Parity Function
The parity function (Parity(x, y, z)) computes the XOR of all three inputs. In cryptographic terms:

It returns 1 when an odd number of input bits are 1

It returns 0 when an even number of input bits are 1

According to FIPS PUB 180-4 page 15, section 4.1.1(see page 10 of the refrenced document), this function is used in SHA-1 during rounds 20-39 and 60-79.  https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf


Simple Example (using 4 bits):
x = 1100
y = 1010
z = 0110

Position 3: 1⊕1⊕0 = 0 (two 1s = even)
Position 2: 1⊕0⊕1 = 0 (two 1s = even)
Position 1: 0⊕1⊕1 = 0 (two 1s = even)
Position 0: 0⊕0⊕0 = 0 (zero 1s = even)

Result: 0000

Where its used:

SHA-1 uses Parity during rounds 20-39 and 60-79 (FIPS 180-4, Section 4.1.1, page 10).
Key Properties

Order doesn't matter: Parity(x, y, z) = Parity(z, x, y)
Self-canceling: x ⊕ x = 0
Identity with zero: x ⊕ 0 = x

In [None]:
import numpy as np
import hashlib  

In [None]:

def parity(x, y, z):
    """    
    The parity function returns the XOR of all three inputs.
    For each bit position, it returns 1 when an odd number of inputs are 1,
    and 0 when an even number of inputs are 1.
    
    This function is used in SHA-1 during specific rounds of the hash computation.
    
    Parameters:
    x, y, z : int or numpy.uint32
        Three 32-bit integers
        
    Returns:
    numpy.uint32
        The result of x ⊕ y ⊕ z as a 32-bit unsigned integer

Formula: Parity(x, y, z) = x ⊕ y ⊕ z
    
    Parameters:
    x, y, z : int or numpy.uint32
        Three 32-bit integers
        
    Returns:
    numpy.uint32
        The result of x ⊕ y ⊕ z as a 32-bit unsigned integer
        
    Reference:
    FIPS PUB 180-4, Section 4.1.1, page 10
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf


    """
    # Convert inputs to 32-bit unsigned integers
    x_32 = np.uint32(x)
    y_32 = np.uint32(y)
    z_32 = np.uint32(z)
    
     # Perform XOR operation
    result = x_32 ^ y_32 ^ z_32
    
    return result

In [None]:
# Test 1: All zeros
print("\nTest 1: All zeros")
result = parity(0x00000000, 0x00000000, 0x00000000)
print(f"parity(0x00000000, 0x00000000, 0x00000000)")
print(f"Result:   0x{result:08X}")
print(f"Expected: 0x00000000")
print(f" PASS" if result == 0x00000000 else "FAIL")

In [None]:
# Test 2: All ones
print("\nTest 2: All ones")
result = parity(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
print(f"parity(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)")
print(f"Result:   0x{result:08X}")
print(f"Expected: 0xFFFFFFFF")
print(f"PASS" if result == 0xFFFFFFFF else "FAIL")


In [None]:
# Test 3: Identity property verification
print("\nTest 3: Identity (x ⊕ 0 ⊕ 0 = x)")
test_val = 0xABCD1234
result = parity(test_val, 0x00000000, 0x00000000)
print(f"Result: 0x{result:08X}, Expected: 0x{test_val:08X}")
print(f"PASS" if result == test_val else "FAIL")

In [None]:
# Test 4: Mixed values
print("\nTest 4: Mixed realistic values")
result = parity(0x12345678, 0x9ABCDEF0, 0xFEDCBA98)
print(f"Result: 0x{result:08X}")
print("successfull")

2. Ch(x, y, z) - Choice Function

What it does:
Ch stands for "Choose". The first input (x) acts like a selector switch that picks between the other two inputs (y and z).

How it works:

Formula: Ch(x, y, z) = (x ∧ y) ⊕ (¬x ∧ z)

Think of it like this:

When a bit in x is 1 -> choose the bit from y
When a bit in x is 0 -> choose the bit from z

Simple Example (using 4 bits):
x = 1100  (selector)
y = 1010  (choice 1)
z = 0101  (choice 2)

Position 3: x=1 -> pick from y -> 1
Position 2: x=1 -> pick from y -> 0
Position 1: x=0 -> pick from z -> 0
Position 0: x=0 -> pick from z -> 1

Result: 1001.

Where its used:
Used in SHA-1, SHA-256, and all SHA-2 variants during hash computation (FIPS 180-4, Section 4.1.2, Equation 4.2, page 10).https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

Real-World Analogy
Imagine x as a TV remote control:

When button is ON (1) → you see channel y
When button is OFF (0) → you see channel z

In [None]:
def Ch(x, y, z):
    """    
    The Choice function selects bits from y or z based on the corresponding
    bit in x. When a bit in x is 1, the corresponding bit from y is chosen.
    When a bit in x is 0, the corresponding bit from z is chosen.
    
    This function is used in SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, 
    SHA-512/224, and SHA-512/256 hash computations.
    
