# Computational Theory

## Introduction

This notebook implements key components of SHA-256 as defined in the Secure Hash Standard (FIPS 180-4).  
SHA-256 is a cryptographic hash function widely used in computing including Bitcoin, SSL/TLS Certification, digital signatures, passwords etc.

### Purpose
The implementation demonstrates understanding of:
- Bitwise logical operations and bit manipulation
- Constant generation
- Message padding for fixed block cyphers

### Structure

This notebook is organised into five problems per the assignment requirements.  
1. Binary Words & Operations - Implementing the seven logical functions used in SHA-256
2. Fractional Parts of Cube Roots - Generating 64 constants from prime number cube roots
3. Padding - Message processing with proper padding to ensure 512-bit blocks
4. Hashes - 
5. Passwords - 
- Technical Glossary - Section for defining operations & common terms used across multiple problems to prevent repeating definitions constantly.

### References
[FIPS 180-4: Secure Hash Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)  
[Markdown Style Guidance](https://www.markdownguide.org)  
[PEP 257: Docstring Conventions](https://peps.python.org/pep-0257/)  
[NumPy Documentation](https://numpy.org/doc/stable/)  
[Claude Code For Debugging, Explanations & General Help/Spitballing](https://claude.ai/) 

Additional references provided in-line throughout the notebook.



## Imports

In [1]:
import numpy as np
from typing import Generator 

## Technical Glossary

This section defines operations & technical terms used throughout the implementation of solutions for the problems set out in the assignment.  

### Bitwise Logical Operations
**Bitwise Operations** are operations that work on the individiual bits of a binary number. Applying the operator to each bit individually but all bits simulatenously.

**XOR (Exclusive OR)**  
Outputs 1 when the input bits are different.  

| A | B | A ⊕ B |
|---|---|-------|
| 0 | 0 |   0   |
| 0 | 1 |   1   |
| 1 | 0 |   1   |
| 1 | 1 |   0   |

**AND**  
Outputs 1 when both input bits are 1  

| A | B | A & B |
|---|---|-------|
| 0 | 0 |   0   |
| 0 | 1 |   0   |
| 1 | 0 |   0   |
| 1 | 1 |   1   |

**NOT**  
Output flips the bits  

| A | ¬A |
|---|----|
| 0 | 1  |
| 1 | 0  |

### Bit Manipulation Operations  

- `ROTR^n(x)`: Rotate right -  shifts bits to the right **n** times, 'fallen' bits move back to the left (start)
- `SHR^n(x)`: Logical shift right - shifts bits to the right **n** times; fills left with zeros  


### Common Terms

- **Bitwise Operation**: Performs an operation on each individual bit 
- **32-bit unsigned integer**: An integer represented by 32 individual bits in a binary sequence. "Unsigned" meaning non-negative values.
- **Diffusion**: Where the input changes are spread throughout the output  

See: [FIPS 180-4, Sections 2.2.2 and 3.2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

## Problem 1 - Binary Words & Operations

### Implementing Parity

**Spec.** Defined in the Secure Hash Standard (FIPS 180-4, Section 4.1.2, p.10) as:
>
>$\text{Parity}(x, y, z) = x \oplus y \oplus z$
>

  
**How it works**:  
Chains XOR operations across three 32-bit integers.  
Since XOR is a binary operation it takes 2 inputs. The expression is evaluated as $(x \oplus y) \oplus z$. The result of x XOR y is then, result XOR z.  

Each output bit is 1 if there is an odd number of input bits set to 1, otherwise 0. This is why its called "Parity" it checks the parity(odd/even count) of bits at each position.


**Example**  
X       =   0110  
Y       =   1110  
Z       =   0010  

Output  =   1010

See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [2]:
def parity(x: int, y: int, z: int) -> np.uint32:
    """
    Bitwise Parity: output bit is 1 if an odd number of input bits are 1.

    Parameters
    ----------
        x, y, z (int / numpy.uint32)
            32-bit unsigned integers.

    Returns
    -------
        numpy.uint32
            The parity of the three integers.

    Raises
    ------
        TypeError
            If any argument is not an integer.
    """

    # Loop over each passed parameter
    for args in (x, y, z):
        # Use isInstance to ensure correct type (object, desired type)
        # See: https://www.w3schools.com/python/ref_func_isinstance.asp
        if not isinstance(args, (int, np.integer)):
            # Raises / Throws a TypeError with a message
            raise TypeError("All arguments must be integers. No other types are allowed.")

    # Cast all inputs as NumPy unsigned 32-bit integers.
    # See: https://numpy.org/doc/stable/reference/arrays.scalars.html#numpy.uint32
    x, y, z = np.uint32(x), np.uint32(y), np.uint32(z)

    # Apply bitwise XOR (^) to the three inputs and return
    return x ^ y ^ z

#### Test Cases (Parity)

Checking
- Correct results for trivial values
- Correct results for non-trivial values
- Type enforcement (raise TypeError for non-integer values)

In [3]:
def test_valid_parity():
    assert parity(1, 0, 0) == np.uint32(1)      # Odd number of 1s
    assert parity(1, 1, 0) == np.uint32(0)      # Even number of 1s
    assert parity(5, 12, 6) == np.uint32(15)    # General (non-trivial) case

def test_parity_type_error():
    try:
        parity(1.5, 2, 3)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")
    
test_valid_parity()
test_parity_type_error()

print("All test cases pass")

All test cases pass


### Implementing Choose (Ch)

**Spec.** Defined in the Secure Hash Standard (FIPS 180-4, Section 4.1.2 p.10) as:
>
>$\text{Ch}(x, y, z) = (x \land y) \oplus (\lnot x \land z)$
>


**How it works**:  
The ch functions uses x as a selector mask. For each bit position , if x is 1, the output takes the bit from y.  
If x is 0, the output takes the bit from z.  

This is achieved by calculating $(x \land y)$ to select bits from y where x is 1, then $(\lnot x \land z)$ to select bits from z where x is 0. Then XOR the results together.

**Example**  
X       =   1110  
Y       =   1010  
Z       =   1111  

Output  =   1011

See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [4]:
def ch(x: int, y: int, z: int) -> np.uint32:
    """
    Bitwise Choose: return bits from y where x is 1, and bits from z where x is 0.

    Parameters
    ----------
        x, y, z : int
            32-bit unsigned integers.

    Returns
    -------
        numpy.uint32
            The output 'masked' value of the three integers.

    Raises
    ------
        TypeError
            If any argument is not an integer.
    """

    # Loop over the parameters passed
    for args in (x, y, z):
        # Use isinstance + raise TypeError as before
        # See: Problem 1 -> Implementing Parity
        if not isinstance(args, (int, np.integer)):
            raise TypeError("All arguments must be integers. No other types are allowed.")

