FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION
CATEGORY: COMPUTER SECURITY
SUBCATEGORY: CRYPTOGRAPHY
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8900
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.FIPS.180-4
August 2015
U.S. Department of Commerce
Penny Pritzker, Secretary
National Institute of Standards and Technology
Willie E. May, Under Secretary for Standards and Technology and
Director
The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.
Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.
Charles H. Romine, Director, Information Technology Laboratory
This standard specifies hash algorithms that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.
Key words: computer security, cryptography, message digest, hash function, hash algorithm, Federal Information Processing Standards, Secure Hash Standard.
Federal Information Processing Standards Publication 180-4
August 2015
Announcing the
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106), and the Computer Security Act of 1987 (Public Law 100-235).
Name of Standard: Secure Hash Standard (SHS) (FIPS PUB 180-4).
Category of Standard: Computer Security Standard, Cryptography.
Explanation: This Standard specifies secure hash algorithms - SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 - for computing a condensed representation of electronic data (message). When a message of any length less than 2^{64} bits (for SHA-1, SHA-224 and SHA-256) or less than 2^{128} bits (for SHA-384, SHA-512, SHA-512/224 and SHA-512/256) is input to a hash algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits).
The hash algorithms specified in this Standard are called secure because, for a given algorithm, it is computationally infeasible 1) to find a message that corresponds to a given message digest, or 2) to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This will result in a verification failure when the secure hash algorithm is used with a digital signature algorithm or a keyed-hash message authentication algorithm.
This Standard supersedes FIPS 180-3 [FIPS 180-3].
Approving Authority: Secretary of Commerce.
Maintenance Agency: U.S. Department of Commerce, National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL).
Applicability: This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information that is not subject to Title 10 United States Code Section 2315 (10 USC 2315) and that is not within a national security system as defined in Title 40 United States Code Section 11103(a)(1) (40 USC 11103(a)(1)). Either this Standard or Federal Information Processing Standard (FIPS) 202 must be implemented wherever a secure hash algorithm is required for Federal applications, including as a component within other cryptographic algorithms and protocols. This Standard may be adopted and used by non-Federal Government organizations.
Specifications: Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS) (affixed).
Implementations: The secure hash algorithms specified herein may be implemented in software, firmware, hardware or any combination thereof. Only algorithm implementations that are validated by NIST will be considered as complying with this standard. Information about the validation program can be obtained at http://csrc.nist.gov/groups/STM/index.html.
Implementation Schedule: Guidance regarding the testing and validation to FIPS 180-4 and its relationship to FIPS 140-2 can be found in IG 1.10 of the Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program at http://csrc.nist.gov/groups/STM/cmvp/index.html.
Patents: Implementations of the secure hash algorithms in this standard may be covered by U.S. or foreign patents.
Export Control: Certain cryptographic devices and technical data regarding them are subject to Federal export controls. Exports of cryptographic modules implementing this standard and technical data regarding them must comply with these Federal regulations and be licensed by the Bureau of Export Administration of the U.S. Department of Commerce. Information about export regulations is available at: http://www.bis.doc.gov/index.htm.
Qualifications: While it is the intent of this Standard to specify general security requirements for generating a message digest, conformance to this Standard does not assure that a particular implementation is secure. The responsible authority in each agency or department shall assure that an overall implementation provides an acceptable level of security. This Standard will be reviewed every five years in order to assess its adequacy.
Waiver Procedure: The Federal Information Security Management Act (FISMA) does not allow for waivers to a FIPS that is made mandatory by the Secretary of Commerce.
Where to Obtain Copies of the Standard: This publication is available electronically by accessing http://csrc.nist.gov/publications/. Other computer security publications are available at the same web site.
Federal Information
Processing Standards Publication 180-4
Specifications for the
Table of Contents
This Standard specifies secure hash algorithms, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. All of the algorithms are iterative, one-way hash functions that can process a message to produce a condensed representation called a message digest. These algorithms enable the determination of a message’s integrity: any change to the message will, with a very high probability, result in a different message digest. This property is useful in the generation and verification of digital signatures and message authentication codes, and in the generation of random numbers or bits.
Each algorithm can be described in two stages: preprocessing and hash computation. Preprocessing involves padding a message, parsing the padded message into m-bit blocks, and setting initialization values to be used in the hash computation. The hash computation generates a message schedule from the padded message and uses that schedule, along with functions, constants, and word operations to iteratively generate a series of hash values. The final hash value generated by the hash computation is used to determine the message digest.
The algorithms differ most significantly in the security strengths that are provided for the data being hashed. The security strengths of these hash functions and the system as a whole when each of them is used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, can be found in [SP 800-57] and [SP 800-107].