    Formula: Ch(x, y, z) = (x ∧ y) ⊕ (¬x ∧ z)
    
    Parameters:
    x : int or numpy.uint32
        Selector word (32-bit)
    y : int or numpy.uint32
        First choice word (32-bit)
    z : int or numpy.uint32
        Second choice word (32-bit)
    
    Returns:
    numpy.uint32
        Result of the choice operation as a 32-bit unsigned integer
    
    Reference:
    FIPS PUB 180-4, Section 4.1.2, Equation 4.2, page 15
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    # Convert inputs to 32-bit unsigned integers
    x_32 = np.uint32(x)
    y_32 = np.uint32(y)
    z_32 = np.uint32(z)
    
    # Compute (x AND y) - selects bits from y where x has 1s
    x_and_y = x_32 & y_32
    
    # Compute NOT x - flips all bits in x
    not_x = ~x_32
    
    # Compute (NOT x) AND z - selects bits from z where x has 0s
    not_x_and_z = not_x & z_32
    
    # XOR the two parts together
    result = x_and_y ^ not_x_and_z
    
    return result

In [None]:
# Test 1: All x bits are 1 (should return y)
print("\nTest 1: When x = all 1s, should return y")
result = Ch(0xFFFFFFFF, 0xAAAAAAAA, 0x55555555)
print(f"Ch(0xFFFFFFFF, 0xAAAAAAAA, 0x55555555)")
print(f"Result:   0x{result:08X}")
print(f"Expected: 0xAAAAAAAA (all bits from y)")
print(f"PASS" if result == 0xAAAAAAAA else "FAIL")

In [None]:
# Test 2: All x bits are 0 (should return z)
print("\nTest 2: When x = all 0s, should return z")
result = Ch(0x00000000, 0xAAAAAAAA, 0x55555555)
print(f"Ch(0x00000000, 0xAAAAAAAA, 0x55555555)")
print(f"Result:   0x{result:08X}")
print(f"Expected: 0x55555555 (all bits from z)")
print(f"PASS" if result == 0x55555555 else "FAIL")

In [None]:
# Test 3: Alternating pattern
print("\nTest 3: Alternating x pattern")
result = Ch(0xAAAAAAAA, 0xFFFFFFFF, 0x00000000)
print(f"Ch(0xAAAAAAAA, 0xFFFFFFFF, 0x00000000)")
print(f"Result:   0x{result:08X}")
print(f"Expected: 0xAAAAAAAA (alternating 1s from y, 0s from z)")
print(f"PASS" if result == 0xAAAAAAAA else "FAIL")

In [None]:
# Test 4: Simple 4-bit example from explanation
print("\nTest 4: Verify 4-bit example (x=1100, y=1010, z=0101)")
x = 0b11000000000000000000000000000000
y = 0b10100000000000000000000000000000
z = 0b01010000000000000000000000000000
result = Ch(x, y, z)
expected = 0b10010000000000000000000000000000
print(f"x = {x >> 28:04b}... (showing top 4 bits)")
print(f"y = {y >> 28:04b}...")
print(f"z = {z >> 28:04b}...")
print(f"Result = {result >> 28:04b}... (expected 1001)")
print(f"PASS" if result == expected else "FAIL")

Conclusion

The Ch function implementation correctly follows the FIPS 180-4 specification and has been thoroughly tested. The function demonstrates proper use of NumPy's uint32 type for 32-bit arithmetic and comprehensive testing covering edge cases and typical usage scenarios. This implementation is ready for use as a component in SHA hash algorithm implementations.

References

Primary source: FIPS PUB 180-4 - Secure Hash Standard (SHS), National Institute of Standards and Technology.

Section 4.1.1: SHA-1 Functions (page 15)
Section 4.1.2: SHA-224 and SHA-256 Functions (page 10, Equation 4.2)
Section 4.1.3: SHA-384, SHA-512, SHA-512/224 and SHA-512/256 Functions (page 11, Equation 4.8)

Maj (Majority) Function
Definition
According to FIPS PUB 180-4, Section 4.1.2 (page 15, Equation 4.3), the Majority function is:
Maj(x, y, z) = (x ∧ y) ⊕ (x ∧ z) ⊕ (y ∧ z)
Where:

∧ = bitwise AND
⊕ = bitwise XOR

Purpose:

The Maj function returns 1 at each bit position where at least two of the three inputs are 1. It implements a bitwise "majority vote" the result is 1 when 2 or more inputs are 1.


How it works:
For each bit position, count how many of x, y, z are 1:

0 or 1 ones -> output is 0
2 or 3 ones -> output is 1 (majority wins)

Example:
x = 1100
y = 1010  
z = 0110

Position by position:
Bit 3: 1,1,0 -> two 1s -> result = 1
Bit 2: 1,0,1 -> two 1s -> result = 1
Bit 1: 0,1,1 -> two 1s -> result = 1
Bit 0: 0,0,0 -> zero 1s -> result = 0

Result: 1110.

In [None]:
def Maj(x, y, z):
    """    
    Returns 1 at each bit position where at least two of the three 
    input bits are 1. Implements a bitwise majority vote.
    