    # Cast values as before, see: Problem 1 -> Implementing Parity
    x, y, z = np.uint32(x), np.uint32(y), np.uint32(z)

    # Perform the bitwise operation and return the value
    return (x & y) ^ (~x & z)

#### Test Cases (Choose)

Checking
- Correct results for trivial values
- Correct results for non-trivial values
- Type enforcement (raise TypeError for non-integer values)

In [5]:
# Same test cases and checks as Problem 1 -> Parity
def test_valid_ch():
    assert ch(1, 0, 0) == np.uint32(0)
    assert ch(1, 1, 0) == np.uint32(1)
    assert ch(5, 12, 6) == np.uint32(6)

def test_ch_type_error():
    try:
        ch(1.5, 2, 3)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")

test_valid_ch()
test_ch_type_error()

print("All test cases pass")

All test cases pass


### Implementing Majority (Maj)

**Spec.** Defined in the Secure Hash Standard (FIPS 180-4, Section 4.1.2, p.10) as:
>
>$\text{maj}(x, y, z) = (x \land y) \oplus (x \land z) \oplus (y \land z)$
>

**How it works**:  
The Maj functions implements majority voting at each bit position. For each bit, the output is 1 if atleast two input bits are 1, otherwise 0.  
This is computed by taking the AND of each pair of inputs $(x \land y)$, $(x \land z)$, and $(y \land z)$, then XOR the three results together.


**Example**  
X       =   11101110  
Y       =   10100101  
Z       =   11111001  

Output  =   11101101

See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [6]:
def maj(x: int, y: int, z: int) -> np.uint32:
    """
    Bitwise Majority: output bit is 1 if two or more input bits are 1.

    Parameters
    ----------
        x, y, z : int
            32-bit unsigned integers.

    Returns
    -------
        numpy.uint32
            The output 'voted' values of the three integers.

    Raises
    ------
        TypeError
            If any argument is not an integer.
    """

    # Loop over args, use isinstance & raise TypeError as before
    # See: Problem 1 -> Implementing Parity
    for args in (x, y, z):
        if not isinstance(args, (int, np.integer)):
            raise TypeError("All arguments must be integers. No other types are allowed.")
    
    # Cast values as before, see: Problem 1 -> Implementing Parity
    x, y, z = np.uint32(x), np.uint32(y), np.uint32(z)

    # Perform the bitwise operation & return the value
    return (x & y) ^ (x & z) ^ (y & z)

#### Test Cases (Majority)

Checking
- Correct results for trivial values
- Correct results for non-trivial values
- Type enforcement (raise TypeError for non-integer values)

In [7]:
# Same test cases and checks as Problem 1 -> Implementing Parity
def test_maj_valid():
    assert maj(1, 0, 0) == np.uint32(0)
    assert maj(1, 1, 0) == np.uint32(1)
    assert maj(5, 12, 6) == np.uint32(4)

def test_maj_type_error():
    try:
        maj(1.5, 2, 3)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")

test_maj_valid()
test_maj_type_error()

print("All test cases pass")


All test cases pass


### Implementing Big & Small Sigmas with Helper Functions

#### Helper Functions

The Sigma functions use bit rotation and shifting operations. These helper functions implement ROTR & SHR as defined in FIPS 180-4, Section 3.2 (p.9).

**Spec.** Defined in the Secure Hash Standard (FIPS 180-4, p.8-9) as:
>
>$\text{ROTR}^n(x) = (x \gg n) \lor (x \ll (w-n))$
>
>$\text{SHR}^n(x) = x \gg n$
>

- `rotr(x, n)`: Rotate right -  shifts bits to the right **n** times, 'fallen' bits move back to the left (start)
- `shr(x, n)`: Logical shift right - shifts bits to the right **n** times; fills left with zeros.

**Example**  
x = 10110011

rotr(x, 2) = 11101100  
shr(x, 4) = 00001011

See: [FIPS 180-4, Section 3.2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [8]:
def rotr(x: int, n: int) -> np.uint32:
    """
    Perform a right rotation on a 32-bit unsigned integer.

    Parameters
    ----------
        x : int
            32-bit unsigned integer to be rotated.
        n : int
            Number of positions to rotate.

    Returns
    -------
        numpy.uint32
            The result of the right rotation as a 32-bit unsigned integer.
    
    Raises
    ------
        TypeError
            If any argument is not an integer.
    """

    # Type check as before
    for args in (x, n):
        if not isinstance(args, (int, np.integer)):
            raise TypeError("All arguments must be integers. No other types are allowed.")
    
    # Early return if n is 0
    if n == 0:
        return x
    
    # Ensure n is within the range of 0-31
    n = n % 32

    # Cast value to ensure correct type and prevent overflow errors
    x = np.uint32(x)

    # Perform the rotation and return the value
    return (x >> n) | (x << (32 - n))

In [9]:
def shr(x: int, n: int) -> np.uint32:
    """
    Perform a logical right shift on a 32-bit unsigned integer.

    Parameters
    ----------
        x : int 
            32-bit unsigned integer to be shifted.
        n : int
            Number of positions to shift.

    Returns
    -------
        numpy.uint32
            The result of the logical right shift as a 32-bit unsigned integer.
    """

    # Type check as before
    for args in (x, n):
        if not isinstance(args, (int, np.integer)):
            raise TypeError("All arguments must be integers. No other types are allowed.")
        
    # Early return if n is 0
    if n == 0:
        return x
    
    # Ensure n is within the range of 0-31
    n = n % 32

    # Cast value to ensure correct type and prevent overflow errors
    x = np.uint32(x)

    # Perform the logical right shift and return the value
    return x >> n

##### Test Cases (Helper Functions)

Checking
- Correct results for passed values
- Type enforcement (raise TypeError for non-integer values)

In [10]:
# Same format for tests as previous sub-problems
def test_rotr_valid():
    assert rotr(10, 1) == np.uint32(5)
    assert rotr(10, 2) == np.uint32(2147483650)
    assert rotr(16, 4) == np.uint32(1)

def test_shr_valid():
    assert shr(10, 1) == np.uint32(5)
    assert shr(10, 2) == np.uint32(2)

def test_rotr_type_error():
    try:
        rotr(1.5, 2)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")

def test_shr_type_error():
    try:
        shr(1.5, 2)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")

test_rotr_valid()
test_shr_valid()
test_rotr_type_error()
test_shr_type_error()

print("All test cases pass")

All test cases pass


#### Big Sigma 0 - $\Sigma_0(x)$

**Spec.** Defined in the Secure Hash Standard (FIPS 180-4, Section 4.1.2, p.10) as:
>
>$\Sigma_0(x) = \text{ROTR}^{2}(x) \oplus \text{ROTR}^{13}(x) \oplus \text{ROTR}^{22}(x)$
>  

**How it works**:  
Rotates the input x by three different amounts (2, 13 and 22 bit positions), then XOR the three results together. This makes sure the bit mixing is rigorous.  

The rotation amounts were chosen during SHA-256's development process to ensure optimal security.

**Example**  
x = 10110011

Each bit is rotated **2**, **13** & **22** times, then XOR'd together | (2 XOR 13) XOR 22.  

See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)


In [11]:
def big_sigma_0(x: int) -> np.uint32:
    """
    Implementing the Big Sigma 0 function used in SHA-256.

    Parameters
    ----------
        x : int
            32-bit unsigned integer.

