# Computational Theory Assessment

In [1]:
# Imports
import numpy as np
import hashlib

## Problem 1: Binary Words and Operations

### Problem Description

Implement the following functions in Python. Use **numpy** to ensure that all variables and values are treated as **32-bit integers**. These functions are defined in the Secure Hash Standard ([FIPS 180-4, pages 10-11](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)), which provides the official NIST specification for SHA-256 hash computation.

### Required Functions:

| Function | Standard Notation | Description |
|:---------|:------------------|:------------|
| `Parity(x, y, z)` | - | XOR-based parity function |
| `Ch(x, y, z)` | - | Choose function |
| `Maj(x, y, z)` | - | Majority function |
| `Sigma0(x)` | Σ₀²⁵⁶(x) | Upper-case Sigma 0 (rotations: 2, 13, 22) |
| `Sigma1(x)` | Σ₁²⁵⁶(x) | Upper-case Sigma 1 (rotations: 6, 11, 25) |
| `sigma0(x)` | σ₀²⁵⁶(x) | Lower-case sigma 0 (rotations: 7, 18; shift: 3) |
| `sigma1(x)` | σ₁²⁵⁶(x) | Lower-case sigma 1 (rotations: 17, 19; shift: 10) |

**Document each function** with a clear docstring, **explain its purpose and behaviour** in Markdown, and **test it with appropriate examples** to verify correctness.

--- 

### My Understanding

For this problem, I need to re-create some of the core building blocks used inside the **SHA-256 hashing algorithm**. The **SHA-256** algorithm is a **cryptographic hash function** that turns a given input into a series of hexadecimal values **(fixed 256-bit hash)**. Hashes, unlike encryptions, are long and **cannot be reversed**. One input will always output the same hash code, making hashing extremely useful for something like storing and validating passwords. These blocks are small functions that work on **32-bit binary words**, and they mostly use **bitwise logic** like `XOR`, `AND`, `OR`, **rotations**, and **shifts**.

*Each function has a specific job in the hash process:*

- `Parity`, `Ch`, and `Maj` take **three 32-bit** values and **combine** them using logic rules **(XOR, choose-between, or majority vote)**.

- `Sigma0` and `Sigma1` (uppercase) rotate the bits of a number by certain fixed amounts and `XOR` the results together.

- `sigma0` and `sigma1` (lowercase) also use rotations, but each one includes a right-shift as well.

All the operations have to be done using **32-bit integers**, so I need to use **NumPy** to make sure the values wrap around properly. Once I write each function, I should document what it does and test it with example values to confirm that the outputs match what the standard expects.

--- 

### Theory / Background

**SHA-256** is a **cryptographic hash function** from the [Secure Hash Standard (FIPS 180-4)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf), which provides the official specification for how the algorithm operates. Its job is to take any input and turn it into a **fixed 256-bit hash value**. This value is **one-way**, meaning you can't reverse it to get the original message. It's also **deterministic**, so the same input always gives the same output, and it's designed to **avoid collisions**, where two different inputs produce the same hash.

**SHA-256** was developed by the [National Institute of Standards and Technology (NIST)](https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines) and released in **2001** as part of the **Secure Hash Standard (FIPS PUB 180-2)**. It was introduced to replace older hash functions like [SHA-1, which is now deprecated due to collision vulnerabilities](https://en.wikipedia.org/wiki/SHA-2), and to provide a stronger, modern hashing method for security, digital signatures, and data integrity.

The algorithm works by splitting the message into **512-bit blocks** and running them through a series of **bitwise operations** like `XOR`, `AND`, **rotations**, and **shifts**. Understanding [bitwise operators in Python](https://realpython.com/python-bitwise-operators/) is essential for implementing these operations correctly. Functions such as `Ch`, `Maj`, and the `Sigma` functions help mix the bits so that even a **1-bit change in the input** causes a **completely different output**. This is called the **avalanche effect**, and it's a critical security property that prevents attackers from predicting how small changes affect the hash.