    Formula: Maj(x, y, z) = (x ∧ y) ⊕  (x ∧ z) ⊕  (y ∧ z)
    
    Parameters
    x, y, z : int or numpy.uint32
        Three 32-bit words
    
    Returns
    numpy.uint32
        Result where each bit is the majority of the corresponding
        input bits
    
    Reference
    FIPS PUB 180-4, Section 4.1.2, Equation 4.3, page 10 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    # Convert to 32-bit unsigned integers
    x_32 = np.uint32(x)
    y_32 = np.uint32(y)
    z_32 = np.uint32(z)
    
    # Compute the three AND operations
    x_and_y = x_32 & y_32  # 1 where both x and y are 1
    x_and_z = x_32 & z_32  # 1 where both x and z are 1
    y_and_z = y_32 & z_32  # 1 where both y and z are 1
    
    # XOR all three parts result is 1 when 2 or more inputs are 1
    result = x_and_y ^ x_and_z ^ y_and_z
    
    return result

In [None]:
# Test 1: All zeros
print("\nTest 1: All zeros (no majority)")
result = Maj(0x00000000, 0x00000000, 0x00000000)
print(f"Maj(0x00000000, 0x00000000, 0x00000000) = 0x{result:08X}")
print(f"Expected: 0x00000000 | {'PASS' if result == 0x00000000 else 'FAIL'}")

In [None]:
# Test 2: All ones
print("\nTest 2: All ones (majority everywhere)")
result = Maj(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
print(f"Maj(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF) = 0x{result:08X}")
print(f"Expected: 0xFFFFFFFF | {'PASS' if result == 0xFFFFFFFF else 'FAIL'}")


In [None]:
# Test 3: Two inputs all 1s, one all 0s (majority is 1s)
print("\nTest 3: Two all-1s, one all-0s (majority wins)")
result = Maj(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000)
print(f"Maj(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000) = 0x{result:08X}")
print(f"Expected: 0xFFFFFFFF | {'PASS' if result == 0xFFFFFFFF else 'FAIL'}")

In [None]:
# Test 4: Two inputs all 0s, one all 1s (majority is 0s)
print("\nTest 4: Two all-0s, one all-1s (majority wins)")
result = Maj(0x00000000, 0x00000000, 0xFFFFFFFF)
print(f"Maj(0x00000000, 0x00000000, 0xFFFFFFFF) = 0x{result:08X}")
print(f"Expected: 0x00000000 | {'PASS' if result == 0x00000000 else 'FAIL'}")


In [None]:
# Test 5: Verify 4-bit example
print("\nTest 5: 4-bit example (x=1100, y=1010, z=0110 -> 1110)")
x = 0b11000000000000000000000000000000
y = 0b10100000000000000000000000000000
z = 0b01100000000000000000000000000000
result = Maj(x, y, z)
expected = 0b11100000000000000000000000000000
print(f"Top 4 bits: {result >> 28:04b}, Expected: 1110")
print(f"{'PASS' if result == expected else 'FAIL'}")

4. Σ₀²⁵⁶(x) - Sigma0 Function


What it does:

Sigma0 scrambles a 32-bit word by rotating it three different ways and mixing the results. It creates confusion (making patterns hard to trace) in SHA-256.


How it works:

Formula: Σ₀²⁵⁶(x) = ROTR²(x) ⊕ ROTR¹³(x) ⊕ ROTR²²(x)

Step by step:

Rotate x right by 2 positions (bits wrap around)
Rotate x right by 13 positions
Rotate x right by 22 positions
XOR all three results together

What is ROTR?

Rotate Right means bits that fall off the right end wrap back to the left:
Original: 11010000
ROTR 2:   00110100 (last 2 bits wrap to front)

Where It's Used:

Used in SHA-256's round function to transform working variable 'a' (FIPS 180-4, Section 4.1.2, Equation 4.4, page 10).
Why These Numbers? (2, 13, 22)
The numbers 2, 13, and 22 were carefully chosen by cryptographers to:

Spread changes across all 32 bits quickly
Make patterns in the input disappear in the output
Provide strong security against attacks

Real World Analogy
Imagine shuffling a deck of cards three different ways, then mixing them together - the original order becomes very hard to trace back.

In [None]:
def ROTR(n, x):
    """
    Rotate Right - circular right shift operation.
    
    ROTR^n(x) = (x >> n) | (x << (32 - n))
    
    Reference: FIPS PUB 180-4, Section 3.2, page 9
    """
    x_32 = np.uint32(x)
    return (x_32 >> n) | (x_32 << (32 - n))

def Sigma0(x):
    """
    Σ₀256(x) function for SHA-256.
    
    Σ₀256(x) = ROTR²(x) ⊕ ROTR¹³(x) ⊕ ROTR²²(x)
    
    Used in SHA-256 hash computation (Section 6.2.2, Step 3).
    