    Returns
    -------
        numpy.uint32
            Result of ROTR(2) XOR ROTR(13) XOR ROTR(22)

    Raises
    ------
        TypeError
            If the argument is not an integer.
    """
    
    # Type check as before
    if not isinstance(x, (int, np.integer)):
        raise TypeError("Argument must be an integer. No other types are allowed.")

    # Cast to np.uint32 to ensure correct type
    x = np.uint32(x)

    # Perform the Big Sigma 0 operation and return the value
    return np.uint32(rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22))

#### Big Sigma 1 - $\Sigma_1(x)$

**Spec.** Defined in the Secure Hash Standard (FIPS 180-4, Section 4.1.2, p.10) as:
>
>$\Sigma_1(x) = \text{ROTR}^{6}(x) \oplus \text{ROTR}^{11}(x) \oplus \text{ROTR}^{25}(x)$
>  

**How it works**:  
Similar to $\Sigma_0$. Rotates the input x by three different amounts (6, 11 and 25 bit positions), then XOR the three results together. This makes sure the bit mixing is rigorous.  

The rotation amounts were chosen during SHA-256's development process to ensure optimal security.
**Example**  
x = 10110011  

Each bit is rotated **6**, **11** & **25** times, then XOR'd together | (6 XOR 11) XOR 25. 


See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [12]:
def big_sigma_1(x: int) -> np.uint32:
    """
    Implementing the Big Sigma 1 function used in SHA-256.
        
    Parameters
    ----------
        x : int
            32-bit unsigned integer.

    Returns
    -------
        numpy.uint32
            Result of the Big Sigma 1 function as a 32-bit unsigned integer.
    
    Raises
    ------
        TypeError
            If the argument is not an integer.
    """
    
    # Type check as before
    if not isinstance(x, (int, np.integer)):
        raise TypeError("Argument must be an integer. No other types are allowed.")

    # Cast to np.uint32 to ensure correct type as before
    x = np.uint32(x)

    # Perform the Big Sigma 1 operation and return the value
    return np.uint32(rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25))

##### Test Cases (Big Sigma(s))

Checking:
- Correct mathematical implementation by comparing with manual calculations using helper functions
- Type enforcement (raise TypeError for non-integer values)
- Validation for both Big Sigma 0 and Big Sigma 1 functions

In [13]:
def test_bsigma_0_valid():
    assert big_sigma_0(1)  == np.uint32(rotr(1, 2) ^ rotr(1, 13) ^ rotr(1, 22))
    assert big_sigma_0(5)  == np.uint32(rotr(5, 2) ^ rotr(5, 13) ^ rotr(5, 22))
    assert big_sigma_0(10) == np.uint32(rotr(10, 2) ^ rotr(10, 13) ^ rotr(10, 22))

def test_bsigma_1_valid():
    assert big_sigma_1(1)  == np.uint32(rotr(1, 6) ^ rotr(1, 11) ^ rotr(1, 25))
    assert big_sigma_1(5)  == np.uint32(rotr(5, 6) ^ rotr(5, 11) ^ rotr(5, 25))
    assert big_sigma_1(10) == np.uint32(rotr(10, 6) ^ rotr(10, 11) ^ rotr(10, 25))


def test_bsigma_type_error():
    try:
        big_sigma_0(1.5)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")
    
    try:
        big_sigma_1(1.5)
    except TypeError:
        pass
    else:
         raise AssertionError("Expected TypeError for float input")

test_bsigma_0_valid()
test_bsigma_1_valid()
test_bsigma_type_error()

print("All test cases pass")

All test cases pass


### Small Sigma 0 - $\sigma_0(x)$  

**Specification** (FIPS 180-4, Section 4.1.2, p.10):
>
> $\sigma_0(x) = \text{ROTR}^{7}(x) \oplus \text{ROTR}^{18}(x) \oplus \text{SHR}^{3}(x)$
>  

**How it works**:  
Combines two rotations (7 and 18 bit positions) with one logical right shift (3 positions), then XORs all three results together. Unlike the Big Sigma functions which only use rotation, this function includes a shift operation that discards bits, creating a different mixing pattern.

See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [14]:
def small_sigma_0(x: int) -> np.uint32:
    """
    Implementing the Small Sigma 0 function used in SHA-256.

    Parameters
    ----------
        x : int
            32-bit unsigned integer.

    Returns
    -------
        numpy.uint32
            Result of the Small Sigma 0 function as a 32-bit unsigned integer.

    Raises
    ------
        TypeError
            If the argument is not an integer.
    """
    
    # Type check as before
    if not isinstance(x, (int, np.integer)):
        raise TypeError("Argument must be an integer. No other types are allowed.")
    
    # Cast to np.uint32 to ensure correct type as before
    x = np.uint32(x)

    # Perform the Small Sigma 0 operation and return the value
    return np.uint32(rotr(x, 7) ^ rotr(x, 18) ^ shr(x, 3))

### Small Sigma 1 - $\sigma_1(x)$

**Specification** (FIPS 180-4, Section 4.1.2, p.10):
>
> $\sigma_1(x) = \text{ROTR}^{17}(x) \oplus \text{ROTR}^{19}(x) \oplus \text{SHR}^{10}(x)$
>  

**How it works**:  
Combines two rotations (17 and 19 bit positions) with one logical right shift (10 positions), then XORs all three results together. Like $\sigma_0$, this uses both rotation and shift operations for bit mixing.

See: [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [15]:
def small_sigma_1(x: int) -> np.uint32:
    """
    Implementing the Small Sigma 1 function used in SHA-256.

    Parameters
    ----------
        x : int 
            32-bit unsigned integer.

    Returns
    -------
        numpy.uint32
            Result of the Small Sigma 1 function as a 32-bit unsigned integer.
    
    Raises
    ------
        TypeError
            If the argument is not an integer.
    """

    # Type check as before
    if not isinstance(x, (int, np.integer)):
        raise TypeError("Argument must be an integer. No other types are allowed.")

    # Cast to np.uint32 to ensure correct type as before
    x = np.uint32(x)

    # Perform the Small Sigma 1 operation and return the value
    return np.uint32(rotr(x, 17) ^ rotr(x, 19) ^ shr(x, 10))

##### Test Cases (Small Sigma(s))

Checking:
- Correct mathematical implementation by comparing with manual calculations using helper functions
- Type enforcement (raise TypeError for non-integer values)
- Validation for both Small Sigma 0 and Small Sigma 1 functions

In [16]:
def test_ssigma_0_valid():
    assert small_sigma_0(1)  == np.uint32(rotr(1, 7) ^ rotr(1, 18) ^ shr(1, 3))
    assert small_sigma_0(5)  == np.uint32(rotr(5, 7) ^ rotr(5, 18) ^ shr(5, 3))
    assert small_sigma_0(10) == np.uint32(rotr(10, 7) ^ rotr(10, 18) ^ shr(10, 3))

def test_ssigma_type_error():
    try:
        small_sigma_0(1.5)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")
    
    try:
        small_sigma_1(1.5)
    except TypeError:
        pass
    else:
         raise AssertionError("Expected TypeError for float input")

test_ssigma_0_valid()
test_ssigma_type_error()

print("All test cases pass")

All test cases pass


## Problem 2 - Fractional Parts of Cube Roots

### Implementing Primes

**What is a prime number** A prime number is divisible by itself and 1 only.

**Spec.** SHA-256 derives constants based off prime numbers.

Constants listed in the Secure Hash Standard  
See: [FIPS 180-4, Sections 4.2.2, p.11](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

  
**How it works**:  
- Performs input & type validation
- Create a list with first prime (2)
- Loops until the list of `primes` is length of `n`
- Checks if the number is divisible by any of the current primes found
- Jumps 2 numbers to check at a time (all even numbers > 2 aren't prime)



References:  
See: [GeeksForGeeks Code Example](https://www.geeksforgeeks.org/dsa/generate-and-print-first-n-prime-numbers/)


In [17]:
def primes(n: int) -> list[int]:
    """
    Generate the first n prime numbers.