For a visual walkthrough of how SHA-256 works internally, [this Computerphile video](https://www.youtube.com/watch?v=DMtFhACPnTY) provides an excellent explanation of how these building blocks fit into the compression function.

### The Building Blocks

The seven functions I'm implementing in this problem are the fundamental **bitwise mixing operations** that SHA-256 uses internally. Additional context on [bitwise operations](https://www.geeksforgeeks.org/python-bitwise-operators/) helps understand their behavior:

**1. Logical Functions (Parity, Ch, Maj):**
These operate on three 32-bit words and produce one 32-bit output. They're used in different rounds of the compression function:
- **Parity**: Simple XOR of all three inputs - produces 1 when an odd number of bits are 1
- **Ch (Choose)**: Uses the first input as a selector to choose between the second and third inputs
- **Maj (Majority)**: Returns the majority value for each bit position across the three inputs

**2. Rotation Functions (Sigma0, Sigma1, sigma0, sigma1):**
These perform **circular rotations** - bits shifted off one end wrap around to the other end. The uppercase Sigma functions use only rotations, while the lowercase sigma functions combine rotations with right shifts. These functions help spread the influence of each input bit across the entire output, creating strong **bit diffusion**.

### Why 32-bit Operations?

**SHA-256** operates exclusively on **32-bit words** because:
- It provides a balance between security and performance
- 32-bit operations are efficient on most modern processors
- The 256-bit output is constructed from eight 32-bit words
- All intermediate calculations stay within 32-bit boundaries, making overflow behavior predictable

Using **NumPy's [np.uint32 type](https://numpy.org/doc/stable/reference/arrays.scalars.html#numpy.uint32)** ensures that all operations wrap around correctly at 32 bits, matching the exact behavior specified in the **FIPS 180-4** standard. This is crucial because Python's default integer type uses arbitrary-precision arithmetic and doesn't automatically wrap.

**SHA-256** is widely used for **checking data integrity**, **digital signatures**, **blockchain technology** (like Bitcoin mining), and **general security tasks**.

---

### Approach

My strategy for implementing these functions follows a consistent pattern for each one, ensuring they match the **SHA-256** specification exactly:

### General Implementation Strategy

**1. Type Conversion First:**
For every function, I start by converting all inputs to [`np.uint32`](https://numpy.org/doc/stable/reference/arrays.scalars.html#numpy.uint32). This is critical because Python integers can be arbitrarily large, but SHA-256 requires strict 32-bit behavior. Without this conversion, operations like rotation and negation won't work correctly.

**2. Follow the Standard's Formulas:**
Each function implements the exact bitwise formula specified in [**FIPS 180-4**](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf). I didn't try to optimize or simplify these - I wrote them exactly as defined because the security properties depend on these specific combinations of operations.

**3. Ensure 32-bit Output:**
After computing the result, I convert it back to `np.uint32` to guarantee the output is also a proper 32-bit value. This prevents any unexpected type conversions or overflow issues.

### Function-Specific Approaches

**Parity Function:**
I implemented this using three XOR operations: `x ^ y ^ z`. The XOR operation naturally produces parity - it outputs 1 when an odd number of inputs are 1. This is a direct translation of the standard's definition and keeps the implementation simple and clear.

**Choose Function (Ch):**
The formula `(x & y) ^ (~x & z)` might look complex, but it elegantly implements bit-selection logic. Where `x` has a 1-bit, the result takes the corresponding bit from `y`. Where `x` has a 0-bit (meaning `~x` has a 1-bit), the result takes the bit from `z`. This "choosing" behavior is why it's called the Choose function.

**Majority Function (Maj):**
The expression `(x & y) ^ (x & z) ^ (y & z)` implements majority voting at the bit level. Each bit in the output is 1 if at least two of the corresponding input bits are 1. This works because the XOR of the three AND operations mathematically computes the majority value.