    Parameters
    x : int or numpy.uint32
        32-bit input word
    
    Returns
    -------
    numpy.uint32
        Result of Sigma0 transformation
    
    Reference
    FIPS PUB 180-4, Section 4.1.2, Equation 4.4, page 10
    https://doi.org/10.6028/NIST.FIPS.180-4
    """
    x_32 = np.uint32(x)
    
    # Three rotations: 2, 13, and 22 positions
    return ROTR(2, x_32) ^ ROTR(13, x_32) ^ ROTR(22, x_32)

In [None]:
# Test 1: With SHA-256 initial hash value H₀
print("\nTest 1: Using SHA-256 initial hash value H₀")
x = 0x6a09e667 
result = Sigma0(x)
print(f"Σ₀256(0x{x:08X}) = 0x{result:08X}")

In [None]:
# Test 2: All zeros
print("\nTest 2: All zeros")
result = Sigma0(0x00000000)
print(f"Σ₀256(0x00000000) = 0x{result:08X}")
print(f"Expected: 0x00000000 | {'PASS' if result == 0 else 'FAIL'}")

In [None]:
# Test 3: All ones  
print("\nTest 3: All ones")
result = Sigma0(0xFFFFFFFF)
print(f"Σ₀256(0xFFFFFFFF) = 0x{result:08X}")
print(f"Expected: 0xFFFFFFFF | {'PASS' if result == 0xFFFFFFFF else 'FAIL'}")

In [None]:
# Test 4: Step by step verification
print("\nTest 4: Step by step breakdown")
x = 0x12345678
print(f"Input x = 0x{x:08X}")
r2 = ROTR(2, x)
r13 = ROTR(13, x)
r22 = ROTR(22, x)
print(f"  ROTR²(x)  = 0x{r2:08X}")
print(f"  ROTR¹³(x) = 0x{r13:08X}")  
print(f"  ROTR²²(x) = 0x{r22:08X}")
result = r2 ^ r13 ^ r22
print(f"  Result    = 0x{result:08X}")
sigma_result = Sigma0(x)
print(f"  Sigma0(x) = 0x{sigma_result:08X}")
print(f"{'PASS' if result == sigma_result else 'FAIL'}")


Conclusion

The Sigma0 function has been successfully implemented according to FIPS PUB 180-4 specifications. It combines three right rotations (by 2, 13, and 22 positions) using XOR to provide non-linearity in SHA-256's compression function. All tests pass, confirming the implementation correctly follows the standard. This function, along with the ROTR helper, forms an essential component of the SHA-256 hash algorithm.


5. Σ₁²⁵⁶(x) - Sigma1 Function

What it does:

Sigma1 is like Sigma0's partner - it also scrambles a 32-bit word by rotating it three different ways and XORing them together. While Σ₀ works on variable 'a' in SHA-256, Σ₁ works on variable 'e'.


How it works:
Formula: Σ₁²⁵⁶(x) = ROTR⁶(x) ⊕ ROTR¹¹(x) ⊕ ROTR²⁵(x)
Step-by-step:

Rotate x right by 6 positions (bits wrap around)
Rotate x right by 11 positions
Rotate x right by 25 positions
XOR all three results together

Simple Example (using 8 bits for clarity):
Original x:  10110100
ROTR 6:      01101011 (6 bits wrap)
ROTR 11→3:   10010110 (wraps around in 8-bit)
ROTR 25→1:   01011010 (wraps around in 8-bit)
XOR all:     Result
The actual function uses 32 bits for stronger scrambling.

Where its Used:

Used in SHA-256's round function to calculate T₁, which updates the working variables during each of the 64 rounds (FIPS 180-4, Section 4.1.2, Equation 4.5, page 10).
Why Different from Σ₀?

Σ₀ rotates by: 2, 13, 22
Σ₁ rotates by: 6, 11, 25

Different rotation amounts mean Σ₀ and Σ₁ scramble bits differently, providing stronger security when used together.

Real World Analogy:

If Σ₀ is shuffling a deck by cutting it at positions 2, 13, and 22, then Σ₁ is shuffling by cutting at positions 6, 11, and 25. Using both makes the shuffle much harder to reverse.

In [None]:
def Sigma1(x):
    """
    Σ₁²⁵⁶(x) function for SHA-256.
    
    Σ₁²⁵⁶(x) = ROTR⁶(x) ⊕ ROTR¹¹(x) ⊕ ROTR²⁵(x)
    
    Used in SHA-256 hash computation (Section 6.2.2, Step 3).
    Operates on working variable 'e' to compute T₁.
    
    Parameters
    
    x : int or numpy.uint32
        32-bit input word
    
    Returns
    
    numpy.uint32
        Result of Sigma1 transformation
    
    Reference
    
    FIPS PUB 180-4, Section 4.1.2, Equation 4.5, page 10
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    x_32 = np.uint32(x)
    
    # Three rotations: 6, 11, and 25 positions
    return ROTR(6, x_32) ^ ROTR(11, x_32) ^ ROTR(25, x_32)

In [None]:
# Test 1: All zeros
print("\nTest 1: All zeros")
result = Sigma1(0x00000000)
print(f"Σ₁²⁵⁶(0x00000000) = 0x{result:08X}")
print(f"Expected: 0x00000000 | {'PASS' if result == 0 else 'FAIL'}")

In [None]:
# Test 2: All ones
print("\nTest 2: All ones")
result = Sigma1(0xFFFFFFFF)
print(f"Σ₁²⁵⁶(0xFFFFFFFF) = 0x{result:08X}")
print(f"Expected: 0xFFFFFFFF | {'PASS' if result == 0xFFFFFFFF else 'FAIL'}")