    Parameters
    ----------
        n : int

    Returns
    -------
        list[int]
            A list of the first n prime numbers.

    Raises
    ------
        TypeError
            If the argument is not an integer.
        ValueError
            If the argument is not a positive integer.
    """
    # Type check as before
    if not isinstance(n, (int, np.integer)):
        raise TypeError("Argument must be an integer.")
    
    # Ensure n is a positive integer
    if n <= 0:
        raise ValueError("Argument must be a positive integer.")

    # Start with the first prime number in a list
    primes = [2]

    # Start checking for primes from 3 onwards
    num = 3

    # Loop until we have calculated n primes
    while len(primes) < n:
        # Assume number is prime to start
        is_prime = True

        for i in range(len(primes)):
            # Check to see if current number is divisible by any previous primes
            if num % primes[i] == 0:
                # If it is, its not a prime number, skip to next number
                is_prime = False
                break
        
        # If number is still prime, add to list
        if is_prime:
            primes.append(num)

        # Skip even numbers, even numbers above 2 are not prime
        num += 2  

    # Return completed list
    return primes

#### Testing Prime

- Tests to see if the function can return the first N Prime numbers.
- Ensure the correct errors are being raised for passed args.

In [18]:
def test_prime_valid():
    assert primes(5) == [2, 3, 5, 7, 11]
    assert primes(10) == [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]

def test_prime_type_value_error():
    try:
        primes(1.5)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")
    
    try:
        primes(-5)
    except ValueError:
        pass
    else:
         raise AssertionError("Expected ValueError for negative input")
    
test_prime_valid()
test_prime_type_value_error()

print("All test cases pass")

All test cases pass


### Calculating Cube Roots

**What is a cube root?** The cube root of a number x is the value that, when multiplied by itself three times, equals x.  

**Why cube roots?** SHA-256 uses the first 32 bits of the fractional parts of cube roots of the first 64 primes as round constants (K values). These mathematically-derived values follow the "nothing up my sleeve" principle, providing assurance against intentional weaknesses.

**The process:**
1. Calculate the cube root of each prime
2. Extract the fractional part (the digits after the decimal: 0.2599...)
3. Convert to 32-bit representation by multiplying by 2^32 and truncating to integer
4. Display as 8-character hexadecimal string

This matches the first K constant in Secure Hash Standard

See: [FIPS 180-4, Section 4.2.2, p.11](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [19]:
def calc_cube_roots(n: int) -> list[str]:
    """
    Calculate the cube roots of a list of prime numbers.

    Parameters
    ----------
        n : int
            The number of cube roots to calculate.

    Returns
    -------
        list[str]
            A list of hexadecimal strings representing the cube roots.

    Raises
    ------
        TypeError
            If the argument is not a list of integers.
    """
    # Type check as before
    if not isinstance(n, (int, np.integer)):
        raise TypeError("Argument must be an integer.")

    # Get the first n primes from function above
    primes_list = primes(n)

    # Create an empty list to store results
    hex_cube_roots = []

    # Loop over each prime number
    for p in primes_list:
        # Calculate the cube root using numpy.cbrt
        # See: https://numpy.org/doc/stable/reference/generated/numpy.cbrt.html
        cube_root = np.cbrt(p)

        # Extract the fractional part of the cube root
        fractional_part = cube_root % 1

        # Convert the fractional number to 32-bit by multiplying by 2^32
        full_32bit = int(fractional_part * (2**32))

        # Convert to hexadecimal and format to 8 characters
        # See: https://docs.python.org/3/library/functions.html#hex
        hex_value = format(full_32bit, '08x')

        # Append to results list
        hex_cube_roots.append(hex_value)

        # Print the results
        print(hex_value)

    # Return the list of strings
    return hex_cube_roots

#### Test Cases (Cube Roots)

**Testing**:
- Correct calculation of cube roots for first 64 primes
- Proper hexadecimal formatting (8 characters each)
- Type enforcement for invalid inputs
- Validation against SHA-256 K constants 

See: [FIPS 180-4, Section 4.2.2, p.11](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf)


In [20]:
def test_cube_roots():
    # SHA-256 round constants (first 64 cube roots of primes)
    # See: FIPS 180-4, Section 4.2.2, p.11
    # https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf
    secure_hash_constants = ["428a2f98", "71374491", "b5c0fbcf", "e9b5dba5", "3956c25b", "59f111f1", "923f82a4", "ab1c5ed5",
        "d807aa98", "12835b01", "243185be", "550c7dc3", "72be5d74", "80deb1fe", "9bdc06a7", "c19bf174",
        "e49b69c1", "efbe4786", "0fc19dc6", "240ca1cc", "2de92c6f", "4a7484aa", "5cb0a9dc", "76f988da",
        "983e5152", "a831c66d", "b00327c8", "bf597fc7", "c6e00bf3", "d5a79147", "06ca6351", "14292967",
        "27b70a85", "2e1b2138", "4d2c6dfc", "53380d13", "650a7354", "766a0abb", "81c2c92e", "92722c85",
        "a2bfe8a1", "a81a664b", "c24b8b70", "c76c51a3", "d192e819", "d6990624", "f40e3585", "106aa070",
        "19a4c116", "1e376c08", "2748774c", "34b0bcb5", "391c0cb3", "4ed8aa4a", "5b9cca4f", "682e6ff3",
        "748f82ee", "78a5636f", "84c87814", "8cc70208", "90befffa", "a4506ceb", "bef9a3f7", "c67178f2"
    ]

    calculated_constants = calc_cube_roots(64)
    assert calculated_constants == secure_hash_constants, "Calculated constants do not match expected values."

def test_cube_roots_type_error():
    try:
        calc_cube_roots(1.5)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for float input")

test_cube_roots()
test_cube_roots_type_error()
print("All test cases pass")

428a2f98
71374491
b5c0fbcf
e9b5dba5
3956c25b
59f111f1
923f82a4
ab1c5ed5
d807aa98
12835b01
243185be
550c7dc3
72be5d74
80deb1fe
9bdc06a7
c19bf174
e49b69c1
efbe4786
0fc19dc6
240ca1cc
2de92c6f
4a7484aa
5cb0a9dc
76f988da
983e5152
a831c66d
b00327c8
bf597fc7
c6e00bf3
d5a79147
06ca6351
14292967
27b70a85
2e1b2138
4d2c6dfc
53380d13
650a7354
766a0abb
81c2c92e
92722c85
a2bfe8a1
a81a664b
c24b8b70
c76c51a3
d192e819
d6990624
f40e3585
106aa070
19a4c116
1e376c08
2748774c
34b0bcb5
391c0cb3
4ed8aa4a
5b9cca4f
682e6ff3
748f82ee
78a5636f
84c87814
8cc70208
90befffa
a4506ceb
bef9a3f7
c67178f2
All test cases pass


## Problem 3 - Padding

### Implementing Block Parse

**Purpose:** SHA-256 processes messages in fixed-size blocks of 512 bits (64 bytes). Messages of arbitrary length must be padded to ensure the final length is a multiple of 512 bits. This function implements the padding scheme and yields message blocks one at a time.