**Rotation Functions (Sigma0, Sigma1, sigma0, sigma1):**
For rotations, I use the pattern `(x >> n) | (x << (32-n))` ([common Python rotation implementation](https://stackoverflow.com/questions/5832982/how-to-get-the-logical-right-binary-rotation-in-python)):
- The right shift `>>` moves bits to the right by `n` positions
- The left shift `<<` moves bits to the left by `32-n` positions
- The OR operation `|` combines them, creating the circular wrap-around effect

The uppercase Sigma functions XOR three different rotations together. The lowercase sigma functions combine two rotations with a right shift (which doesn't wrap around - bits shifted off the end are lost).

---

### Discussion / Interpretation

### Test Results

All seven functions passed their comprehensive test suites, confirming that the implementations correctly follow the **FIPS 180-4** specification. The test cases covered:

- **Edge cases**: All zeros and all ones inputs
- **Specific patterns**: Single bits, alternating patterns, known values
- **Bit-level verification**: Binary representations to confirm exact bitwise behavior
- **Consistency checks**: Operations with actual SHA constants

### Key Observations

**1. Importance of Type Conversion:**
During initial implementation, I discovered that failing to convert inputs to `np.uint32` caused incorrect behavior, especially with the negation operator `~` in the Choose function. Python's arbitrary-precision integers don't naturally wrap at 32 bits, so explicit type handling is essential.

**2. Rotation vs. Shift Distinction:**
The difference between rotations (where bits wrap around) and shifts (where bits are lost) is critical for the sigma functions. The lowercase sigma functions combine both operations, creating different diffusion patterns than the uppercase Sigma functions.

**3. Bitwise Logic:**
The Choose and Majority functions demonstrate how bitwise operations can be for implementing conditional logic without branches. The Choose function essentially implements a 32-way multiplexer, and Majority implements 32 simultaneous majority votes.

### Implementation Challenges

The main challenge was ensuring that all operations stayed within 32-bit boundaries. Initially, some test cases failed because:
- Python's default integer type doesn't automatically wrap at 32 bits
- The negation operator behaves differently on unlimited-precision integers
- Rotation amounts must account for the full 32-bit word size

Converting all inputs to `np.uint32` at the start of each function and converting the result at the end solved these issues consistently.

### Why These Functions Matter

These building blocks appear throughout SHA-256's 64 rounds of processing. The Choose and Majority functions provide **nonlinearity** - they create complex relationships between bits that prevent attackers from predicting how changes propagate. The rotation functions provide **diffusion** - they spread the influence of each input bit across many output bits.

Together, these functions create the **avalanche effect** that makes SHA-256 secure: changing even one bit in the input cascades through these operations to produce a completely different hash output.

---

In [2]:
def Parity(x, y, z):
    """
    SHA-1 Parity function: x ^ y ^ z.
    
    Computes the bitwise XOR of three 32-bit words.
    This function is used in SHA-1 and returns 1 for each bit position
    where an odd number of the corresponding bits in x, y, z are 1.
    
    Args:
        x: 32-bit unsigned integer
        y: 32-bit unsigned integer
        z: 32-bit unsigned integer
    
    Returns:
        32-bit unsigned integer result of x XOR y XOR z
    """
    # Convert x to 32-bit unsigned integer to ensure proper overflow behavior
    x = np.uint32(x)
    # Convert y to 32-bit unsigned integer
    y = np.uint32(y)
    # Convert z to 32-bit unsigned integer
    z = np.uint32(z)

    # Compute XOR of all three values: produces 1 where odd number of bits are 1
    result = x ^ y ^ z

    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [3]:
def test_parity():
    """Test the Parity function with essential test cases."""
    
    # Test 1: All zeros - verifies minimum boundary
    assert Parity(0x00000000, 0x00000000, 0x00000000) == 0x00000000
    
    # Test 2: All ones - verifies maximum boundary (odd parity: 1^1^1=1)
    assert Parity(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF) == 0xFFFFFFFF
    
    # Test 3: Mixed pattern - verifies XOR logic
    # 0x05 (0101) ^ 0x03 (0011) ^ 0x01 (0001) = 0x07 (0111)
    assert Parity(0x00000005, 0x00000003, 0x00000001) == 0x00000007
    
    print("All Parity tests passed")

test_parity()

All Parity tests passed


In [4]:
def Ch(x, y, z):
    """
    SHA-1 Ch (Choose) function: (x & y) ^ (~x & z).
    