In [None]:
# Test 3: Using SHA-256 initial hash value H₄
print("\nTest 3: Using SHA-256 initial hash value H₄")
x = 0x510e527f
result = Sigma1(x)
print(f"Σ₁²⁵⁶(0x{x:08X}) = 0x{result:08X}")

In [None]:
# Test 4: Step-by-step verification
print("\nTest 4: Step-by-step breakdown")
x = 0xABCDEF01
print(f"Input x = 0x{x:08X}")
r6 = ROTR(6, x)
r11 = ROTR(11, x)
r25 = ROTR(25, x)
print(f"  ROTR⁶(x)  = 0x{r6:08X}")
print(f"  ROTR¹¹(x) = 0x{r11:08X}")
print(f"  ROTR²⁵(x) = 0x{r25:08X}")
result = r6 ^ r11 ^ r25
print(f"  Result    = 0x{result:08X}")
sigma_result = Sigma1(x)
print(f"  Sigma1(x) = 0x{sigma_result:08X}")
print(f"{'PASS' if result == sigma_result else 'FAIL'}")

6. σ₀²⁵⁶(x) - sigma0 Function (lowercase)

What It Does:

sigma0 (lowercase) scrambles a 32-bit word using both rotations and shifts. Unlike the uppercase Σ₀ which only rotates, σ₀ uses a regular shift (SHR) that loses bits instead of wrapping them.
How It Works
Formula: σ₀²⁵⁶(x) = ROTR⁷(x) ⊕ ROTR¹⁸(x) ⊕ SHR³(x)

Step-by-step:

Rotate x right by 7 positions (bits wrap around - ROTR)
Rotate x right by 18 positions (bits wrap around - ROTR)
Shift x right by 3 positions (bits are lost - SHR)
XOR all three results together

Whats the Difference: ROTR vs SHR?

ROTR (Rotate Right) : Circular, bits wrap around:
Original: 11010000
ROTR 2:   00110100 (last 2 bits wrap to front)

SHR (Shift Right) : Bits fall off and zeros fill in:
Original: 11010000
SHR 2:    00110100 (last 2 bits are lost, zeros fill left)

Where its Used
Used in SHA-256's message schedule to expand 16 words into 64 words during preprocessing (FIPS 180-4, Section 4.1.2, Equation 4.6, page 10).

In [None]:
def SHR(n, x):
    """
    Shift Right: logical right shift operation.
    
    Shifts the bits of x right by n positions. Bits that fall off 
    the right end are lost. Zeros fill in from the left.
    
    Formula: SHR^n(x) = x >> n
    
    Parameters
    n : int
        Number of positions to shift (0 ≤ n <32)
    x : int or numpy.uint32
        32-bit word to shift
    
    Returns
    
    numpy.uint32
        Result of shifting x right by n positions
    
    Reference
    FIPS PUB 180-4, Section 3.2, page 9 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    x_32 = np.uint32(x)
    
    # Shift right: bits fall off the right, zeros fill from left
    result = x_32 >> n
    
    return result

In [None]:
def sigma0(x):
    """
    σ₀²⁵⁶(x) function for SHA-256 lowercase sigma0.
    
    σ₀²⁵⁶(x) = ROTR⁷(x) ⊕ ROTR¹⁸(x) ⊕ SHR³(x)
    
    Used in SHA-256 message schedule expansion (Section 6.2.2, Step 1).
    
    Parameters
    x : int or numpy.uint32
        32-bit input word
    
    Returns
    numpy.uint32
        Result of sigma0 transformation
    
    Reference
    FIPS PUB 180-4, Section 4.1.2, Equation 4.6, page 10
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    x_32 = np.uint32(x)
    
    # Two rotations and one shift
    return ROTR(7, x_32) ^ ROTR(18, x_32) ^ SHR(3, x_32)

In [None]:
# Test 1: All zeros
print("\nTest 1: All zeros")
result = sigma0(0x00000000)
print(f"σ₀²⁵⁶(0x00000000) = 0x{result:08X}")
print(f"Expected: 0x00000000 | {'Y PASS' if result == 0 else 'N FAIL'}")

In [None]:
# Test 2: All ones
print("\nTest 2: All ones")
result = sigma0(0xFFFFFFFF)
print(f"σ₀²⁵⁶(0xFFFFFFFF) = 0x{result:08X}")
# with all 1s, ROTR keeps all 1s SHR loses 3 bits
# result wont be all 1s due to SHR

In [None]:
# Test 3: Simple pattern
print("\nTest 3: Simple pattern (0x80000000)")
x = 0x80000000  # 1 followed by 31 zeros
result = sigma0(x)
print(f"σ₀²⁵⁶(0x{x:08X}) = 0x{result:08X}")

In [None]:
# Test 4: Step-by-step breakdown
print("\nTest 4: Step-by-step verification")
x = 0x12345678
print(f"Input x = 0x{x:08X}")
r7 = ROTR(7, x)
r18 = ROTR(18, x)
s3 = SHR(3, x)
print(f"  ROTR⁷(x)  = 0x{r7:08X}")
print(f"  ROTR¹⁸(x) = 0x{r18:08X}")
print(f"  SHR³(x)   = 0x{s3:08X} (notice: zeros on left)")
result = r7 ^ r18 ^s3
print(f"  Result    = 0x{result:08X}")
sigma_result = sigma0(x)
print(f"  sigma0(x) = 0x{sigma_result:08X}")
print(f"{'PASS' if result == sigma_result else 'FAIL'}")

7. σ₁²⁵⁶(x) - sigma1 Function -lowercase

What It Does
sigma1 (lowercase) is the partner to sigma0. Like sigma0, it uses both rotations and shifts to scramble a 32-bit word. Its used in the same message schedule expansion but with different rotation/shift amounts.

