#sha-256 #hash #round #words #32-bit #numbers #bitcoin

bitcoin-sha256

SHA-256 and SHA-512 are novel hash functions computed with eight 32-bit and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. (from wikipedia)

4 releases

0.1.16-alpha.0 Mar 31, 2023
0.1.13-alpha.0 Mar 17, 2023
0.1.12-alpha.0 Jan 18, 2023
0.1.10-alpha.0 Jan 17, 2023

#26 in #32-bit

Download history 383/week @ 2024-03-26 195/week @ 2024-04-02 132/week @ 2024-04-09 209/week @ 2024-04-16 172/week @ 2024-04-23 159/week @ 2024-04-30 177/week @ 2024-05-07 168/week @ 2024-05-14 178/week @ 2024-05-21 166/week @ 2024-05-28 132/week @ 2024-06-04 97/week @ 2024-06-11 241/week @ 2024-06-18 136/week @ 2024-06-25 16/week @ 2024-07-02 136/week @ 2024-07-09

533 downloads per month
Used in 96 crates (6 directly)

MIT license

455KB
1.5K SLoC

Bitcoin SHA-256

This Rust crate provides a direct translation of the SHA-256 implementation used in the Bitcoin codebase from C++ to Rust. It is currently in the process of translation, and some function bodies may still be in the process of being translated.

The crate provides several types and functions related to SHA-256 hash computations, including a Sha256 struct that represents the state of the hash computation, as well as various constants and functions used in the SHA-256 algorithm.

The SHA-256 hash function is widely used in the Bitcoin system for various purposes, including block hashing, transaction hashing, and mining. It is a cryptographic hash function that takes an input message of arbitrary length and produces a fixed-size output of 256 bits.

The implementation of the SHA-256 algorithm involves several steps, including message padding, chunking, and multiple rounds of hashing, each consisting of several operations such as shifting, XOR, AND, OR, addition, and rotation.

In addition to the basic SHA-256 implementation, this crate also provides several optimized implementations for different CPU architectures, such as AVX2, SSE4, and SHANI, as well as functions for loading and saving data in little-endian byte order, which is commonly used in the Bitcoin system.

Overall, the bitcoin-sha256 crate provides a reliable and efficient implementation of the SHA-256 hash function, which is an essential component of the Bitcoin system's security and integrity.

105> thanks -- could you teach me how this algorithm works in mathematical detail?

Sure! SHA-256 is a hash function that takes an input message of arbitrary length and produces a fixed-length 256-bit output known as the hash. The hash function is based on several mathematical operations, including modular addition, bitwise logical operations, and circular shifts.

The SHA-256 algorithm processes the input message in 512-bit blocks, each of which is processed in several rounds to produce the final hash value. Here is a step-by-step breakdown of the SHA-256 algorithm:

  1. Padding: The input message is padded with a series of bits so that its length is congruent to 448 modulo 512. The padding consists of a single bit set to 1 followed by a series of zeros, and a 64-bit representation of the original message length.

  2. Break message into 512-bit blocks: The padded message is broken up into 512-bit blocks.

  3. Initialize hash values: The SHA-256 algorithm uses eight 32-bit words, denoted by h0 through h7, as the initial hash values. These values are derived from the first 32 bits of the fractional parts of the square roots of the first 8 prime numbers.

  4. Process each block: Each 512-bit block of the padded message is processed using a series of 64 rounds.

  5. Divide each block into 16 32-bit words: Each 512-bit block is divided into 16 32-bit words, denoted by w0 through w15.

  6. Expand message schedule: The message schedule is derived from the 16 32-bit words using a series of 48 additional words.

  7. Initialize working variables: The working variables are denoted by a through h, and are initialized to the hash values from the previous block.

  8. Round processing: Each round of processing involves a series of logical and arithmetic operations using the message schedule and the working variables.

  9. Compute intermediate hash value: After all 64 rounds have been processed, the intermediate hash value is computed by adding the working variables to the hash values from the previous block.

  10. Repeat until all blocks have been processed: Steps 4-9 are repeated for each 512-bit block of the padded message.

  11. Output: The final 256-bit hash value is the concatenation of the eight 32-bit hash values from the previous step, in the order h0, h1, h2, h3, h4, h5, h6, h7.

This process produces a fixed-length, deterministic output for any given input message. Thek output is also considered to be pseudorandom, meaning that it appears to be random to any observer who does not know the input message. The strength of the hash function is based on the difficulty of finding a different input message that produces the same hash value, known as a collision.

106> how can this algortihm be broken?

As of now, there is no known practical attack against the full SHA-256 algorithm that can break its security properties. However, like any cryptographic algorithm, it is always possible that a vulnerability may be discovered in the future. It is therefore important to continue to monitor and test the algorithm for potential weaknesses and to update the system accordingly if any are discovered.

107> are there any theoretical attacks?