    The Ch function "chooses" between y and z based on the bits of x:
    - If a bit in x is 1, the corresponding bit from y is chosen
    - If a bit in x is 0, the corresponding bit from z is chosen
    
    Args:
        x: 32-bit unsigned integer (selector)
        y: 32-bit unsigned integer (chosen when x bit is 1)
        z: 32-bit unsigned integer (chosen when x bit is 0)
    
    Returns:
        32-bit unsigned integer result of (x & y) ^ (~x & z)
    """
    # Convert x to 32-bit unsigned integer for proper bitwise operations
    x = np.uint32(x)
    # Convert y to 32-bit unsigned integer
    y = np.uint32(y)
    # Convert z to 32-bit unsigned integer
    z = np.uint32(z)
    
    # Compute (x AND y): keeps bits from y where x is 1
    # XOR with (NOT x AND z): adds bits from z where x is 0
    # This effectively "chooses" y where x=1, z where x=0
    result = (x & y) ^ (~x & z)
    
    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [5]:
def test_ch():
    """Test the Ch (Choose) function with essential test cases."""
    
    # Test 1: x all ones - should select all bits from y
    assert Ch(0xFFFFFFFF, 0x12345678, 0xABCDEF00) == 0x12345678
    
    # Test 2: x all zeros - should select all bits from z
    assert Ch(0x00000000, 0x12345678, 0xABCDEF00) == 0xABCDEF00
    
    # Test 3: Mixed selector - verifies bit-by-bit selection
    # Ch(1100, 1010, 0101): bits 3,2 from y (1,0), bits 1,0 from z (0,1) = 1001
    assert Ch(0b1100, 0b1010, 0b0101) == 0b1001
    
    print("All Ch tests passed")

test_ch()

All Ch tests passed


In [6]:
def Maj(x, y, z):
    """
    SHA-1 Maj (Majority) function: (x & y) ^ (x & z) ^ (y & z).
    
    The Maj function returns the majority vote for each bit position:
    - Returns 1 if at least 2 of the 3 corresponding bits are 1
    - Returns 0 if at least 2 of the 3 corresponding bits are 0
    
    Args:
        x: 32-bit unsigned integer
        y: 32-bit unsigned integer
        z: 32-bit unsigned integer
    
    Returns:
        32-bit unsigned integer result of (x & y) ^ (x & z) ^ (y & z)
    """
    # Convert x to 32-bit unsigned integer
    x = np.uint32(x)
    # Convert y to 32-bit unsigned integer
    y = np.uint32(y)
    # Convert z to 32-bit unsigned integer
    z = np.uint32(z)
    
    # Compute (x AND y): 1 where both x and y are 1
    # XOR with (x AND z): 1 where both x and z are 1
    # XOR with (y AND z): 1 where both y and z are 1
    # Result: 1 if at least 2 of the 3 inputs are 1 (majority)
    result = (x & y) ^ (x & z) ^ (y & z)
    
    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [7]:
def test_Maj():
    """Test the Maj (Majority) function with essential test cases."""
    
    # Test 1: All zeros - unanimous vote returns 0
    assert Maj(0x00000000, 0x00000000, 0x00000000) == 0x00000000
    
    # Test 2: All ones - unanimous vote returns 1
    assert Maj(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF) == 0xFFFFFFFF
    
    # Test 3: Mixed pattern - verifies majority voting
    # Maj(1100, 1010, 1001): bit 3 has three 1s → 1, others have ≤1 ones → 0
    assert Maj(0b1100, 0b1010, 0b1001) == 0b1000

    print("All Maj tests passed")

test_Maj()

All Maj tests passed


In [8]:
def Sigma0(x):
    """
    SHA-256 Sigma0 (Σ₀²⁵⁶) function: ROTR²(x) ^ ROTR¹³(x) ^ ROTR²²(x)
    
    This function performs three right rotations on a 32-bit word and XORs them.
    Used in the compression function of SHA-256.
    