How It Works
Formula: σ₁²⁵⁶(x) = ROTR¹⁷(x) ⊕ ROTR¹⁹(x) ⊕ SHR¹⁰(x)
Step-by-step:

Rotate x right by 17 positions (bits wrap around - ROTR)
Rotate x right by 19 positions (bits wrap around - ROTR)
Shift x right by 10 positions (bits are lost - SHR)
XOR all three results together

Where It's Used
Used in SHA-256's message schedule alongside σ₀ to expand the initial 16 words into 64 words (FIPS 180-4, Section 4.1.2  Equation 4.7 page 10).
According to Section 6.2.2, the message schedule uses:

σ₀ for earlier words in the expansion
σ₁ for later words in the expansion

In [None]:
def sigma1(x):
    """
    σ₁²⁵⁶(x) function for SHA-256 = lowercase sigma1.
    
    σ₁²⁵⁶(x) = ROTR¹⁷(x) ⊕ ROTR¹⁹(x) ⊕ SHR¹⁰(x)
    
    Used in SHA-256 message schedule expansion (Section 6.2.2, Step 1).
    
    Parameters
    x : int or numpy.uint32
        32-bit input word
    
    Returns
    numpy.uint32
        Result of sigma1 transformation
    
    Reference
    FIPS PUB 180-4, Section 4.1.2, Equation 4.7, page 10
  https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    x_32 = np.uint32(x)
    
    # Two rotations and one shift
    return ROTR(17, x_32) ^ ROTR(19, x_32) ^ SHR(10, x_32)

In [None]:
# Test 1: All zeros
print("\nTest 1: All zeros")
result = sigma1(0x00000000)
print(f"σ₁²⁵⁶(0x00000000) = 0x{result:08X}")
print(f"Expected: 0x00000000 | {'PASS' if result == 0 else 'FAIL'}")

In [None]:
# Test 2: All ones
print("\nTest 2: All ones")
result = sigma1(0xFFFFFFFF)
print(f"σ₁²⁵⁶(0xFFFFFFFF) = 0x{result:08X}")
# With all 1s, ROTR keeps all 1s, SHR loses 10 bits
print("(Result differs from input due to SHR losing bits)")

In [None]:
# Test 3: Simple pattern
print("\nTest 3: Pattern (0xAAAAAAAA)")
x = 0xAAAAAAAA  # Alternating bits
result = sigma1(x)
print(f"σ₁²⁵⁶(0x{x:08X}) = 0x{result:08X}")

In [None]:
# Test 4: Step-by-step breakdown
print("\nTest 4: Step-by-step verification")
x = 0x9ABCDEF0
print(f"Input x = 0x{x:08X}")
r17 = ROTR(17, x)
r19 = ROTR(19, x)
s10 = SHR(10, x)
print(f"  ROTR¹⁷(x) = 0x{r17:08X}")
print(f"  ROTR¹⁹(x) = 0x{r19:08X}")
print(f"  SHR¹⁰(x)  = 0x{s10:08X} (10 zeros on left)")
result = r17 ^ r19 ^ s10
print(f"  Result    = 0x{result:08X}")
sigma_result = sigma1(x)
print(f"  sigma1(x) = 0x{sigma_result:08X}")
print(f"{'PASS' if result == sigma_result else 'FAIL'}")

Problem 2:

SHA-256 uses 64 constant values in its hash computation. These are not arbitrary, they come from the fractional parts of cube roots of the first 64 prime numbers. 

This ensures the constants have no hidden structure that could weaken the algorithm.

Reference
FIPS PUB 180-4, Section 4.2.2 (page 11): SHA-224 and SHA-256 Constants. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

"These words represent the first thirty-two bits of the fractional parts of the cube roots of the first sixty-four prime numbers"

In [None]:
def primes(n):
    """
    Generate the first n prime numbers.
    
    Uses a simple trial division algorithm to find primes.
    
    Parameters
    n : int
        Number of prime numbers to generate
    
    Returns
    list
        List of the first n prime numbers.
    