Additionally, the algorithms differ in terms of the size of the blocks and words of data that are used during hashing or message digest sizes. Figure 1 presents the basic properties of these hash algorithms.
| Algorithm | Message Size (bits) | Block Size (bits) | Word Size (bits) | Message Digest Size (bits) |
|---|---|---|---|---|
| SHA-1 | < 2^{64} | 512 | 32 | 160 |
| SHA-224 | < 2^{64} | 512 | 32 | 224 |
| SHA-256 | < 2^{64} | 512 | 32 | 256 |
| SHA-384 | < 2^{128} | 1024 | 64 | 384 |
| SHA-512 | < 2^{128} | 1024 | 64 | 512 |
| SHA-512/224 | < 2^{128} | 1024 | 64 | 224 |
| SHA-512/256 | < 2^{128} | 1024 | 64 | 256 |
Figure 1: Secure Hash Algorithm Properties
| Bit | A binary digit having a value of 0 or 1. |
| Byte | A group of eight bits. |
| FIPS | Federal Information Processing Standard. |
| NIST | National Institute of Standards and Technology. |
| SHA | Secure Hash Algorithm. |
| SP | Special Publication. |
| Word | A group of either 32 bits (4 bytes) or 64 bits (8 bytes), depending on the secure hash algorithm. |
The following parameters are used in the secure hash algorithm specifications in this Standard.
| a, b, c, \ldots, h | Working variables that are the w-bit words used in the computation of the hash values, H^{(i)}. |
| H^{(i)} | The i^{th} hash value. H^{(0)} is the initial hash value; H^{(N)} is the final hash value and is used to determine the message digest. |
| H_j^{(i)} | The j^{th} word of the i^{th} hash value, where H_0^{(i)} is the left-most word of hash value i. |
| K_t | Constant value to be used for the iteration t of the hash computation. |
| k | Number of zeroes appended to a message during the padding step. |
| \ell | Length of the message, M, in bits. |
| m | Number of bits in a message block, M^{(i)}. |
| M | Message to be hashed. |
| M^{(i)} | Message block i, with a size of m bits. |
| M_j^{(i)} | The j^{th} word of the i^{th} message block, where M_0^{(i)} is the left-most word of message block i. |
| n | Number of bits to be rotated or shifted when a word is operated upon. |
| N | Number of blocks in the padded message. |
| T | Temporary w-bit word used in the hash computation. |
| w | Number of bits in a word. |
| W_t | The t^{th} w-bit word of the message schedule. |
The following symbols are used in the secure hash algorithm specifications; each operates on w-bit words.
| \wedge | Bitwise AND operation. |
| \vee | Bitwise OR (“inclusive-OR”) operation. |
| \oplus | Bitwise XOR (“exclusive-OR”) operation. |
| \neg | Bitwise complement operation. |
| + | Addition modulo 2^w. |
| << | Left-shift operation, where x << n is obtained by discarding the left-most n bits of the word x and then padding the result with n zeroes on the right. |
| >> | Right-shift operation, where x >> n is obtained by discarding the right-most n bits of the word x and then padding the result with n zeroes on the left. |
The following operations are used in the secure hash algorithm specifications:
| ROTL^n(x) | The rotate left (circular left shift) operation, where x is a w-bit word and n is an integer with 0 \leq n < w, is defined by ROTL^n(x) = (x << n) \vee (x >> w - n). |
| ROTR^n(x) | The rotate right (circular right shift) operation, where x is a w-bit word and n is an integer with 0 \leq n < w, is defined by ROTR^n(x) = (x >> n) \vee (x << w - n). |
| SHR^n(x) | The right shift operation, where x is a w-bit word and n is an integer with 0 \leq n < w, is defined by SHR^n(x) = x >> n. |
The following terminology related to bit strings and integers will be used.
A hex digit is an element of the set {0, 1, …, 9, a, …, f}. A hex digit is the representation of a 4-bit string. For example, the hex digit “7” represents the 4-bit string “0111”, and the hex digit “a” represents the 4-bit string “1010”.
A word is a w-bit string that may be represented as a sequence of hex digits. To convert a word to hex digits, each 4-bit string is converted to its hex digit equivalent, as described in (1) above. For example, the 32-bit string
1010 0001 0000 0011 1111 1110 0010 0011can be expressed as “a103fe23”, and the 64-bit
string
1010 0001 0000 0011 1111 1110 0010 0011
0011 0010 1110 1111 0011 0000 0001 1010can be expressed as “a103fe2332ef301a”.
Throughout this specification, the “big-endian” convention is used when expressing both 32- and 64-bit words, so that within each word, the most significant bit is stored in the left-most bit position.
An integer may be represented as a word or pair of words. A word representation of the message length, \ell, in bits, is required for the padding techniques of Sec. 5.1.
An integer between 0 and 2^{32}-1
inclusive may be represented as a 32-bit word. The least significant
four bits of the integer are represented by the right-most hex digit of
the word representation. For example, the integer 291 = 2^8 + 2^5 + 2^1 + 2^0 = 256+32+2+1 is
represented by the hex word “00000123”.
The same holds true for an integer between 0 and 2^{64}-1 inclusive, which may be represented as a 64-bit word.
If Z is an integer, 0 \leq Z < 2^{64}, then Z = 2^{32}X + Y, where 0 \leq X < 2^{32} and 0 \leq Y < 2^{32}. Since X and Y can be represented as 32-bit words x and y, respectively, the integer Z can be represented as the pair of words (x, y). This property is used for SHA-1, SHA-224 and SHA-256.
If Z is an integer, 0 \leq Z < 2^{128}, then Z = 2^{64}X + Y, where 0 \leq X < 2^{64} and 0 \leq Y < 2^{64}. Since X and Y can be represented as 64-bit words x and y, respectively, the integer Z can be represented as the pair of words (x, y). This property is used for SHA-384, SHA-512, SHA-512/224 and SHA-512/256.
