
。这对我的实现来说是不可能的,因为根据 FIPS-202,z
处的位只能移动一个位置 ((z - 1) mod w
)。
在未来情况下D
会产生正确的结果,因为06 ^ (80 << 1) = 07
.
总而言之,我想说我的实现的行为符合 FIPS-202 中的定义,对吗?
知道我做错了什么吗?
提前致谢!
我想我找到了解决办法。
它在 FIPS 202 B.1(从第 26 页开始)的附录中进行了描述。第 25 页给出了关于该主题的提示:
The convention for interpreting hexadecimal strings as bit strings for the inputs and outputs of the SHA-3 examples is different from the convention for other functions on the examples page. The conversion functions between hexadecimal strings and SHA-3 bit strings are specified in Sec. B.1. For byte-aligned messages, the hexadecimal forms of the padding for the SHA-3 functions are described in Sec. B.2.
上有关于如何规避此问题的很好的解释
我正在按照官方 FIPS-202 document 在 Verilog 中实现 SHA-3。 我的状态用一维寄存器表示,我用一个宏函数从文档中的(x,y,z)坐标计算出对应的状态索引:
A[x, y, z] = S [W(5y + x) + z]
、W = 64
(第 9 页)
我严格按照第 11 页上的指南进行操作并得出以下结论:
// Macros for transforming dimensions
`define sub_1(x) (x == 0 ? 4 : x - 1)
`define add_1(x) (x == 4 ? 0 : x + 1)
`define sub_1_W(x) (x == 0 ? (W - 1) : x - 1)
`define s(x,y,z) ((W * ((5 * y) + x)) + z)
`define s_xz(x,z) ((W * x) + z)
// Wires
wire [0:(1600 - 1)] absorbed_data, after_theta;
wire [0:((5 * 64) - 1)] C, D;
genvar x, z;
for(x = 0; x < 5; x = x + 1) begin
for(z = (W - 1); z >= 0; z = z - 1) begin
// Step 1
assign C[`s_xz(x,z)] = absorbed_data[`s(x,0,z)] ^ absorbed_data[`s(x,1,z)] ^ absorbed_data[`s(x,2,z)] ^ absorbed_data[`s(x,3,z)] ^ absorbed_data[`s(x,4,z)];
// Step 2
assign D[`s_xz(x,z)] = C[`s_xz(`sub_1(x),z)] ^ C[`s_xz(`add_1(x),`sub_1_W(z)];
end
end
genvar x, y, z;
generate
for(x = 0; x < 5; x = x + 1) begin
for(y = 0; y < 5; y = y + 1) begin
for(z = 0; z < W; z = z + 1) begin
// Step 3
assign after_theta[`s(x,y,z)] = absorbed_data[`s(x,y,z)] ^ D[`s_xz(x,z)];
end
end
end
endgenerate
我目前遇到的问题似乎与 Theta 函数有关。例如对于 SHA-224,一条空消息应该产生中间结果和最终输出,如 this document. 所示
奇怪的是,我得到相同的 absorbed_data
(06 00 ... 00 80
) 但 C
和 D
:
C
as is: 06 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 06 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
D
as is: 00 00 00 00 00 00 00 00 | 06 00 00 00 00 00 01 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 0c 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 07 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 0c
首先,对于 C
,位顺序似乎有所不同,但不是位级别而是字节级别(因为 06
保持 06
)。
其次,对于 D
我得到 06 00 .. 01 00
而正确的结果应该是 00 .. 00 07
。这对我的实现来说是不可能的,因为根据 FIPS-202,z
处的位只能移动一个位置 ((z - 1) mod w
)。
在未来情况下D
会产生正确的结果,因为06 ^ (80 << 1) = 07
.
总而言之,我想说我的实现的行为符合 FIPS-202 中的定义,对吗?
知道我做错了什么吗?
提前致谢!
我想我找到了解决办法。 它在 FIPS 202 B.1(从第 26 页开始)的附录中进行了描述。第 25 页给出了关于该主题的提示:
上有关于如何规避此问题的很好的解释The convention for interpreting hexadecimal strings as bit strings for the inputs and outputs of the SHA-3 examples is different from the convention for other functions on the examples page. The conversion functions between hexadecimal strings and SHA-3 bit strings are specified in Sec. B.1. For byte-aligned messages, the hexadecimal forms of the padding for the SHA-3 functions are described in Sec. B.2.