    Example:
    >>> primes(10)
    [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]
    """
    if n <= 0:
        return []
    
    prime_list = []
    candidate = 2  # first prime number.
    
    while len(prime_list) < n:
        is_prime = True
        
        # Check if candidate is divisible by any existing prime.
        for p in prime_list:
            # only need to check up to sqrt(candidate).
            if p * p > candidate:
                break
            if candidate % p == 0:
                is_prime = False
                break
        
        # If no divisors found, its prime
        if is_prime:
            prime_list.append(candidate)
        
        candidate += 1
    
    return prime_list

In [None]:
# Test 1: First 10 primes
print("\nTest 1: First 10 prime numbers")
first_10 = primes(10)
expected = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]
print(f"Result:   {first_10}")
print(f"Expected: {expected}")
print(f"{'PASS' if first_10 == expected else 'FAIL'}")

In [None]:
# Test 2: First 64 primes (we need these for SHA-256)
print("\nTest 2: First 64 primes")
first_64 = primes(64)
print(f"First prime: {first_64[0]}")
print(f"64th prime: {first_64[63]}")
print(f"Expected 64th prime: 311")
print(f"{'PASS' if first_64[63] == 311 else 'FAIL'}")

In [None]:
# Display first 16 for verification
print(f"\nFirst 16 primes: {first_64[:16]}")

In [None]:
def cube_roots_of_primes(n):
    """
    Calculate the cube roots of the first n prime numbers.
    
    Parameters
    n : int
        Number of primes to process
    
    Returns
    numpy.ndarray
        Array of cube roots as floating-point numbers
    
    Example:
    cube_roots_of_primes(3)
    array([1.25992105, 1.44224957, 1.70997595])
    """
    # Get first n primes
    prime_list = primes(n)
    
    # Calculate cube root of each prime
    # cube root of x = x^(1/3)
    cube_roots = np.array([p ** (1/3) for p in prime_list])
    
    return cube_roots

In [None]:
# Calculate cube roots of first 64 primes
cube_roots = cube_roots_of_primes(64)

print(f"\nFirst 5 cube roots:")
for i in range(5):
    prime = primes(64)[i]
    cbrt = cube_roots[i]
    print(f"  {prime:3d} = {cbrt:.10f}")

In [None]:
def fractional_part_to_hex(cube_root):
    """
    Extract the first 32 bits of the fractional part of a number.
    
    The fractional part is the decimal portion after the decimal point.
    We multiply by 2^32 to shift the first 32 bits into the integer part,
    then take only the integer portion.
    
    Parameters
    cube_root : float
        A floating-point number (e.g., cube root of a prime)
    
    Returns
    numpy.uint32
        First 32 bits of the fractional part as an unsigned 32-bit integer
    
    Example
    fractional_part_to_hex(1.25992105)  
    # Cube root of 2
    numpy.uint32(1116352408)  # 0x428a2f98 in hex
    """
    # Get the fractional part (remove integer part)
    fractional = cube_root - np.floor(cube_root)
    
    # Multiply by 2^32 to shift 32 bits of fraction into integer range
    # Then take only the integer part
    bits_32 = np.uint32(fractional * (2 ** 32))
    
    return bits_32

In [None]:
print("\nGenerating constants from cube roots of first 64 primes:")
print()

# Get first 64 primes
prime_list = primes(64)

# Calculate constants
constants = []

for i in range(64):
    prime = prime_list[i]
    cube_root = prime ** (1/3)
    constant = fractional_part_to_hex(cube_root)
    constants.append(constant)
    
    # Print in a same format like in FIPS document.
    if i % 8 == 0:
        print()
    print(f"{constant:08x}", end=" ")

print("\n")

In [None]:
# constants from FIPS PUB 180-4, Section 4.2.2, page 11
FIPS_CONSTANTS = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
]

print("Verification against FIPS 180-4")

# Compare the generated constants with FIPS constants.
all_match = True
mismatches = []

for i in range(64):
    if constants[i] != FIPS_CONSTANTS[i]:
        all_match = False
        mismatches.append(i)
        print(f" K[{i:2d}]: Generated 0x{constants[i]:08x}, Expected 0x{FIPS_CONSTANTS[i]:08x}")

if all_match:
    print("\nAll 64 Constants Match FIPS 180-4")
    print(f"\nSuccessfully generated all SHA-256 K constants")
else:
    print(f"\n{len(mismatches)} mismatches found at indices: {mismatches}")

Problem 2: Conclusion

Problem 2 demonstrates the derivation of SHA-256s 64 round constants from mathematical foundations, specifically the fractional parts of cube roots of the first 64 prime numbers.

This approach validates the cryptographic principle of "nothing up my sleeve" the constants are derived from well known mathematical sequences rather than arbitrary values that could hide backdoors.

Mathematical Process


The generation process involves:

Generating the first 64 prime numbers: [2, 3, 5, 7, ... 311]
Computing the cube root of each prime
Extracting the fractional part (portion after the decimal point).
Converting the first 32 bits of the fractional part to hexadecimal.

Verification Results


All 64 generated constants match precisely with those specified in FIPS PUB 180-4, Section 4.2.2. This verification confirms both the correctness of our implementation and the reproducibility of the SHA-256 standard. The deterministic nature of this generation process provides transparency and builds trust in the algorithm's design.

Cryptographic Significance:
Using cube roots of primes serves multiple purposes.

Transparency: Anyone can verify the constants independently.

No hidden structure: Mathematical constants appear random, preventing exploitation.

Historical precedent: Similar to SHA256s initial hash values (from square roots of primes).

Standardization: Ensures all implementations use identical constants

This problem bridges theoretical mathematics and practical cryptography, showing how number theory contributes to secure hash algorithm design.