For the secure hash algorithms, the size of the message block - m bits - depends on the algorithm.
For SHA-1, SHA-224 and SHA-256, each message block has 512 bits, which are represented as a sequence of sixteen 32-bit words.
For SHA-384, SHA-512, SHA-512/224 and SHA-512/256 each message block has 1024 bits, which are represented as a sequence of sixteen 64-bit words.
The following operations are applied to w-bit words in all five secure hash algorithms. SHA-1, SHA-224 and SHA-256 operate on 32-bit words (w=32), and SHA-384, SHA-512, SHA-512/224 and SHA-512/256 operate on 64-bit words (w=64).
Bitwise logical word operations: \wedge, \vee, \oplus, and \neg (see Sec. 2.2.2).
Addition modulo 2^w.
The operation x + y is defined as follows. The words x and y represent integers X and Y, where 0 \leq X < 2^w and 0 \leq Y < 2^w. For positive integers U and V, let U \bmod V be the remainder upon dividing U by V. Compute
Z = (X + Y) \bmod 2^w.
Then 0 \leq Z < 2^w. Convert the integer Z to a word, z, and define z = x + y.
The right shift operation SHR n x, where
x is a w-bit word and n is an integer with 0 \leq n < w, is defined by
def SHR (n : Nat) (x : Word w) : Word w := x >> nThis operation is used in the SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 algorithms.
ROTR n x, where x is a
w-bit word and n is an integer
with 0 \leq n < w, is defined
bydef ROTR (n : Nat) (x : Word w) : Word w := (x >> n) ∨ (x << (w - n))Thus, ROTR n x is equivalent to a circular shift
(rotation) of x by n positions to the right.
This operation is used by the SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 algorithms.
ROTL n x, where x is a
w-bit word and n is an integer
with 0 \leq n < w, is defined
bydef ROTL (n : Nat) (x : Word w) : Word w := (x << n) ∨ (x >> (w - n))Thus, ROTL n x is equivalent to a circular shift
(rotation) of x by n positions to the left.
This operation is used only in the SHA-1 algorithm.
theorem ROTL_eq_ROTR {w n m : Nat} (hn : n < w) (hm : m < w) (heq : n + m = w)
(x : BitVec w) : ROTL n x = ROTR m xtheorem ROTR_eq_ROTL {w n m : Nat} (hn : n < w) (hm : m < w) (heq : n + m = w)
(x : BitVec w) : ROTR n x = ROTL m xThis section defines the functions that are used by each of the algorithms. Although the SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 algorithms all use similar functions, their descriptions are separated into sections for SHA-224 and SHA-256 (Sec. 4.1.2) and for SHA-384, SHA-512, SHA-512/224 and SHA-512/256 (Sec. 4.1.3), since the input and output for these functions are words of different sizes. Each of the algorithms include Ch(x, y, z) and Maj(x, y, z) functions; the exclusive-OR operation (\oplus) in these functions may be replaced by a bitwise OR operation (\vee) and produce identical results.
SHA-1 uses a sequence of logical functions, f_0, f_1, \ldots, f_{79}. Each function f_t, where 0 \leq t \leq 79, operates on three 32-bit words, x, y, and z, and produces a 32-bit word as output. The function f_t(x, y, z) is defined as follows:
def f (t : Nat) (x y z : Word) : Word :=
if t ≤ 19 then /- Ch(x, y, z) -/ (x ∧ y) ⊕ (¬x ∧ z)
else if t ≤ 39 then /- Parity(x, y, z) -/ x ⊕ y ⊕ z
else if t ≤ 59 then /- Maj(x, y, z) -/ (x ∧ y) ⊕ (x ∧ z) ⊕ (y ∧ z)
else /- Parity(x, y, z) -/ x ⊕ y ⊕ zSHA-224 and SHA-256 both use six logical functions, where each function operates on 32-bit words, which are represented as x, y, and z. The result of each function is a new 32-bit word.
def Ch (x y z : Word) : Word := (x ∧ y) ⊕ (¬x ∧ z)def Maj (x y z : Word) : Word := (x ∧ y) ⊕ (x ∧ z) ⊕ (y ∧ z)def bigSigma0 (x : Word) : Word := ROTR 2 x ⊕ ROTR 13 x ⊕ ROTR 22 xdef bigSigma1 (x : Word) : Word := ROTR 6 x ⊕ ROTR 11 x ⊕ ROTR 25 xdef smallSigma0 (x : Word) : Word := ROTR 7 x ⊕ ROTR 18 x ⊕ SHR 3 xdef smallSigma1 (x : Word) : Word := ROTR 17 x ⊕ ROTR 19 x ⊕ SHR 10 xSHA-384, SHA-512, SHA-512/224 and SHA-512/256 use six logical functions, where each function operates on 64-bit words, which are represented as x, y, and z. The result of each function is a new 64-bit word.