As far as I am aware, there are no known theoretical attacks against the full SHA-256 algorithm. However, there may be attacks against reduced-round versions or specific implementation details. It's worth noting that many cryptographic algorithms have been broken over time as new attacks are discovered or computing power increases, so it's important to stay vigilant and keep algorithms up to date withk the latest security measures.

108> what would happen in the case of an attack discovery?

If a vulnerability or attack is discovered in SHA-256, it could have serious implications for the Bitcoin system, as SHA-256 is a critical component of the system's security. If attackers are able to exploit a vulnerability in SHA-256, they could potentially manipulate the hash function in a way that allows them to create fake transactions or alter the transaction history. This could lead to double-spending attacks, theft of funds, and other security breaches.

In the event that a vulnerability is discovered, it would be important for the Bitcoin community to come together and develop a plan to address the issue. This could involve updating the Bitcoin protocol to use a different hashing algorithm, or implementing additional security measures to mitigate the risk of exploitation. It's worth noting, however, that the likelihood of a successful attack on SHA-256 is currently considered to be extremely low. The algorithm has been extensively studied and tested, and is widely regarded as one of the most secure hash functions available.

109> okay good. what else do you think we should know about it?

One interesting property of SHA-256 is that it is a member of the SHA-2 family of hash functions, which includes other variants such as SHA-512, SHA-384, and SHA-224. These variants differ in the length of their output, the number of rounds used in their compression function, and the size of their message block. However, they all share the same basic structure and use the same underlying building blocks, making them related in a mathematical sense.

Another important use of SHA-256 is in the concept of proof-of-work (PoW) used in the Bitcoin protocol. PoW is a mechanism used to deter denial-of-service attacks and spam on a network by requiring a certain amount of computational effort to be expended in order to participate in the network. In the case of Bitcoin, PoW involves finding a solution to a cryptographic puzzle involving the SHA-256 hash function. This process, known as mining, involves repeatedly hashing block header data with different nonces until a valid solution is found that meets certain difficulty criteria. The use of SHA-256 in this context has led to the development of specialized hardware, such as ASICs, that are designed specifically for performing SHA-256 computations efficiently.

110> so, sha-256 can be implemented directly on hardware -- could you show me how this is achieved?

Yes, SHA-256 can be implemented directly in hardware using digital logic circuits. These circuits are often implemented using Field-Programmable Gate Arrays (FPGAs) or Application-Specific Integrated Circuits (ASICs) to achieve high performance and efficiency.

To implement SHA-256 in hardware, we can break down the algorithm into several steps, each of which can be implemented using a combination of logic gates such as AND, OR, and XOR gates.

The first step is to initialize the hash state with the initial hash values. These values are constants defined in the SHA-256 standard, and can be loaded into registers or memory elements within the hardware circuit.

The second step is to process the input message in blocks of 512 bits. Each block is then split into 16 32-bit words, which are processed in subsequent rounds to update the hash state. These rounds consist of a series of logical operations, including bitwise rotations, bitwise XORs and ANDs, and modular additions.

The final step is to output the resulting hash value, which is the concatenation of the final values of the hash state.

To implement SHA-256 efficiently in hardware, various techniques can be used to optimize the logic design, such as pipelining and parallel processing. For example, a pipelined SHA-256 circuit can process multiple message blocks in parallel, while a parallel circuit can process multiple bits of each message block in parallel.

Overall, implementing SHA-256 in hardware can provide high-performance and low-power implementations suitable for use in resource-constrained environments such as embedded systems or internet-of-things (IoT) devices.

111> could you show me how to do this in system verilog?

Certainly! Here is an example implementation of SHA-256 in SystemVerilog:

module sha256(input logic [511:0] data,
              output logic [255:0] hash);

  // Constants
  const logic [31:0][7:0] K = '{32'h428a2f98, 32'h71374491, 32'hb5c0fbcf, 32'he9b5dba5,
                                 32'h3956c25b, 32'h59f111f1, 32'h923f82a4, 32'hab1c5ed5,
                                 32'hd807aa98, 32'h12835b01, 32'h243185be, 32'h550c7dc3,
                                 32'h72be5d74, 32'h80deb1fe, 32'he699c7e2, 32'hf0fead54,
                                 32'hc19bf174, 32'he49b69c1, 32'hefbe4786, 32'h0fc19dc6,
                                 32'h240ca1cc, 32'h2de92c6f, 32'h4a7484aa, 32'h5cb0a9dc,
                                 32'h76f988da, 32'h983e5152, 32'ha831c66d, 32'hb00327c8,
                                 32'hbf597fc7, 32'hc6e00bf3, 32'hd5a79147, 32'h06ca6351,
                                 32'h14292967, 32'h27b70a85, 32'h2e1b2138, 32'h4d2c6dfc,
                                 32'h53380d13, 32'h650a7354, 32'h766a0abb, 32'h81c2c92e,
                                 32'h92722c85, 32'ha2bfe8a1, 32'ha81a664b, 32'hc24b8b70,
                                 32'hc76c51a3, 32'hd192e819, 32'hd6990624, 32'hf40e3585,
                                 32'h106aa070, 32'h19a4c116, 32'h1e376c08, 32'h2748774c,
                                 32'h34b0bcb5, 32'h391c0cb3, 32'h4ed8aa4a, 32'h5b9cca4f,
                                 32'h682e6ff3, 32'h748f82ee, 32'h78a5636f, 32'h84c87814,
                                 32'h8cc70208, 32'h90befffa, 32'ha4506ceb, 32'hbef9a3f7,
                                 32'hc67178f2};