**What is padding?** Padding adds extra data to a message to reach a required length. For SHA-256, padding ensures:
1. The message ends on a block boundary (multiple of 512 bits)
2. The original message length is preserved and authenticated
3. Different messages produce different padded results (no collisions from padding alone)

**Specification** (FIPS 180-4, Sections 5.1.1 and 5.2.1):

The padding process:
1. Append a single '1' bit (byte `0x80` = `10000000` in binary)
2. Append '0' bits until message length ≡ 448 mod 512 (leaves 64 bits remaining)
3. Append original message length as 64-bit big-endian integer
4. Split padded message into 512-bit blocks

**Why this padding scheme?** 
- The '1' bit ensures there's always at least some padding (prevents ambiguity)
- The length field prevents length-extension attacks
- The specific modulo ensures exactly 64 bits remain for the length

**Example:**  
  
Original message: "abc" (24 bits)  
Step 1 - Append '1' bit:     "abc" + 0x80  
Step 2 - Append zeros:        Pad to 448 bits (56 bytes)  
Step 3 - Append length:       Add 0x0000000000000018 (24 in 64-bit)  
Result: Single 512-bit block  
  
**Generator function:** This implementation uses a Python generator, which yields blocks one at a time rather than returning all blocks at once. This is memory-efficient for large messages.

**Jargon explanation:**
- **Generator**: A function that uses `yield` to produce values one at a time, pausing between each
- **Big-endian**: Most significant byte first (standard network byte order)
- **mod 512**: Remainder when divided by 512

See: [FIPS 180-4, Sections 5.1.1 and 5.2.1](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [21]:
def block_parse(msg: bytes) -> Generator[bytes, None, None]:
    """
    Parse a message into 512-bit blocks with proper SHA-256 padding.

    Parameters
    ----------
        msg : bytes
            The input message as a byte string.

    Yields
    ------
        bytes
            The padded message as a byte string, length is a multiple of 64 bytes (512 bits).
    
    Raises
    ------
        TypeError
            If the argument is not a byte string.
    """

    # Type check as before
    if not isinstance(msg, bytes):
        raise TypeError("Argument must be a byte string.")

    # Get the original message length in bits
    origin_bit_len = len(msg) * 8

    # Append the bit '1' to the message (0x80 = 10000000 in binary)
    # See: FIPS 180-4, Section 5.1.1, p.15
    # https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf
    msg += b'\x80'

    # Append '0' bits until message length ≡ 448 mod 512
    # This leaves exactly 64 bits (8 bytes) for the length field
    while (len(msg) % 64) != 56:  # 56 bytes = 448 bits
        msg += b'\x00'
        
    # Append the original message length as a 64-bit big-endian integer
    # See: FIPS 180-4, Section 5.1.1
    # https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf
    msg += origin_bit_len.to_bytes(8, byteorder='big')

    # Now msg length is a multiple of 512 bits (64 bytes)
    # Yield each 512-bit block
    for i in range(0, len(msg), 64):  # 64 bytes = 512 bits
        yield msg[i:i+64]


### Test Cases (Padding)  
- Correct padding for messages of various lengths (short messages, messages near block boundaries)
- Proper block size validation (all output blocks are exactly 64 bytes/512 bits)
- Type enforcement for non-bytes input and verification against known test vectors

In [22]:
def test_block_parse():
    # Test case 1: Empty message
    blocks = list(block_parse(b""))
    assert len(blocks) == 1
    assert len(blocks[0]) == 64  # One block of 512 bits
    assert blocks[0][-8:] == (0).to_bytes(8, byteorder='big')  # Length field is 0

    # Test case 2: Short message
    msg = b"abc"
    blocks = list(block_parse(msg))
    assert len(blocks) == 1
    assert len(blocks[0]) == 64
    expected_length = len(msg) * 8
    assert blocks[0][-8:] == expected_length.to_bytes(8, byteorder='big')

    # Test case 3: Message that requires multiple blocks
    msg = b"a" * 100  # 800 bits
    blocks = list(block_parse(msg))
    assert len(blocks) == 2
    assert all(len(block) == 64 for block in blocks)
    expected_length = len(msg) * 8
    assert blocks[-1][-8:] == expected_length.to_bytes(8, byteorder='big')

    # Test case 4: Type enforcement
    try:
        list(block_parse("not bytes"))  # Should raise TypeError
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for non-bytes input")

test_block_parse()
print("All test cases pass")

All test cases pass


## Problem 4 - Hashes

### Implementing Initial Hash Values - Helper Function

**Purpose:** SHA-256 requires eight initial hash values (H⁽⁰⁾) to begin the hashing process. These serve as the starting state before processing any message blocks. The `hash(current, block)` function needs an intial starting point when processing the first block of a message.

**What are initial hash values?** These are the starting constants used in the SHA-256 algorithm. Like the K constants from Problem 2, they are derived to provide assurance against intentional backdoors.

**Specification** (FIPS 180-4, Section 5.3.3, p.15):

The eight initial hash values are the first 32 bits of the fractional parts of the square roots of the first 8 prime numbers:
```
H⁽⁰⁾₀ = 0x6a09e667    (√2)
H⁽⁰⁾₁ = 0xbb67ae85    (√3)
H⁽⁰⁾₂ = 0x3c6ef372    (√5)
H⁽⁰⁾₃ = 0xa54ff53a    (√7)
H⁽⁰⁾₄ = 0x510e527f    (√11)
H⁽⁰⁾₅ = 0x9b05688c    (√13)
H⁽⁰⁾₆ = 0x1f83d9ab    (√17)
H⁽⁰⁾₇ = 0x5be0cd19    (√19)
```

**Why square roots?** Square roots are used for initial values while cube roots are used for round constants (K values from Problem 2). Both follow the same mathematical derivation principle to ensure the constants are verifiably random.

See: [FIPS 180-4, Section 5.3.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [23]:
def inital_hash_values() -> list[np.uint32]:
    """
    Return the initial hash values for SHA-256 as a list of 32-bit unsigned integers.