def Ch (x y z : Word) : Word := (x ∧ y) ⊕ (¬x ∧ z)def Maj (x y z : Word) : Word := (x ∧ y) ⊕ (x ∧ z) ⊕ (y ∧ z)def bigSigma0 (x : Word) : Word := ROTR 28 x ⊕ ROTR 34 x ⊕ ROTR 39 xdef bigSigma1 (x : Word) : Word := ROTR 14 x ⊕ ROTR 18 x ⊕ ROTR 41 xdef smallSigma0 (x : Word) : Word := ROTR 1 x ⊕ ROTR 8 x ⊕ SHR 7 xdef smallSigma1 (x : Word) : Word := ROTR 19 x ⊕ ROTR 61 x ⊕ SHR 6 xSHA-1 uses a sequence of eighty constant 32-bit words, K_0, K_1, \ldots, K_{79}, which are given by
def K (t : Nat) : Word :=
if t ≤ 19 then 0x5a827999
else if t ≤ 39 then 0x6ed9eba1
else if t ≤ 59 then 0x8f1bbcdc
else 0xca62c1d6SHA-224 and SHA-256 use the same sequence of sixty-four constant 32-bit words, K_0^{\{256\}}, K_1^{\{256\}}, \ldots, K_{63}^{\{256\}}. These words represent the first thirty-two bits of the fractional parts of the cube roots of the first sixty-four prime numbers. In hex, these constant words are (from left to right)
def K : Schedule := #[
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
]SHA-384, SHA-512, SHA-512/224 and SHA-512/256 use the same sequence of eighty constant 64-bit words, K_0^{\{512\}}, K_1^{\{512\}}, \ldots, K_{79}^{\{512\}}. These words represent the first sixty-four bits of the fractional parts of the cube roots of the first eighty prime numbers. In hex, these constant words are (from left to right)
def K : Schedule := #[
0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694,
0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4,
0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70,
0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b,
0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30,
0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b,
0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817
]Preprocessing consists of three steps: padding the message, M (Sec. 5.1), parsing the message into message blocks (Sec. 5.2), and setting the initial hash value, H^{(0)} (Sec. 5.3).
The purpose of this padding is to ensure that the padded message is a multiple of 512 or 1024 bits, depending on the algorithm. Padding can be inserted before hash computation begins on a message, or at any other time during the hash computation prior to processing the block(s) that will contain the padding.
Suppose that the length of the message, M, is \ell bits. Append the bit “1” to the end of the message, followed by k zero bits, where k is the smallest, non-negative solution to the equation \ell + 1 + k \equiv 448 \mod 512. Then append the 64-bit block that is equal to the number \ell expressed using a binary representation. For example, the (8-bit ASCII) message “abc” has length 8 \times 3 = 24, so the message is padded with a one bit, then 448 - (24 + 1) = 423 zero bits, and then the message length, to become the 512-bit padded message
423 64
┌─┴─┐ ┌───┴───┐
01100001 01100010 01100011 1 00…00 00…011000
└───┬──┘ └───┬──┘ └───┬──┘ └──┬─┘
"a" "b" "c" l = 24The length of the padded message should now be a multiple of 512 bits.
def pad (M : Message) : Message :=
-- Length of the message M is ℓ bits.
let ℓ := M.length
-- k is the smallest non-negative solution to ℓ + 1 + k ≡ 448 (mod 512).
let k := min { k < 512 | ℓ + 1 + k ≡ 448 [MOD 512] }
-- Append "1", k zero bits, and the 64-bit binary representation of ℓ.
M ++ [true] ++ List.replicate k false ++ (List.range 64).reverse.map ℓ.testBitSuppose the length of the message M, in bits, is \ell bits. Append the bit “1” to the end of the message, followed by k zero bits, where k is the smallest non-negative solution to the equation \ell + 1 + k \equiv 896 \mod 1024. Then append the 128-bit block that is equal to the number \ell expressed using a binary representation. For example, the (8-bit ASCII) message “abc” has length 8 \times 3 = 24, so the message is padded with a one bit, then 896 - (24 + 1) = 871 zero bits, and then the message length, to become the 1024-bit padded message
871 128
┌─┴─┐ ┌───┴───┐
01100001 01100010 01100011 1 00…00 00…011000
└───┬──┘ └───┬──┘ └───┬──┘ └──┬─┘
"a" "b" "c" l = 24The length of the padded message should now be a multiple of 1024 bits.
def pad (M : Message) : Message :=
-- Length of the message M is ℓ bits.
let ℓ := M.length
-- k is the smallest non-negative solution to ℓ + 1 + k ≡ 896 (mod 1024).
let k := min { k < 1024 | ℓ + 1 + k ≡ 896 [MOD 1024] }
-- Append "1", k zero bits, and the 128-bit binary representation of ℓ.
M ++ [true] ++ List.replicate k false ++ (List.range 128).reverse.map ℓ.testBitThe message and its padding must be parsed into N m-bit blocks.
For SHA-1, SHA-224 and SHA-256, the message and its padding are parsed into N 512-bit blocks, M^{(1)}, M^{(2)}, \ldots, M^{(N)}. Since the 512 bits of the input block may be expressed as sixteen 32-bit words, the first 32 bits of message block i are denoted M_0^{(i)}, the next 32 bits are M_1^{(i)}, and so on up to M_{15}^{(i)}.
def parse (M : Message) : Array Block :=
-- Split into 512-bit blocks, then split each block into sixteen 32-bit words.
