“The quick brown fox jumps over the lazy dog” Secure Hash Algorithm Goal is to compute a unique hash value for any input “message”, where a “message” can be anything. SHA-1 (widely used) returns a 160-bit hash value (a.k.a. message digest or strong checksum) “The quick brown fox jumps over the lazy dog” SHA-1 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 160-bits = five 32-bit words SHA-1 some 160-bit value SHA-1 some 160-bit value file: avatar.avi file: chopin.mp3
SHA-1 Just a small change, e.g. from “dog” to “cog”, will completely change the hash value “The quick brown fox jumps over the lazy dog” SHA-1 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 “The quick brown fox jumps over the lazy cog” SHA-1 de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3
Verifying File Integrity VIRUS badFile goodFile NY Times hash(goodFile) BigFirm™ User Software manufacturer wants to ensure that the executable file is received by users without modification … Sends out the file to users and publishes its hash in NY Times The goal is integrity, not secrecy Idea: given goodFile and hash(goodFile), very hard to find badFile such that hash(goodFile)=hash(badFile)
Authentication Bob Alice SECRET SECRET msg, H(SECRET,msg) Alice Bob Alice wants to ensure that nobody modifies message in transit (both integrity and authentication) Idea: given msg, very hard to compute H(SECRET, msg) without SECRET; easy with SECRET
SHA-1 Developed by NIST, specified in the Secure Hash Standard (SHS, FIPS Pub 180), 1993 SHA-1 is specified as the hash algorithm in the Digital Signature Standard (DSS), NIST
General Logic Input message must be < 264 bits not really a problem Message is processed in 512-bit blocks sequentially Message digest is 160 bits
SHA-1 Algorithm Step 1: Padding bits A b-bit message M is padded in the following manner: Add a single “1” to the end of M Then pad message with “0’s” until the length of message is congruent to 448, modulo 512 (which means pad with 0’s until message is 64-bits less than some multiple of 512). Step 2: Appending length as 64 bit unsigned A 64-bit representation of b is appended to the result of Step 1. The resulting message is a multiple of 512 bits e.g. suppose b = 900 2 x 512 = 1024 bits M 1 … 900 900 bits 59 0’s 64 bits
SHA-1 Algorithm Step 3: Buffer initiation – initialize message digest (MD) to these five 32-bit words H0 = 67452301 H1 = efcdab89 H2 = 98badcfe H3 = 10325476 H4 = c3d2e1f0
SHA-1 Algorithm Step 4: Processing of the message (the algorithm) Divide message M into 512-bit blocks, M0, M1, … Mj, … Process each Mj sequentially, one after the other Input: Wt : a 32-bit word from the message Kt : a constant H0, H1, H2, H3, H4 : current MD Output: H0, H1, H2, H3, H4 : new MD
SHA-1 Algorithm Step 4: Cont’d At the beginning of processing each Mj, initialize (A, B, C, D, E) = (H0, H1, H2, H3, H4) Then 80-step processing of 512-bit blocks – 4 rounds, 20 steps each Each step t (0 ≤ t ≤ 79): Wt If t < 16, Wt = tth 32-bit word of Mj If t ≥ 16, Wt = (Wt-3 xor Wt-8 xor Wt-14 xor Wt-16) leftrotate 1
SHA-1 Algorithm Step 4: Cont’d Each step t (0 ≤ t ≤ 79): Kt 0 ≤ t ≤ 19, Kt = 5a827999 20 ≤ t ≤ 39, Kt = 6ed9eba1 40 ≤ t ≤ 59, Kt = 8f1bbcdc 60 ≤ t ≤ 79, Kt = ca62c1d6
SHA-1 Algorithm Step 4: Cont’d Each step t (0 ≤ t ≤ 79): Define F(X, Y, Z) as follows: 0 ≤ t ≤ 19, F(X, Y, Z) = (X and Y) xor ((not X) and Z) 20 ≤ t ≤ 39, F(X, Y, Z) = X xor Y xor Z 40 ≤ t ≤ 59, F(X, Y, Z) = (X and Y) xor (X and Z) xor (Y and Z) 60 ≤ t ≤ 79, F(X, Y, Z) = X xor Y xor Z Then compute (called the SHA-1 step function) T = (A leftrotate 5) + F(B, C, D) + Wt + Kt + E
SHA-1 Algorithm Step 4: Cont’d Each step t (0 ≤ t ≤ 79): The values of (A, B, C, D, E) are updated as follows: (A, B, C, D, E) = (T, A, B leftrotate 30, C, D)
SHA-1 Algorithm Step 4: Cont’d Finally, when all 80 steps have been processed, set H0 = H0 + A H1 = H1 + B H2 = H2 + C H3 = H3 + D H4 = H4 + E
SHA-1 Algorithm Step 5: Output When all Mj have been processed, the 160-bit hash of M is available in H0, H1, H2, H3, and H4
SHA-1 Algorithm More information can be found in the Wikipedia page https://en.wikipedia.org/wiki/SHA-1 where several alternative implementations of the F(X, Y, Z) function are shown.