    Returns
    -------
        list[numpy.uint32]
            A list of the initial hash values for SHA-256.
    """

    # SHA-256 initial hash values
    # See: FIPS 180-4, Section 5.3.3, p.16
    # https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf
    H = [
        np.uint32(0x6a09e667),  # √2
        np.uint32(0xbb67ae85),  # √3
        np.uint32(0x3c6ef372),  # √5
        np.uint32(0xa54ff53a),  # √7
        np.uint32(0x510e527f),  # √11
        np.uint32(0x9b05688c),  # √13
        np.uint32(0x1f83d9ab),  # √17
        np.uint32(0x5be0cd19)   # √19
    ]
    
    return H

### Implementing Message Schedule - Helper Function

**Purpose:** The message schedule expands a single 512-bit message block into 64 32-bit words. These words are used in the 64 rounds of the compression function. This expansion creates additional diffusion, ensuring each bit of the original block influences the final hash.

**What is the message schedule?** Each 512-bit block is first split into 16 words (32 bits each). Then, 48 additional words are generated using a specific formula that combines previous words with the small sigma functions from Problem 1. This creates 64 words total for the 64 compression rounds.

**Specification** (FIPS 180-4, Section 6.2.2, p.22):

The message schedule process:
1. Split the 512-bit block into 16 words (W₀ through W₁₅)
2. For t = 16 to 63, calculate: Wₜ = σ₁(Wₜ₋₂) + Wₜ₋₇ + σ₀(Wₜ₋₁₅) + Wₜ₋₁₆

Where σ₀ and σ₁ are the small sigma functions implemented in Problem 1.

**Why expand to 64 words?** SHA-256 uses 64 rounds of compression. Each round needs a different word from the message schedule, ensuring the entire message block influences every step of the hash computation.

**Jargon explanation:**
- **Message schedule (W)**: Array of 64 32-bit words derived from one message block
- **Word**: A 32-bit value (4 bytes)
- **Big-endian**: Most significant byte first - used when splitting the block into words

See: [FIPS 180-4, Section 6.2.2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [24]:
def message_schedule(block: bytes) -> list[np.uint32]:
    """
    Create the message schedule for a 512-bit block in SHA-256.

    Parameters
    ----------
        block : bytes
            A 64-byte (512-bit) message block.

    Returns
    -------
        list[numpy.uint32]
            A list of 64 32-bit unsigned integers representing the message schedule.

    Raises
    ------
        TypeError
            If the argument is not a byte string.
        ValueError
            If the argument is not 64 bytes long.
    """

    # Type check as before
    if not isinstance(block, bytes):
        raise TypeError("Argument must be a byte string.")
    
    # Ensure block is exactly 64 bytes (512 bits)
    if len(block) != 64:
        raise ValueError("Block must be exactly 64 bytes (512 bits) long.")

    # Initialize the message schedule array with zeros
    W = [np.uint32(0)] * 64

    # First 16 words (W₀ to W₁₅) come directly from the block
    # Split the 512-bit block into 16 chunks of 32 bits (4 bytes each)
    # Use big-endian byte order as specified in FIPS 180-4
    for i in range(16):
        # Extract 4 bytes and convert to a 32-bit unsigned integer
        W[i] = np.uint32(int.from_bytes(block[i*4:(i+1)*4], byteorder='big'))

    # Remaining 48 words (W₁₆ to W₆₃) are calculated using the formula:
    # Wₜ = σ₁(Wₜ₋₂) + Wₜ₋₇ + σ₀(Wₜ₋₁₅) + Wₜ₋₁₆
    # See: FIPS 180-4, Section 6.2.2, step 1
    for i in range(16, 64):
        # Calculate W[i] using the small sigma functions from Problem 1
        W[i] = np.uint32(
            small_sigma_1(W[i - 2]) +
            W[i - 7] +
            small_sigma_0(W[i - 15]) +
            W[i - 16]
        )
        
    return W

### Implementing Compression Function - Helper Function

**Purpose:** The compression function is the core of SHA-256, performing 64 rounds of bitwise operations that mix the current hash state with the message schedule. This is where the actual hashing computation occurs, using all the logical functions from Problem 1.

**What is compression?** Each message block is "compressed" into the hash state through 64 rounds of operations. Each round takes the current working variables (a, b, c, d, e, f, g, h), applies several logical functions, mixes in one word from the message schedule and one K constant, and updates the variables. After 64 rounds, the result is added to the original hash values.

**Specification** (FIPS 180-4, Section 6.2.2, p.22-23):

The compression process:
1. Initialize working variables (a through h) with current hash values
2. For each round t = 0 to 63:
   - Calculate T₁ = h + Σ₁(e) + Ch(e,f,g) + Kₜ + Wₜ
   - Calculate T₂ = Σ₀(a) + Maj(a,b,c)
   - Update working variables by rotating them
3. Add compressed values to original hash values

**Functions used:**
- **Ch** and **Maj** - Logical functions from Problem 1
- **Σ₀** and **Σ₁** - Big Sigma functions from Problem 1
- **K constants** - Round constants from Problem 2
- **W** - Message schedule words from message_schedule() helper function

**Why 64 rounds?** Multiple rounds ensure thorough mixing and diffusion. Each bit of the input influences every bit of the output through the avalanche effect, making it computationally infeasible to reverse or find collisions.

**Jargon explanation:**
- **Working variables**: Temporary values (a-h) that hold intermediate state during compression
- **Round**: One iteration of the compression loop, processing one message schedule word
- **Compression**: Transforming message data into hash state through iterative operations

See: [FIPS 180-4, Section 6.2.2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [25]:
def compress(H: list[np.uint32], W: list[np.uint32]) -> list[np.uint32]:
    """
    SHA-256 compression function - performs 64 rounds of operations.
    
    Parameters
    ----------
    H : list[np.uint32]
        Current hash values (8 32-bit words).
    W : list[np.uint32]
        Message schedule (64 32-bit words from message_schedule()).
    
    Returns
    -------
    list[np.uint32]
        Updated hash values after compression (8 32-bit words).
    
    Raises
    ------
    TypeError
        If H or W are not lists.
    ValueError
        If H doesn't have 8 values or W doesn't have 64 values.
    """
    # Type checks
    if not isinstance(H, list) or not isinstance(W, list):
        raise TypeError("H and W must be lists.")
    
    # Length checks
    if len(H) != 8:
        raise ValueError("H must contain exactly 8 hash values.")
    if len(W) != 64:
        raise ValueError("W must contain exactly 64 words.")
    