    ROTR^n(x) = circular right rotation of x by n positions
    
    Args:
        x: 32-bit unsigned integer
    
    Returns:
        32-bit unsigned integer result of ROTR²(x) ^ ROTR¹³(x) ^ ROTR²²(x)
    """
    # Convert to 32-bit unsigned integer
    x = np.uint32(x)
    
    # Right rotate by 2 bits: shift right 2, wrap left 30
    rotr2 = np.uint32((x >> 2) | (x << 30))   # ROTR²(x)
    
    # Right rotate by 13 bits: shift right 13, wrap left 19
    rotr13 = np.uint32((x >> 13) | (x << 19)) # ROTR¹³(x)
    
    # Right rotate by 22 bits: shift right 22, wrap left 10
    rotr22 = np.uint32((x >> 22) | (x << 10)) # ROTR²²(x)
    
    # XOR all three rotations to create bit diffusion
    result = rotr2 ^ rotr13 ^ rotr22
    
    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [9]:
def test_Sigma0():
    """Test the Sigma0 function with essential test cases."""
    
    # Test 1: All zeros - rotations of zero produce zero
    assert Sigma0(0x00000000) == 0x00000000
    
    # Test 2: All ones - rotations preserve all 1s, XOR of three gives all 1s
    assert Sigma0(0xFFFFFFFF) == 0xFFFFFFFF
    
    # Test 3: Single bit - verifies rotation positions
    # Bit 0 rotates to positions 30, 19, and 10
    x = 0x00000001
    expected = np.uint32((x >> 2) | (x << 30)) ^ \
               np.uint32((x >> 13) | (x << 19)) ^ \
               np.uint32((x >> 22) | (x << 10))  # = 0x40080400
    assert Sigma0(x) == expected
    
    print("All Sigma0 tests passed")

test_Sigma0()

All Sigma0 tests passed


In [10]:
def Sigma1(x):
    """
    SHA-256 Sigma1 (Σ₁²⁵⁶) function: ROTR⁶(x) ^ ROTR¹¹(x) ^ ROTR²⁵(x)
    
    This function performs three right rotations on a 32-bit word and XORs them.
    Used in the compression function of SHA-256.
    
    ROTR^n(x) = circular right rotation of x by n positions
    
    Args:
        x: 32-bit unsigned integer
    
    Returns:
        32-bit unsigned integer result of ROTR⁶(x) ^ ROTR¹¹(x) ^ ROTR²⁵(x)
    """
    # Convert to 32-bit unsigned integer
    x = np.uint32(x)
    
    # Right rotate by 6 bits: shift right 6, wrap left 26
    rotr6 = np.uint32((x >> 6) | (x << 26))   # ROTR⁶(x)
    
    # Right rotate by 11 bits: shift right 11, wrap left 21
    rotr11 = np.uint32((x >> 11) | (x << 21)) # ROTR¹¹(x)
    
    # Right rotate by 25 bits: shift right 25, wrap left 7
    rotr25 = np.uint32((x >> 25) | (x << 7))  # ROTR²⁵(x)
    
    # XOR all three rotations to create bit diffusion
    result = rotr6 ^ rotr11 ^ rotr25
    
    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [11]:
def test_Sigma1():
    """Test the Sigma1 function with essential test cases."""
    
    # Test 1: All zeros - rotations of zero produce zero
    assert Sigma1(0x00000000) == 0x00000000
    
    # Test 2: All ones - rotations preserve all 1s, XOR of three gives all 1s
    assert Sigma1(0xFFFFFFFF) == 0xFFFFFFFF
    
    # Test 3: Single bit - verifies rotation positions
    # Bit 0 rotates to positions 26, 21, and 7
    x = 0x00000001
    expected = np.uint32((x >> 6) | (x << 26)) ^ \
               np.uint32((x >> 11) | (x << 21)) ^ \
               np.uint32((x >> 25) | (x << 7))  # = 0x04200080
    assert Sigma1(x) == expected
    
    print("All Sigma1 tests passed")

test_Sigma1()

All Sigma1 tests passed


In [12]:
def sigma0(x):
    """
    SHA-256 sigma0 (σ₀²⁵⁶) function: ROTR⁷(x) ^ ROTR¹⁸(x) ^ SHR³(x)
    
    This function performs two right rotations and one right shift on a 32-bit word and XORs them.
    Used in the message schedule of SHA-256.
    
