For both SHA-1 and SHA-256, one begins by converting the message to a unique representation of the message that is a multiple of 512 bits in length, without loss of information about its exact original length in bits, as follows: append a 1 to the message. Then add as many zeroes as necessary to reach the target length, which is the next possible length that is 64 bits less than a whole multiple of 512 bits. Finally, as a 64-bit binary number, append the original length of the message in bits.
Expand each block of 512, when it becomes time to use it, into a source of 80 32-bit subkeys as follows: the first 16 subkeys are the block itself. All remaining subkeys are generated as follows: subkey N is the exclusive OR of subkeys N-3, N-8, N-14, and N-16, subjected to a circular left shift of one place. (This is the mysterious circular left shift added after the original version of SHA was released.)
Starting from the 160-bit block value (in hexadecimal)
67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0
as input for the processing of the first 512-bit block of the modified message,
for each message block, do the following:
Encipher the starting value using the 80 subkeys for the current message block.
Add each of the 32-bit pieces of the ciphertext result to the starting value, modulo 2^32, of course, and use that result as the starting value for handling the next message block.
The starting value created at the end of handling the last block is the hash value, which is 160 bits long.
The main calculation in SHA enciphers a 160-bit block using 80 32-bit subkeys in 80 rounds. This calculation is somewhat similar to a series of Feistel rounds, except that instead of dividing the block into two halves, it is divided into five pieces. An F-function is calculated from four of the five pieces, although it is really the XOR of a function of three of the pieces and a circular left shift of a fourth, and XORed with one piece, which is also modified by being XORed with the current round's subkey and a constant. The same constant is used over each group of 20 rounds. One of the other blocks is also altered by undergoing a circular left shift, and then the (160-bit) blocks are rotated.
The F-function, as well as the constant, is changed every 20 rounds.
Calling the five pieces of the 160-bit block being "encrypted" a, b, c, d, and e, the rounds of the SHA "block cipher" component proceed as follows:
The following diagram:
illustrates the operation of the Secure Hash Algorithm.
New algorithms were announced shortly after the selection of Rijndael as the Advanced Encryption Standard, SHA-256, SHA-384, and SHA-512. The SHA-384 algorithm is essentially the same as the SHA-512 algorithm, but with a different starting value, and with the final result truncated to 384 bits. Although full specifications for the three new algorithms are available here, I thought I might explain them here as well. (Although I have a description of RIPE-MD available, it was rather too complicated to easily describe in full.)
The SHA-256 algorithm is very similar in structure to SHA-1, but not only does it use eight, rather than five, 32-bit subblocks, but there are other ways in which it is not analogous.
For SHA-256, the message is padded, and divided into 512-bit blocks, in the same way as for SHA-1.
From each block, considered as 16 32-bit words, 64 (rather than 80) 32-bit words are produced, the first 16 being the block itself, and the remaining words being the sum, modulo 2^32, of the following quantities:
One round of the part of SHA-256 that looks like a round of a block cipher is performed for each of these 64 words. For the first block, the initial input values to SHA-256 are:
6A09E667 BB67AE85 3C6EF372 A54FF53A 510E527F 9B05688C 1F83D9AB 5BE0CD19
which are the beginnings, in hexadecimal, of the fractional parts of the square roots of 2, 3, 5, 7, 11, 13, 17, and 19.
The round function of SHA-256 is as follows:
An intermediate result is calculated, which is equal to the modulo 2^32 sum of
The eighth word of the block is modified by having this intermediate result added to it modulo 2^32.
The resulting incompletely modified new value of the eighth word in the block is then added to the fourth word in the block modulo 2^32.
Then, two additional quantities are added to the eighth word in the block modulo 2^32:
Finally, each of the eight words of the block that will ultimately become the hash is moved to the position of the next word in the block, with the first word in the block being replaced by the modified eighth word in the block.
The 64 constant words, added to each word in the expanded block, are:
428A2F98 71374491 B5C0FBCF E9B5DBA5 3956C25B 59F111F1 923F82A4 AB1C5ED5 D807AA98 12835B01 243185BE 550C7DC3 72BE5D74 80DEB1FE 9BDC06A7 C19BF174 E49B69C1 EFBE4786 0FC19DC6 240CA1CC 2DE92C6F 4A7484AA 5CB0A9DC 76F988DA 983E5152 A831C66D B00327C8 BF597FC7 C6E00BF3 D5A79147 06CA6351 14292967 27B70A85 2E1B2138 4D2C6DFC 53380D13 650A7354 766A0ABB 81C2C92E 92722C85 A2BFE8A1 A81A664B C24B8B70 C76C51A3 D192E819 D6990624 F40E3585 106AA070 19A4C116 1E376C08 2748774C 34B0BCB5 391C0CB3 4ED8AA4A 5B9CCA4F 682E6FF3 748F82EE 78A5636F 84C87814 8CC70208 90BEFFFA A4506CEB BEF9A3F7 C67178F2
After this has been done 64 times, the final result is the sum, by individual words modulo 2^32, of the result of this transformation and the original eight-word input.