    # K constants from Problem 2 (first 32 bits of fractional parts of cube roots)
    # See: FIPS 180-4, Section 4.2.2, page 11
    K = [
        np.uint32(0x428a2f98), np.uint32(0x71374491), np.uint32(0xb5c0fbcf), np.uint32(0xe9b5dba5),
        np.uint32(0x3956c25b), np.uint32(0x59f111f1), np.uint32(0x923f82a4), np.uint32(0xab1c5ed5),
        np.uint32(0xd807aa98), np.uint32(0x12835b01), np.uint32(0x243185be), np.uint32(0x550c7dc3),
        np.uint32(0x72be5d74), np.uint32(0x80deb1fe), np.uint32(0x9bdc06a7), np.uint32(0xc19bf174),
        np.uint32(0xe49b69c1), np.uint32(0xefbe4786), np.uint32(0x0fc19dc6), np.uint32(0x240ca1cc),
        np.uint32(0x2de92c6f), np.uint32(0x4a7484aa), np.uint32(0x5cb0a9dc), np.uint32(0x76f988da),
        np.uint32(0x983e5152), np.uint32(0xa831c66d), np.uint32(0xb00327c8), np.uint32(0xbf597fc7),
        np.uint32(0xc6e00bf3), np.uint32(0xd5a79147), np.uint32(0x06ca6351), np.uint32(0x14292967),
        np.uint32(0x27b70a85), np.uint32(0x2e1b2138), np.uint32(0x4d2c6dfc), np.uint32(0x53380d13),
        np.uint32(0x650a7354), np.uint32(0x766a0abb), np.uint32(0x81c2c92e), np.uint32(0x92722c85),
        np.uint32(0xa2bfe8a1), np.uint32(0xa81a664b), np.uint32(0xc24b8b70), np.uint32(0xc76c51a3),
        np.uint32(0xd192e819), np.uint32(0xd6990624), np.uint32(0xf40e3585), np.uint32(0x106aa070),
        np.uint32(0x19a4c116), np.uint32(0x1e376c08), np.uint32(0x2748774c), np.uint32(0x34b0bcb5),
        np.uint32(0x391c0cb3), np.uint32(0x4ed8aa4a), np.uint32(0x5b9cca4f), np.uint32(0x682e6ff3),
        np.uint32(0x748f82ee), np.uint32(0x78a5636f), np.uint32(0x84c87814), np.uint32(0x8cc70208),
        np.uint32(0x90befffa), np.uint32(0xa4506ceb), np.uint32(0xbef9a3f7), np.uint32(0xc67178f2)
    ]
    
    # Initialize working variables with current hash values
    # See: FIPS 180-4, Section 6.2.2, step 2
    a, b, c, d, e, f, g, h = H
    
    # Perform 64 rounds of compression
    # See: FIPS 180-4, Section 6.2.2, step 3
    for t in range(64):
        # Calculate T1 using h, big sigma 1, Ch function, K constant, and message word
        # T₁ = h + Σ₁(e) + Ch(e,f,g) + Kₜ + Wₜ
        T1 = np.uint32(h + big_sigma_1(e) + ch(e, f, g) + K[t] + W[t])
        
        # Calculate T2 using big sigma 0 and Maj function
        # T₂ = Σ₀(a) + Maj(a,b,c)
        T2 = np.uint32(big_sigma_0(a) + maj(a, b, c))
        
        # Update working variables (rotate down the chain)
        # See: FIPS 180-4, Section 6.2.2, step 3
        h = g
        g = f
        f = e
        e = np.uint32(d + T1)
        d = c
        c = b
        b = a
        a = np.uint32(T1 + T2)
    
    # Compute intermediate hash values by adding compressed values to original
    # See: FIPS 180-4, Section 6.2.2, step 4
    H_new = [
        np.uint32(H[0] + a),
        np.uint32(H[1] + b),
        np.uint32(H[2] + c),
        np.uint32(H[3] + d),
        np.uint32(H[4] + e),
        np.uint32(H[5] + f),
        np.uint32(H[6] + g),
        np.uint32(H[7] + h)
    ]
    
    return H_new

### Implementing The Hash Function

**Purpose:** The `hash(current, block)` function is the main SHA-256 computation function required for this Problem. It takes the current hash state and a message block, then returns the updated hash state after processing that block.

**What does this function do?** This function orchestrates the SHA-256 compression process:
1. Expands the 512-bit block into 64 words using the message schedule
2. Compresses those words into the current hash state using 64 rounds of operations
3. Returns the new hash state

This function is called once for each 512-bit block of the padded message.

**Specification** (FIPS 180-4, Section 6.2.2, p.22):

For each message block:
1. Prepare the message schedule (W)
2. Initialize working variables with current hash values
3. Perform 64 rounds of compression
4. Compute new hash values

**How it fits together:**
- **Input:** Current hash values (from `initial_hash()` or previous block) + one message block (from `block_parse()`)
- **Process:** Uses `message_schedule()` and `compress()` 
- **Output:** Updated hash values ready for next block

See: [FIPS 180-4, Section 6.2.2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [26]:
def hash(current: list[np.uint32], block: bytes) -> list[np.uint32]:
    """
    Perform one iteration of the SHA-256 hash function on a given block.

    Parameters
    ----------
        current : list[numpy.uint32]
            Current hash values (8 32-bit words).
        block : bytes
            A 64-byte (512-bit) message block.

    Returns
    -------
        list[numpy.uint32]
            Updated hash values after processing the block.

    Raises
    ------
        TypeError
            If current is not a list or block is not a byte string.
        ValueError
            If current doesn't have 8 values or block doesn't have 64 bytes.
    """

    # Type checks as before
    if not isinstance(current, list):
        raise TypeError("Current hash values must be provided as a list.")
    if not isinstance(block, bytes):
        raise TypeError("Block must be a byte string.")

    # Length checks as before
    if len(current) != 8:
        raise ValueError("Current hash values list must contain exactly 8 values.")
    if len(block) != 64:
        raise ValueError("Block must be exactly 64 bytes (512 bits) long.")

    # Create the message schedule from the block
    W = message_schedule(block)

    # Perform the compression function
    new_hash = compress(current, W)

    # Perform the compression function and return updated hash values
    return new_hash

### Test Cases (Hashes)

**Testing**:
- Correct implementation of initial hash values (8 values, proper constants)
- Valid message schedule expansion from 16 to 64 words
- Compression function correctness (produces different output, proper length)
- Complete hash function integration with type validation
- Type enforcement for invalid inputs (non-bytes, non-list, wrong lengths)
- Proper 32-bit unsigned integer handling with overflow suppression

Note: Tests use overflow suppression (`np.errstate(over='ignore')`) to handle expected 32-bit wraparound behavior in SHA-256 operations.