M.toChunks 512 |>.toArray |>.map fun b =>
b.toChunks 32 |>.map Word.fromBits |>.toArrayFor SHA-384, SHA-512, SHA-512/224 and SHA-512/256, the message and its padding are parsed into N 1024-bit blocks, M^{(1)}, M^{(2)}, \ldots, M^{(N)}. Since the 1024 bits of the input block may be expressed as sixteen 64-bit words, the first 64 bits of message block i are denoted M_0^{(i)}, the next 64 bits are M_1^{(i)}, and so on up to M_{15}^{(i)}.
def parse (M : Message) : Array Block :=
-- Split into 1024-bit blocks, then split each block into sixteen 64-bit words.
M.toChunks 1024 |>.toArray |>.map fun b =>
b.toChunks 64 |>.map Word.fromBits |>.toArrayBefore hash computation begins for each of the secure hash algorithms, the initial hash value, H^{(0)}, must be set. The size and number of words in H^{(0)} depends on the message digest size.
For SHA-1, the initial hash value, H^{(0)}, shall consist of the following five 32-bit words, in hex:
def H0 : HashValue := #[
0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0
]For SHA-224, the initial hash value, H^{(0)}, shall consist of the following eight 32-bit words, in hex:
def H0_224 : HashValue := #[
0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4
]For SHA-256, the initial hash value, H^{(0)}, shall consist of the following eight 32-bit words, in hex:
def H0_256 : HashValue := #[
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
]These words were obtained by taking the first thirty-two bits of the fractional parts of the square roots of the first eight prime numbers.
For SHA-384, the initial hash value, H^{(0)}, shall consist of the following eight 64-bit words, in hex:
def H0_384 : HashValue := #[
0xcbbb9d5dc1059ed8, 0x629a292a367cd507, 0x9159015a3070dd17, 0x152fecd8f70e5939,
0x67332667ffc00b31, 0x8eb44a8768581511, 0xdb0c2e0d64f98fa7, 0x47b5481dbefa4fa4
]These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the ninth through sixteenth prime numbers.
For SHA-512, the initial hash value, H^{(0)}, shall consist of the following eight 64-bit words, in hex:
def H0_512 : HashValue := #[
0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179
]These words were obtained by taking the first sixty-four bits of the fractional parts of the square roots of the first eight prime numbers.
“SHA-512/t” is the general name for a t-bit hash function based on SHA-512 whose output is truncated to t bits. Each hash function requires a distinct initial hash value. This section provides a procedure for determining the initial value for SHA-512/t for a given value of t.
For SHA-512/t, t is any positive integer without a leading
zero such that t < 512, and t is not 384. For example: t is 256, but not 0256, and “SHA-512/t” is “SHA-512/256” (an 11 character long
ASCII string), which is equivalent to
53 48 41 2D 35 31 32 2F 32 35 36 in hexadecimal.
The initial hash value H^{(0)} for SHA-512/t is generated as follows: each word of the SHA-512 IV (§5.3.5) is XOR-ed with \texttt{a5a5a5a5a5a5a5a5} to obtain a temporary IV H^{(0)\prime\prime}, and H^{(0)} is then SHA-512(“SHA-512/t”) using H^{(0)\prime\prime} as the IV.
def H0_t (t : {t : Nat // 0 < t ∧ t < 512 ∧ t ≠ 384}) : HashValue :=
-- Build H'' by XOR-ing each word of the SHA-512 IV with 0xa5a5a5a5a5a5a5a5.
let H'' := H0_512.map (· ⊕ (0xa5a5a5a5a5a5a5a5 : Word))
-- Run SHA-512 on the ASCII string "SHA-512/t" using H'' as the initial IV.
let M := Message.fromString s!"SHA-512/{t}"
let blocks := parse (pad M)
blocks.foldl compress H''SHA-512/224 (t = 224) and SHA-512/256 (t = 256) are approved hash algorithms. Other SHA-512/t hash algorithms with different t values may be specified in [SP 800-107] in the future as the need arises. Below are the IVs for SHA-512/224 and SHA-512/256.
For SHA-512/224, the initial hash value, H^{(0)}, shall consist of the following eight 64-bit words, in hex:
def H0_512_224 : HashValue := #[
0x8C3D37C819544DA2, 0x73E1996689DCD4D6, 0x1DFAB7AE32FF9C82, 0x679DD514582F9FCF,
0x0F6D2B697BD44DA8, 0x77E36F7304C48942, 0x3F9D85A86A1D36C8, 0x1112E6AD91D692A1
]These words were obtained by executing the SHA-512/t IV Generation Function with t = 224.
theorem H0_512_224_correct : H0_t 224 = H0_512_224For SHA-512/256, the initial hash value, H^{(0)}, shall consist of the following eight 64-bit words, in hex:
def H0_512_256 : HashValue := #[
0x22312194FC2BF72C, 0x9F555FA3C84C64C2, 0x2393B86B6F53B151, 0x963877195940EABD,
0x96283EE2A88EFFE3, 0xBE5E1E2553863992, 0x2B0199FC2C85B8AA, 0x0EB72DDC81C52CA2
]These words were obtained by executing the SHA-512/t IV Generation Function with t = 256.
theorem H0_512_256_correct : H0_t 256 = H0_512_256In the following sections, the hash algorithms are not described in ascending order of size. SHA-256 is described before SHA-224 because the specification for SHA-224 is identical to SHA-256, except that different initial hash values are used, and the final hash value is truncated to 224 bits for SHA-224. The same is true for SHA-512, SHA-384, SHA-512/224 and SHA-512/256, except that the final hash value is truncated to 224 bits for SHA-512/224, 256 bits for SHA-512/256 or 384 bits for SHA-384.