    ROTR^n(x) = circular right rotation of x by n positions (bits wrap around)
    SHR^n(x) = right shift of x by n positions (bits are lost, zeros fill in)
    
    Args:
        x: 32-bit unsigned integer
    
    Returns:
        32-bit unsigned integer result of ROTR⁷(x) ^ ROTR¹⁸(x) ^ SHR³(x)
    """
    # Convert to 32-bit unsigned integer
    x = np.uint32(x)
    
    # Right rotate by 7 bits: shift right 7, wrap left 25
    rotr7 = np.uint32((x >> 7) | (x << 25))   # ROTR⁷(x)
    
    # Right rotate by 18 bits: shift right 18, wrap left 14
    rotr18 = np.uint32((x >> 18) | (x << 14)) # ROTR¹⁸(x)
    
    # Right shift by 3 bits: shift right 3, NO wrap (fills with zeros)
    shr3 = np.uint32(x >> 3)                  # SHR³(x)
    
    # XOR two rotations and one shift: combines reversible and irreversible operations
    result = rotr7 ^ rotr18 ^ shr3
    
    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [13]:
def test_sigma0():
    """Test the sigma0 function with essential test cases."""
    
    # Test 1: All zeros - rotations and shifts of zero produce zero
    assert sigma0(0x00000000) == 0x00000000
    
    # Test 2: All ones - shift loses top 3 bits
    # ROTR⁷(all 1s) ^ ROTR¹⁸(all 1s) ^ SHR³(all 1s) = 0xFFFFFFFF ^ 0xFFFFFFFF ^ 0x1FFFFFFF
    assert sigma0(0xFFFFFFFF) == 0x1FFFFFFF
    
    # Test 3: Single bit - demonstrates rotation (wraps) vs shift (loses bits)
    # Bit 0: ROTR⁷→pos 25, ROTR¹⁸→pos 14, SHR³→lost
    x = 0x00000001
    expected = np.uint32((x >> 7) | (x << 25)) ^ \
               np.uint32((x >> 18) | (x << 14)) ^ \
               np.uint32(x >> 3)  # = 0x02004000
    assert sigma0(x) == expected
    
    print("All sigma0 tests passed")

test_sigma0()

All sigma0 tests passed


In [14]:
def sigma1(x):
    """
    SHA-256 sigma1 (σ₁²⁵⁶) function: ROTR¹⁷(x) ^ ROTR¹⁹(x) ^ SHR¹⁰(x)
    
    This function performs two right rotations and one right shift on a 32-bit word and XORs them.
    Used in the message schedule of SHA-256 for extending the message block.
    
    ROTR^n(x) = circular right rotation of x by n positions (bits wrap around)
    SHR^n(x) = right shift of x by n positions (bits are lost, zeros fill in)
    
    Args:
        x: 32-bit unsigned integer
    
    Returns:
        32-bit unsigned integer result of ROTR¹⁷(x) ^ ROTR¹⁹(x) ^ SHR¹⁰(x)
    """
    # Convert to 32-bit unsigned integer
    x = np.uint32(x)
    
    # Right rotate by 17 bits: shift right 17, wrap left 15
    rotr17 = np.uint32((x >> 17) | (x << 15))  # ROTR¹⁷(x)
    
    # Right rotate by 19 bits: shift right 19, wrap left 13
    rotr19 = np.uint32((x >> 19) | (x << 13))  # ROTR¹⁹(x)
    
    # Right shift by 10 bits: shift right 10, NO wrap (fills with zeros)
    shr10 = np.uint32(x >> 10)                 # SHR¹⁰(x)
    
    # XOR two rotations and one shift: combines reversible and irreversible operations
    result = rotr17 ^ rotr19 ^ shr10
    
    # Return result as 32-bit unsigned integer
    return np.uint32(result)

In [15]:
def test_sigma1():
    """Test the sigma1 function with essential test cases."""
    