Problem 3: Padding

Overview
In SHA-256, messages must be padded to a length that is a multiple of 512 bits before hashing. The padding scheme ensures that:

Every message has a unique padded form. 
The original message length is preserved. 
Messages are properly aligned for block processing

Reference
FIPS PUB 180-4, Section 5.1.1 (page 13): Padding the Message for SHA-256

"Suppose that the length of the message, M, is ℓ bits. Append the bit "1" to the end of the message, followed by k zero bits, where k is the smallest, non-negative solution to the equation ℓ + 1 + k ≡ 448 mod 512. Then append the 64-bit block that is equal to the number ℓ expressed using a binary representation."

FIPS PUB 180-4, Section 5.2.1 (page 14): Parsing the Message. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

"For SHA-1, SHA-224 and SHA-256, the message and its padding are parsed into N 512-bit blocks, M⁽¹⁾, M⁽²⁾,..., M⁽ᴺ⁾."

In [None]:
#Function to Calculate Padding

def calculate_padding_length(message_length_bits):
    """
    Calculate how many zero bits to add for SHA-256 padding.
    
    Formula: ℓ + 1 + k ≡ 448 (mod 512)
    Solving for k: k = (448 - ℓ - 1) mod 512
    
    Parameters:
    message_length_bits : int
        Length of the message in bits
    
    Returns
    int
        Number of zero bits to add
    
    Reference
    FIPS PUB 180-4, Section 5.1.1, page 13 https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    """
    # need: (message_length + 1 + k) mod 512 = 448
    # Solving: k = (448 - message_length - 1) mod 512
    k = (448 - message_length_bits - 1) % 512
    
    return k

In [None]:
#Main Generator Function

def block_parse(msg):
    """
    Generator function that processes a message according to SHA 256 padding
    and yields 512-bit blocks as bytes objects.
    
    This implements the padding scheme from FIPS 180-4 Section 5.1.1 and
    parsing from Section 5.2.1. The message is padded with:
    1. A single '1' bit
    2. k zero bits (where k makes the length ≡ 448 mod 512)
    3. A 64-bit representation of the original message length
    
    Parameters
    msg : bytes
        The message to be padded and parsed as a bytes object
    
    Yields
    bytes
        Each 512-bit (64-byte) block as a bytes object
    
    Reference
    FIPS PUB 180-4, Sections 5.1.1 and 5.2.1, pages 13-14
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    
    """
    # Get message length in bits
    message_length_bits = len(msg) * 8
    
    # Calculate how many zero bits needed for padding
    k = calculate_padding_length(message_length_bits)
    
    # Start building the padded message
    # 1: Original message
    padded = bytearray(msg)
    
    # 2: Append the '1' bit (0x80 = 10000000 in binary)
    padded.append(0x80)
    
    # 3: Append k zero bits
    # k must be converted to bytes
    # k is in bits, so k // 8 gives number of zero bytes
    num_zero_bytes = k // 8
    padded.extend(b'\x00' * num_zero_bytes)
    
    # 4: Append 64-bit (8-byte) representation of message length
    # Convert message length to 64 bit big endian integer
    length_bytes = message_length_bits.to_bytes(8, byteorder='big')
    padded.extend(length_bytes)
    
    # 5: Parse into 512-bit (64 byte) blocks and yield each
    # Total length should now be a multiple of 512 bits (64 bytes)
    num_blocks = len(padded) // 64
    
    for i in range(num_blocks):
        # Extract 64 byte block
        start = i * 64
        end = start + 64
        block = bytes(padded[start:end])
        
        yield block

In [None]:
# Test 1: Empty message (edge case)
print("\nTest 1: Empty message")
msg1 = b''
blocks1 = list(block_parse(msg1))
print(f"Message length: {len(msg1)} bytes")
print(f"Number of blocks: {len(blocks1)}")
print(f"PASS" if len(blocks1) == 1 and len(blocks1[0]) == 64 else "FAIL")

In [None]:
# Test 2: "abc"  standard FIPS test case
print("\nTest 2: Message 'abc' (standard test)")
msg2 = b'abc'
blocks2 = list(block_parse(msg2))
print(f"Message: {msg2}")
print(f"Message length: {len(msg2)} bytes ({len(msg2) * 8} bits)")
print(f"Number of blocks: {len(blocks2)}")
print(f"PASS" if len(blocks2) == 1 else "FAIL")

In [None]:
# Verify against hashlib
expected_hash = hashlib.sha256(msg2).hexdigest()
print(f"Expected SHA-256: {expected_hash}")

In [None]:
# Test 3: 55 byte message
print("\nTest 3: 55-byte message (boundary case)")
msg3 = b'a' * 55
blocks3 = list(block_parse(msg3))
print(f"Message length: {len(msg3)} bytes")
print(f"Number of blocks: {len(blocks3)}")
print(f"PASS" if len(blocks3) == 1 else "FAIL")

In [None]:
# Test 4: 56-byte message
print("\nTest 4: 56-byte message (requires 2 blocks)")
msg4 = b'a' * 56
blocks4 = list(block_parse(msg4))
print(f"Message length: {len(msg4)} bytes")
print(f"Number of blocks: {len(blocks4)}")
print(f"PASS" if len(blocks4) == 2 else "FAIL")