Thus, one important difference between SHA-256 and SHA-1 is that the nonlinear functions do not change during the hashing of a block, but instead of having only four constants, each of which is used for 20 words, there are now 64 constants, each used for only one word.
SHA-512 is very similar to SHA-256, but not in the way that SHA-256 is similar to SHA-1. SHA-256 and SHA-1 both operate on 32-bit words, although the former operates on a block of eight of them, and the latter operates on a block of five of them. On the other hand, SHA-512 operates on eight 64-bit words, but the procedure it applies to them closely resembles that of SHA-256.
From each block, considered as 16 64-bit words, 80 64-bit words are produced, the first 16 being the block itself, and the remaining words being the sum, modulo 2^64, of the following quantities:
One round of the part of SHA-512 that looks like a round of a block cipher is performed for each of these 80 words. For the first block, the initial input values to SHA-512 are:
6A09E66713BCC908 BB67AE8584CAA73B 3C6EF372FE94F82B A54FF53A5F1D36F1 510E527FADE682D1 9B05688C2B3E6C1F 1F83D9ABFB41BD6B 5BE0CD19137E2179
which are the beginnings, in hexadecimal, of the fractional parts of the square roots of 2, 3, 5, 7, 11, 13, 17, and 19.
The round function of SHA-512 is as follows:
An intermediate result is calculated, which is equal to the modulo 2^32 sum of
The eighth word of the block is modified by having this intermediate result added to it modulo 2^64.
The resulting incompletely modified new value of the eighth word in the block is then added to the fourth word in the block modulo 2^64, and this is the permanent modification of that word for the round.
Then, two additional quantities are also added to the eighth word in the block modulo 2^64:
Finally, each of the eight words of the block that will ultimately become the hash is moved to the position of the next word in the block, with the first word in the block being replaced by the modified eighth word in the block.
The 80 constant words used in SHA-512, derived from the fractional parts of the cube roots of the first eighty primes, are:
428A2F98D728AE22 7137449123EF65CD B5C0FBCFEC4D3B2F E9B5DBA58189DBBC 3956C25BF348B538 59F111F1B605D019 923F82A4AF194F9B AB1C5ED5DA6D8118 D807AA98A3030242 12835B0145706FBE 243185BE4EE4B28C 550C7DC3D5FFB4E2 72BE5D74F27B896F 80DEB1FE3B1696B1 9BDC06A725C71235 C19BF174CF692694 E49B69C19EF14AD2 EFBE4786384F25E3 0FC19DC68B8CD5B5 240CA1CC77AC9C65 2DE92C6F592B0275 4A7484AA6EA6E483 5CB0A9DCBD41FBD4 76F988DA831153B5 983E5152EE66DFAB A831C66D2DB43210 B00327C898FB213F BF597FC7BEEF0EE4 C6E00BF33DA88FC2 D5A79147930AA725 06CA6351E003826F 142929670A0E6E70 27B70A8546D22FFC 2E1B21385C26C926 4D2C6DFC5AC42AED 53380D139D95B3DF 650A73548BAF63DE 766A0ABB3C77B2A8 81C2C92E47EDAEE6 92722C851482353B A2BFE8A14CF10364 A81A664BBC423001 C24B8B70D0F89791 C76C51A30654BE30 D192E819D6EF5218 D69906245565A910 F40E35855771202A 106AA07032BBD1B8 19A4C116B8D2D0C8 1E376C085141AB53 2748774CDF8EEB99 34B0BCB5E19B48A8 391C0CB3C5C95A63 4ED8AA4AE3418ACB 5B9CCA4F7763E373 682E6FF3D6B2B8A3 748F82EE5DEFB2FC 78A5636F43172F60 84C87814A1F0AB72 8CC702081A6439EC 90BEFFFA23631E28 A4506CEBDE82BDE9 BEF9A3F7B2C67915 C67178F2E372532B CA273ECEEA26619C D186B8C721C0C207 EADA7DD6CDE0EB1E F57D4F7FEE6ED178 06F067AA72176FBA 0A637DC5A2C898A6 113F9804BEF90DAE 1B710B35131C471B 28DB77F523047D84 32CAAB7B40C72493 3C9EBE0A15C9BEBC 431D67C49C100D4C 4CC5D4BECB3E42B6 597F299CFC657E2A 5FCB6FAB3AD6FAEC 6C44198C4A475817
After this has been done 80 times, the final result is the sum, by individual words modulo 2^64, of the result of this transformation and the original eight-word input.
As noted above, SHA-384 is identical to SHA-512, except that only the first 384 bits of the hash value are used, and the starting value to the portion that manipulates an eight-word block is different.
It is:
CBBB9D5DC1059ED8 629A292A367CD507 9159015A3070DD17 152FECD8F70E5939 67332667FFC00B31 8EB44A8768581511 DB0C2E0D64F98FA7 47B5481DBEFA4FA4