See: [FIPS 180-4, Section 6.2.2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)

In [27]:
def test_hash_components():
    # Test initial hash values
    initial_vals = inital_hash_values()
    assert len(initial_vals) == 8
    assert initial_vals[0] == np.uint32(0x6a09e667)
    assert initial_vals[1] == np.uint32(0xbb67ae85)
    
    # Test message schedule with empty block
    empty_block = b'\x00' * 64
    W = message_schedule(empty_block)
    assert len(W) == 64
    assert W[0] == np.uint32(0)  # First word should be 0
    
    # Test compression function
    H = inital_hash_values()
    W_test = [np.uint32(0)] * 64
    
    # Suppress overflow warnings for expected 32-bit wraparound behavior
    with np.errstate(over='ignore'):
        H_new = compress(H, W_test)
    
    assert len(H_new) == 8
    assert H_new != H  # Should be different after compression
    
    # Test complete hash function
    test_block = b'a' * 64  # 64 bytes of 'a'
    
    with np.errstate(over='ignore'):
        H_result = hash(H, test_block)
    
    assert len(H_result) == 8
    assert all(isinstance(val, np.uint32) for val in H_result)

def test_hash_type_errors():
    # Test message_schedule type errors
    try:
        message_schedule("not bytes")
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for non-bytes input")
    
    try:
        message_schedule(b'short')  # Wrong length
    except ValueError:
        pass
    else:
        raise AssertionError("Expected ValueError for wrong block length")
    
    # Test hash function type errors
    try:
        hash("not list", b'\x00' * 64)
    except TypeError:
        pass
    else:
        raise AssertionError("Expected TypeError for non-list current")

test_hash_components()
test_hash_type_errors()
print("All test cases pass")

All test cases pass


## Problem 5 - Passwords

### Problem 5: Password Analysis

The following SHA-256 hashes represent three common passwords that were hashed using a single pass of SHA-256 with UTF-8 encoding:

1. `5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8`
2. `873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34`
3. `b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342`

#### Cracking Methods

Several approaches exist for recovering passwords from hashes:

**Dictionary Attack:** Try hashing common passwords from a wordlist until a match is found. Fast but limited to passwords in the dictionary.

**Brute Force:** Try all possible character combinations. Exhaustive but extremely time-consuming for longer passwords.

**Rainbow Tables:** Pre-computed tables mapping common passwords to their hashes. Instant lookup but requires storage and only works for unsalted hashes.

#### Attack Used: Rainbow Table Lookup

The passwords were cracked using an online rainbow table service in under one minute:

1. `5e884898...` → **"password"**
2. `873ac9ff...` → **"cheese"**  
3. `b03ddf3c...` → **"P@ssw0rd"**

See: [CrackStation - Free Password Hash Cracker](https://crackstation.net/)

**Why this worked:** These are common passwords with no salt, hashed with a fast algorithm. Rainbow tables contain pre-computed hashes for millions of common passwords, making lookup instant.

#### Verification

The following code verifies these passwords using our SHA-256 implementation from Problems 1-4:

In [29]:
def sha256_complete(message: str) -> str:
    """
    Complete SHA-256 hash function using our implementations.
    
    Combines block_parse() from Problem 3, initial_hash() and hash()
    from Problem 4 to produce the final SHA-256 hash.
    
    Parameters
    ----------
    message : str
        The message to hash (will be UTF-8 encoded).
    
    Returns
    -------
    str
        The SHA-256 hash as a 64-character hexadecimal string.
    """
    # Encode the message as UTF-8 bytes
    msg_bytes = message.encode('utf-8')
    
    # Get initial hash values
    H = inital_hash_values()
    
    # Process each 512-bit block with overflow warning suppression
    with np.errstate(over='ignore'):
        for block in block_parse(msg_bytes):
            H = hash(H, block)
    
    # Convert final hash values to hexadecimal string
    # Each of the 8 hash values is formatted as 8 hex characters
    hex_hash = ''.join(format(h, '08x') for h in H)
    
    return hex_hash


# The cracked passwords
passwords = ["password", "cheese", "P@ssw0rd"]

# The original hashes from the problem
expected_hashes = [
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
    "873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34",
    "b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342"
]

# Verify each password
print("Verifying cracked passwords using our SHA-256 implementation:\n")
# Loop over each password and its expected hash using enumerate for indexing
for i, (pwd, expected) in enumerate(zip(passwords, expected_hashes), 1):
    # Hash the password using our implementation
    computed = sha256_complete(pwd)
    
    # Check if it matches
    match = computed == expected
    status = "✓ MATCH" if match else "✗ NO MATCH"
    
    print(f"Password {i}: '{pwd}'")
    print(f"  Expected:  {expected}")
    print(f"  Computed:  {computed}")
    print(f"  {status}\n")

print("All passwords verified successfully using our SHA-256 implementation!")

Verifying cracked passwords using our SHA-256 implementation:

Password 1: 'password'
  Expected:  5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
  Computed:  5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
  ✓ MATCH

Password 2: 'cheese'
  Expected:  873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34
  Computed:  873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34
  ✓ MATCH

Password 3: 'P@ssw0rd'
  Expected:  b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342
  Computed:  b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342
  ✓ MATCH

All passwords verified successfully using our SHA-256 implementation!


### Why This Attack Succeeded

The attack succeeded because of several fundamental weaknesses:

**1. Fast Hash Function:** SHA-256 is designed for speed, computing billions of hashes per second on modern hardware. This makes brute force and dictionary attacks feasible.

**2. No Salt:** All instances of the same password produce identical hashes. Rainbow tables exploit this by pre-computing hashes for common passwords once, then reusing them everywhere.

**3. Weak Passwords:** "password", "cheese", and "P@ssw0rd" are extremely common. Even with character substitution (@ for a, 0 for o), "P@ssw0rd" appears in standard password lists.

**4. Single Iteration:** One pass through SHA-256 takes microseconds. Proper password hashing uses thousands of iterations to slow down attackers.

### Recommended Improvements

**Use Password-Specific Hash Functions**

Modern password hashing uses specialized algorithms designed to be computationally expensive:

- **bcrypt**: Adjustable work factor, widely supported
- **Argon2**: Winner of Password Hashing Competition, resistant to GPU attacks
- **PBKDF2**: NIST-approved, configurable iteration count

These algorithms are intentionally slow to make brute force attacks impractical while remaining fast enough for legitimate authentication.

**Add Salting**

A salt is random data unique to each password, appended before hashing:
```
hash(password + salt)
```

**Why salting helps:**
- Different salts produce different hashes even for identical passwords
- Rainbow tables become useless (would need separate tables for each salt)
- Attackers must attack each password individually
- Salts don't need to be secret, just unique

**Use Iteration (Key Stretching)**

Apply the hash function thousands of times:
```
hash = password
for i in 1 to 10000:
    hash = SHA-256(hash)
```

This makes each hash attempt much slower for attackers while only adding a few ms to legitimate authentication.

**Example: Proper Password Storage**
```python
# BAD - What this problem demonstrates
hash = SHA-256(password)

# GOOD - Modern approach (pseudocode)
salt = random_bytes(16)
hash = Argon2(password, salt, iterations=3, memory=64MB)
store(username, salt, hash)
```

**Why SHA-256 Alone Is Inappropriate for Passwords:**

- Too fast (good for data integrity, bad for passwords)
- No built-in salting
- No iteration count
- Same password always produces same hash
- Good for: File checksums, digital signatures, blockchains
- Bad for: Password storage

**Jargon explanation:**
- **Key derivation function (KDF)**: Algorithm that derives cryptographic keys from passwords, designed to be slow
- **Work factor**: Configurable parameter controlling computational cost
- **GPU resistance**: Design features that prevent efficient parallel attacks using graphics cards

### Real-World Impact

The weaknesses demonstrated here have led to massive data breaches. When companies store passwords with unsalted SHA-256, leaked databases can be cracked in hours. Modern password hashing has become a critical security requirement, not an optional enhancement.

See: [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)

## Conclusion

## End