For each of the secure hash algorithms, there may exist alternate computation methods that yield identical results; one example is the alternative SHA-1 computation described in Sec. 6.1.3. Such alternate methods may be implemented in conformance to this standard.
SHA-1 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{64}. The algorithm uses 1) a message schedule of eighty 32-bit words, 2) five working variables of 32 bits each, and 3) a hash value of five 32-bit words. The final result of SHA-1 is a 160-bit message digest.
The words of the message schedule are labeled W_0, W_1, \ldots, W_{79}. The five working variables are labeled a, b, c, d, and e. The words of the hash value are labeled H_0^{(i)}, H_1^{(i)}, \ldots, H_4^{(i)}, which will hold the initial hash value, H^{(0)}, replaced by each successive intermediate hash value (after each message block is processed), H^{(i)}, and ending with the final hash value, H^{(N)}. SHA-1 also uses a single temporary word, T.
The SHA-1 hash computation uses functions and constants previously defined in Sec. 4.1.1 and Sec. 4.2.1, respectively. Addition (+) is performed modulo 2^{32}.
Each message block, M^{(1)}, M^{(2)}, \ldots, M^{(N)}, is processed in order, using the following steps:
def schedule (M : Block) : Schedule := Id.run do
let mut W : Schedule := Array.replicate 80 default
-- For 0 ≤ t ≤ 15: W_t = M_t^(i)
for t in [0:16] do
W := W.set! t M[t]!
-- For 16 ≤ t ≤ 79: W_t = ROTL^1(W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16})
for t in [16:80] do
W := W.set! t (ROTL 1 (W[t-3]! ⊕ W[t-8]! ⊕ W[t-14]! ⊕ W[t-16]!))
return Wdef compress (H : HashValue) (M : Block) : HashValue := Id.run do
-- Step 1. Prepare the message schedule {W_t}
let W := schedule M
-- Step 2. Initialize the five working variables a, b, c, d, e with H^(i-1)
let mut a := H[0]!
let mut b := H[1]!
let mut c := H[2]!
let mut d := H[3]!
let mut e := H[4]!
-- Step 3. For t = 0 to 79
for t in [0:80] do
let T := ROTL 5 a + f t b c d + e + K t + W[t]!
e := d
d := c
c := ROTL 30 b
b := a
a := T
-- Step 4. Compute the i-th intermediate hash value H^(i)
return #[a + H[0]!, b + H[1]!, c + H[2]!, d + H[3]!, e + H[4]!]After repeating steps one through four a total of N times (i.e., after processing M^{(N)}), the resulting 160-bit message digest of the message, M, is
H_0^{(N)} \| H_1^{(N)} \| H_2^{(N)} \| H_3^{(N)} \| H_4^{(N)}
def sha1 (M : Message) (_h : M.length < 2 ^ 64) : Digest 160 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0
H[0]! ++ H[1]! ++ H[2]! ++ H[3]! ++ H[4]!The SHA-1 hash computation method described in Sec. 6.1.2 assumes that the message schedule W_0, W_1, \ldots, W_{79} is implemented as an array of eighty 32-bit words. This is efficient from the standpoint of the minimization of execution time, since the addresses of W_{t-3}, \ldots, W_{t-16} in step (2) of Sec. 6.1.2 are easily computed.
However, if memory is limited, an alternative is to regard \{W_t\} as a circular queue that may be implemented using an array of sixteen 32-bit words, W_0, W_1, \ldots, W_{15}. The alternate method that is described in this section yields the same message digest as the SHA-1 computation method described in Sec. 6.1.2. Although this alternate method saves sixty-four 32-bit words of storage, it is likely to lengthen the execution time due to the increased complexity of the address computations for the \{W_t\} in step (3).
For this alternate SHA-1 method, let MASK = \texttt{0000000f} (in hex). As in Sec. 6.1.1, addition is performed modulo 2^{32}. Assuming that the preprocessing as described in Sec. 6.1.1 has been performed, the processing of M^{(i)} is as follows:
def compress_alt (H : HashValue) (M : Block) : HashValue := Id.run do
-- Step 1. For t = 0 to 15: W_t = M_t^(i)
let mut W : Schedule := M
-- Step 2. Initialize the five working variables a, b, c, d, e with H^(i-1)
let mut a := H[0]!
let mut b := H[1]!
let mut c := H[2]!
let mut d := H[3]!
let mut e := H[4]!