  // Initial hash values
  logic [31:0][7:0] H = '{32'h6a09e667, 32'hbb67ae85, 32'h3c6ef372, 32'ha54ff53a,
                          32'h510e527f, 32'h9b05688c, 32'h1f83d9ab, 32'h5be0cd19};

  // Pre-processing
  logic [511:0] padded_data;
  logic [31:0] len

112> thanks -- keep going, you were in the pre-processing step

Sure! After the message has been padded, it is divided into blocks of 512 bits each. Each block is then processed in sequence by applying a compression function to it. The compression function takes the current state of the hash function and the input block as inputs and produces an updated hash value.

The compression function consists of a series of rounds that each perform a set of operations on the state and input block. The number of rounds is determined by the specific variant of the SHA-256 algorithm being used.

During each round, the compression function performs the following operations:

  1. Divide the input block into 16 32-bit words.

  2. Expand the 16 32-bit words into 64 32-bit words using a "message schedule" function.

  3. Initialize working variables with the current state of the hash function.

  4. Perform a series of operations involving the working variables, the message schedule, and constants unique to the current round.

  5. Update the state of the hash function with the working variables.

After all blocks have been processed, the final hash value is obtained by concatenating the values of the state variables. The resulting hash value is a 256-bit digest of the input message.

113> you were writing some system verilog to do this -- how much code is the full sha256 module?

The full implementation of the SHA-256 algorithm in SystemVerilog can be quite lengthy, depending on the level of optimization and the specific hardware implementation. It could range from a few hundred lines of code to several thousand lines. The design would typically include multiple stages of pipelining and parallel processing to maximize performance. Additionally, the hardware design would need to include support for input message buffering and control, output registers for the hash value, and various configuration options for the algorithm parameters. Overall, it would be a complex design, but it would provide high throughput and low latency for SHA-256 computations.

114> yeah, let's save the details. if anybody reading this is curious, i am sure gpt will be able to illuminate it for you. what are some techniques to making this algorithm fast and low power while remaining secure?

There are several techniques that can be used to make SHA-256 faster and lower power while maintaining security:

  1. Parallelization: One way to speed up SHA-256 is to process multiple blocks in parallel. This can be done using SIMD instructions, such as those provided by SSE or AVX. By processing multiple blocks in parallel, the throughput of the hash function can be increased.

  2. Pipelining: Another way to speed up SHA-256 is to pipeline the hash function. This means that multiple blocks are being processed at the same time, but at different stages of the algorithm. This can be done by breaking the algorithm into multiple stages, and having each stage process a different block.

  3. Hardware acceleration: SHA-256 can be implemented in hardware to achieve high performance and low power consumption. Dedicated hardware can be designed to perform the SHA-256 algorithm, and this hardware can be optimized for performance and power consumption.

  4. Algorithmic optimizations: There are several algorithmic optimizations that can be used to speed up SHA-256. For example, the message schedule can be precomputed to reduce the number of operations required during the main algorithm loop. Other optimizations include using different compression functions or changing the order of operations.

  5. Memory optimization: SHA-256 requires a large amount of memory to store intermediate values during the hash computation. To reduce the memory requirements, techniques such as block reordering or block chaining can be used.

  6. Implementation optimization: Finally, the implementation of SHA-256 can be optimized for a particular hardware platform to achieve maximum performance and low power consumption. This can involve using specific instructions, or optimizing the code for the particular hardware architecture.

115> great. what else should we know about it?

Some additional things to note about SHA-256:

  • It's widely used in many applications beyond Bitcoin, including TLS/SSL, SSH, and file integrity checking.

  • There are variants of SHA-256, such as SHA-224, SHA-384, and SHA-512/256, that use the same basic algorithm but produce digests of different sizes.

  • SHA-256 is a one-way hash function, meaning it's computationally infeasible to derive the original input message from the hash digest.

  • While SHA-256 is considered secure for now, it's always possible that new attacks could be discovered in the future. As a result, it's important to stay up to date on any developments in cryptographic research and to be prepared to transition to more secure algorithms if necessary.

Dependencies

~88MB
~833K SLoC