SHA-1 Algorithm As shown the Wikipedia page.
SHA-1 Algorithm As shown the Wikipedia page.
(provided by testbench) Module Interface Wait in idle state for start, read message starting at message_addr and write final hash {H0, H1, H2, H3, H4} in 5 words to memory starting at output_addr. message_addr and output_addr are word addresses. size is given in number of bytes (not necessarily multiples of 4). Set done to 1 when finished. Memory (provided by testbench) sha1 mem_clk mem_addr[15:0] mem_we mem_write_data [31:0] mem_read_data[31:0] memory interface clk reset_n message_addr[31:0] size[31:0] start done output_addr[31:0]
Module Interface Write the final hash {H0, H1, H2, H3, H4} in 5 words to memory starting at output_addr as follows: mem_addr <= output_addr; mem_write_data <= H0; mem_addr <= output_addr + 1; mem_write_data <= H1; ... mem_addr <= output_addr + 4; mem_write_data <= H4; Just write out H0, H1, etc, without any further byte swapping. output_addr H0 output_addr + 1 H1 output_addr + 2 H2 output_addr + 3 H3 output_addr + 4 H4
(provided by testbench) Module Interface Your assignment is to design the yellow box: module sha1(input logic clk, reset_n, start, input logic [31:0] message_addr, size, output_addr, output logic done, mem_clk, mem_we, output logic [15:0] mem_addr, output logic [31:0] mem_write_data, input logic [31:0] mem_read_data); ... endmodule Memory (provided by testbench) sha1 mem_clk mem_addr[15:0] mem_we mem_write_data [31:0] mem_read_data[31:0] memory interface clk reset_n message_addr[31:0] size[31:0] start done output_addr[31:0]
Disable Block Memories Altera Quartus will automatically replace some registers with block memories, which are not counted in the total number of registers. If you look at the Analysis & Synthesis Summary, you will see a Total block memory bits entry. If it is non-zero, it means block memories were allocated. To provide a common basis for comparison, you should disable the use of block memories. This can be done as follows: In the analysis and synthesis settings, there is an option for auto shift register replacement. Turning that off will disable the use of block memories.
Projects 3 and 4 Project 3: Two parts Determine the number of blocks Design a hash operation block Project 4: Design the entire sha1 module
Project 3: Part 1 Calculate the number of blocks (e.g., if size = 100 bytes, then we have 2 x 512-bit blocks) module calc_num_blocks(input logic [31:0] size, output logic [15:0] num_blocks); function logic [15:0] determine_num_blocks(input logic [31:0] size); ... determine_num_blocks = ...; endfunction assign num_blocks = determine_num_blocks(size); endmodule
Project 3: Part 2 Design a hash operation block module hash_block(input logic [31:0] a, b, c, d, e, w, input logic [7:0] t, output logic [159:0] hash); function logic [159:0] hash_op(input logic [31:0] a, b, c, d, e, w, input logic [7:0] t); ... hash_op = {a1, b1, c1, d1, e1}; endfunction assign hash = hash_op(a, b, c, d, e, w, t); endmodule
Project 3: Both Parts Both calc_num_blocks and hash_block are pure combinational logic modules. Therefore, no Fmax (clock period) will be computed because there will be no clocked flip-flops. Also, the hash_block module has many inputs and outputs, almost 350 “pins”. Therefore, the Fitter (Place & Route) will not work in Quartus since the FPGA device does not have that many pins, so you cannot it run the Fitter part of the compilation process, which is performed by default if you run “Start Compilation”. Instead, you should just run “Start -> Start Analysis & Synthesis” from the “Processing” menu for both parts in Project 3.
Project 4 Design the complete sha1 module module sha1(input logic clk, reset_n, start, input logic [31:0] message_addr, size, output_addr, output logic done, mem_clk, mem_we, output logic [15:0] mem_addr, output logic [31:0] mem_write_data, input logic [31:0] mem_read_data); ... endmodule
Testbenches Testbenches are provided for Projects 3 and 4