-- Step 3. For t = 0 to 79
for t in [0:80] do
let s := t % 16 -- s = t ∧ MASK, where MASK = 0x0000000f
if t ≥ 16 then
W := W.set! s
(ROTL 1 (W[(s+13) % 16]! ⊕ W[(s+8) % 16]! ⊕ W[(s+2) % 16]! ⊕ W[s]!))
let T := ROTL 5 a + f t b c d + e + K t + W[s]!
e := d
d := c
c := ROTL 30 b
b := a
a := T
-- Step 4. Compute the i-th intermediate hash value H^(i)
return #[a + H[0]!, b + H[1]!, c + H[2]!, d + H[3]!, e + H[4]!]After repeating steps one through four a total of N times (i.e., after processing M^{(N)}), the resulting 160-bit message digest of the message, M, is
H_0^{(N)} \| H_1^{(N)} \| H_2^{(N)} \| H_3^{(N)} \| H_4^{(N)}
def sha1_alt (M : Message) (_h : M.length < 2 ^ 64) : Digest 160 :=
let blocks := parse (pad M)
let H := blocks.foldl compress_alt H0
H[0]! ++ H[1]! ++ H[2]! ++ H[3]! ++ H[4]!/-- The standard and alternative SHA-1 methods yield the same message digest. -/
theorem sha1_alt_eq_sha1 (M : Message) (h : M.length < 2 ^ 64) :
sha1_alt M h = sha1 M hSHA-256 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{64}. The algorithm uses 1) a message schedule of sixty-four 32-bit words, 2) eight working variables of 32 bits each, and 3) a hash value of eight 32-bit words. The final result of SHA-256 is a 256-bit message digest.
The words of the message schedule are labeled W_0, W_1, \ldots, W_{63}. The eight working variables are labeled a, b, c, d, e, f, g, and h. The words of the hash value are labeled H_0^{(i)}, H_1^{(i)}, \ldots, H_7^{(i)}, which will hold the initial hash value, H^{(0)}, replaced by each successive intermediate hash value (after each message block is processed), H^{(i)}, and ending with the final hash value, H^{(N)}. SHA-256 also uses two temporary words, T_1 and T_2.
The SHA-256 hash computation uses functions and constants previously defined in Sec. 4.1.2 and Sec. 4.2.2, respectively. Addition (+) is performed modulo 2^{32}.
Each message block, M^{(1)}, M^{(2)}, \ldots, M^{(N)}, is processed in order, using the following steps:
def schedule (M : Block) : Schedule := Id.run do
let mut W : Schedule := Array.replicate 64 default
-- For 0 ≤ t ≤ 15: W_t = M_t^(i)
for t in [0:16] do
W := W.set! t M[t]!
-- For 16 ≤ t ≤ 63: W_t = σ_1^(256)(W_{t-2}) + W_{t-7} + σ_0^(256)(W_{t-15}) + W_{t-16}
for t in [16:64] do
W := W.set! t (smallSigma1 W[t-2]! + W[t-7]! + smallSigma0 W[t-15]! + W[t-16]!)
return Wdef compress (H : HashValue) (M : Block) : HashValue := Id.run do
-- Step 1. Prepare the message schedule {W_t}
let W := schedule M
-- Step 2. Initialize the eight working variables a..h with H^(i-1)
let mut a := H[0]!
let mut b := H[1]!
let mut c := H[2]!
let mut d := H[3]!
let mut e := H[4]!
let mut f := H[5]!
let mut g := H[6]!
let mut h := H[7]!
-- Step 3. For t = 0 to 63
for t in [0:64] do
let T1 := h + bigSigma1 e + Ch e f g + K[t]! + W[t]!
let T2 := bigSigma0 a + Maj a b c
h := g
g := f
f := e
e := d + T1
d := c
c := b
b := a
a := T1 + T2
-- Step 4. Compute the i-th intermediate hash value H^(i)
return #[
a + H[0]!, b + H[1]!, c + H[2]!, d + H[3]!,
e + H[4]!, f + H[5]!, g + H[6]!, h + H[7]!
]After repeating steps one through four a total of N times (i.e., after processing M^{(N)}), the resulting 256-bit message digest of the message, M, is
H_0^{(N)} \| H_1^{(N)} \| H_2^{(N)} \| H_3^{(N)} \| H_4^{(N)} \| H_5^{(N)} \| H_6^{(N)} \| H_7^{(N)}
def sha256 (M : Message) (_h : M.length < 2 ^ 64) : Digest 256 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0_256
H[0]! ++ H[1]! ++ H[2]! ++ H[3]! ++ H[4]! ++ H[5]! ++ H[6]! ++ H[7]!SHA-224 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{64}. The function is defined in the exact same manner as SHA-256 (Section 6.2), with the following two exceptions:
H_0^{(N)} \| H_1^{(N)} \| H_2^{(N)} \| H_3^{(N)} \| H_4^{(N)} \| H_5^{(N)} \| H_6^{(N)}
def sha224 (M : Message) (_h : M.length < 2 ^ 64) : Digest 224 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0_224
H[0]! ++ H[1]! ++ H[2]! ++ H[3]! ++ H[4]! ++ H[5]! ++ H[6]!SHA-512 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{128}. The algorithm uses 1) a message schedule of eighty 64-bit words, 2) eight working variables of 64 bits each, and 3) a hash value of eight 64-bit words. The final result of SHA-512 is a 512-bit message digest.
The words of the message schedule are labeled W_0, W_1, \ldots, W_{79}. The eight working variables are labeled a, b, c, d, e, f, g, and h. The words of the hash value are labeled H_0^{(i)}, H_1^{(i)}, \ldots, H_7^{(i)}, which will hold the initial hash value, H^{(0)}, replaced by each successive intermediate hash value (after each message block is processed), H^{(i)}, and ending with the final hash value, H^{(N)}. SHA-512 also uses two temporary words, T_1 and T_2.
The SHA-512 hash computation uses functions and constants previously defined in Sec. 4.1.3 and Sec. 4.2.3, respectively. Addition (+) is performed modulo 2^{64}.
Each message block, M^{(1)}, M^{(2)}, \ldots, M^{(N)}, is processed in order, using the following steps:
def schedule (M : Block) : Schedule := Id.run do
let mut W : Schedule := Array.replicate 80 default
-- For 0 ≤ t ≤ 15: W_t = M_t^(i)
for t in [0:16] do
W := W.set! t M[t]!
-- For 16 ≤ t ≤ 79: W_t = σ_1^(512)(W_{t-2}) + W_{t-7} + σ_0^(512)(W_{t-15}) + W_{t-16}
for t in [16:80] do
W := W.set! t (smallSigma1 W[t-2]! + W[t-7]! + smallSigma0 W[t-15]! + W[t-16]!)
return Wdef compress (H : HashValue) (M : Block) : HashValue := Id.run do
-- Step 1. Prepare the message schedule {W_t}
let W := schedule M
-- Step 2. Initialize the eight working variables a..h with H^(i-1)
let mut a := H[0]!
let mut b := H[1]!
let mut c := H[2]!
let mut d := H[3]!
let mut e := H[4]!
let mut f := H[5]!
let mut g := H[6]!
let mut h := H[7]!
-- Step 3. For t = 0 to 79
for t in [0:80] do
let T1 := h + bigSigma1 e + Ch e f g + K[t]! + W[t]!
let T2 := bigSigma0 a + Maj a b c
h := g; g := f; f := e; e := d + T1
d := c; c := b; b := a; a := T1 + T2
-- Step 4. Compute the i-th intermediate hash value H^(i)
return #[
a + H[0]!, b + H[1]!, c + H[2]!, d + H[3]!,
e + H[4]!, f + H[5]!, g + H[6]!, h + H[7]!
]After repeating steps one through four a total of N times (i.e., after processing M^{(N)}), the resulting 512-bit message digest of the message, M, is
H_0^{(N)} \| H_1^{(N)} \| H_2^{(N)} \| H_3^{(N)} \| H_4^{(N)} \| H_5^{(N)} \| H_6^{(N)} \| H_7^{(N)}
def sha512 (M : Message) (_h : M.length < 2 ^ 128) : Digest 512 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0_512
H[0]! ++ H[1]! ++ H[2]! ++ H[3]! ++ H[4]! ++ H[5]! ++ H[6]! ++ H[7]!SHA-384 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{128}. The algorithm is defined in the exact same manner as SHA-512 (Sec. 6.4), with the following two exceptions:
H_0^{(N)} \| H_1^{(N)} \| H_2^{(N)} \| H_3^{(N)} \| H_4^{(N)} \| H_5^{(N)}
def sha384 (M : Message) (_h : M.length < 2 ^ 128) : Digest 384 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0_384
H[0]! ++ H[1]! ++ H[2]! ++ H[3]! ++ H[4]! ++ H[5]!SHA-512/224 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{128}. The algorithm is defined in the exact same manner as SHA-512 (Sec. 6.4), with the following two exceptions:
def sha512_224 (M : Message) (_h : M.length < 2 ^ 128) : Digest 224 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0_512_224
-- truncate H^(N) to its left-most 224 bits
(H[0]! ++ H[1]! ++ H[2]! ++ H[3]!).leftmost 224SHA-512/256 may be used to hash a message, M, having a length of \ell bits, where 0 \le \ell < 2^{128}. The algorithm is defined in the exact same manner as SHA-512 (Sec. 6.4), with the following two exceptions:
def sha512_256 (M : Message) (_h : M.length < 2 ^ 128) : Digest 256 :=
let blocks := parse (pad M)
let H := blocks.foldl compress H0_512_256
H[0]! ++ H[1]! ++ H[2]! ++ H[3]!Some application may require a hash function with a message digest length different than those provided by the hash functions in this Standard. In such cases, a truncated message digest may be used, whereby a hash function with a larger message digest length is applied to the data to be hashed, and the resulting message digest is truncated by selecting an appropriate number of the leftmost bits. For guidelines on choosing the length of the truncated message digest and information about its security implications for the cryptographic application that uses it, see SP 800-107 [SP 800-107].
The security of the five hash algorithms, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 is discussed in [SP 800-107].
Examples of SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 are available at http://csrc.nist.gov/groups/ST/toolkit/examples.html.
Object identifiers (OIDs) for the SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 algorithms are posted at http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html.
In FIPS 180-3, padding was inserted before hash computation begins. FIPS 140-4 removed this restriction. Padding can be inserted before hash computation begins or at any other time during the hash computation prior to processing the message block(s) containing the padding.
FIPS 180-4 adds two additional algorithms: SHA-512/224 and SHA-512/256 to the Standard and the method for determining the initial value for SHA-512/t for a given value of t.
The following change has been incorporated into FIPS 180-4, as of the date indicated in the table.
| DATE | TYPE | CHANGE | PAGE NUMBER |
|---|---|---|---|
| 5/9/2014 | Editorial | Change “t < 79” to “t \le 79” | Page 10, Section 4.1.1, Line 1 |