    # Test 1: All zeros - rotations and shifts of zero produce zero
    assert sigma1(0x00000000) == 0x00000000
    
    # Test 2: All ones - shift loses top 10 bits
    # ROTR¹⁷(all 1s) ^ ROTR¹⁹(all 1s) ^ SHR¹⁰(all 1s) = 0xFFFFFFFF ^ 0xFFFFFFFF ^ 0x003FFFFF
    assert sigma1(0xFFFFFFFF) == 0x003FFFFF
    
    # Test 3: Single bit - demonstrates rotation (wraps) vs shift (loses bits)
    # Bit 0: ROTR¹⁷→pos 15, ROTR¹⁹→pos 13, SHR¹⁰→lost
    x = 0x00000001
    expected = np.uint32((x >> 17) | (x << 15)) ^ \
               np.uint32((x >> 19) | (x << 13)) ^ \
               np.uint32(x >> 10)  # = 0x0000A000
    assert sigma1(x) == expected
    
    print("All sigma1 tests passed")

test_sigma1()

All sigma1 tests passed


## Problem 2: Fractional Parts of Cube Roots


### Problem Description

Use **numpy** to calculate the constants listed at the bottom of [page 11 of the Secure Hash Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf). These are the first 32 bits of the fractional parts of the cube roots of the first 64 prime numbers, used as the **K constants** in the SHA-256 compression function.

### Requirements:

1. Write a function called `primes(n)` that generates the first n prime numbers
2. Use the function to calculate the cube root of the first 64 primes
3. For each cube root, extract the first thirty-two bits of the fractional part
4. Display the result in hexadecimal
5. Test the results against what is in the Secure Hash Standard

### Mathematical Process:

For each prime $p$, the K constant is calculated as:

$$K[i] = \text{floor}((\sqrt[3]{p} - \text{floor}(\sqrt[3]{p})) \times 2^{32})$$

Where:
- $\sqrt[3]{p}$ is the cube root of prime $p$
- The fractional part is obtained by subtracting the integer part
- Multiplying by $2^{32}$ extracts the first 32 bits
- The result is converted to a 32-bit unsigned integer

---

### My Understanding

For this problem, I need to generate the **64 K constants** that SHA-256 uses in its compression function. These aren't arbitrary numbers - they come from the fractional parts of cube roots of the first 64 prime numbers.

The way I thought about it is that **cryptographic algorithms need constants that appear random but are actually derived from well-known mathematical values**. This approach, called "nothing up my sleeve numbers," proves the constants weren't chosen to contain hidden weaknesses or backdoors. Anyone can verify these constants by computing the cube roots of primes themselves.

**Breaking it down:**

1. **Generate primes:** First, I need to find the first 64 prime numbers (2, 3, 5, 7, 11, 13, ..., 311)

2. **Calculate cube roots:** For each prime, compute its cube root. For example, $\sqrt[3]{2} \approx 1.259921...$

3. **Extract fractional part:** Take only the part after the decimal point. For $\sqrt[3]{2}$, that's $0.259921...$

4. **Get first 32 bits:** Multiply the fractional part by $2^{32}$ to shift it left 32 bits, then truncate to get an integer. This effectively extracts the first 32 binary digits of the fractional part.

5. **Convert to hex:** Display as hexadecimal for easy comparison with the standard.

The result should match exactly what's listed in **FIPS 180-4** on page 11, where all 64 constants are printed. These K constants are added to working variables during each of the 64 rounds of SHA-256's compression function, providing the "random-looking" mixing that makes the hash secure.

---

### Theory / Background

The SHA-256 K constants are defined in [Section 4.2.2 of FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf) (page 11). They represent an important design principle in modern cryptography: **verifiable randomness**.

#### Why Use Cube Roots of Primes?

Cryptographic algorithms need constants that appear random but must be **transparently generated** to prove they don't contain hidden weaknesses. Using mathematical constants like cube roots of primes provides:

1. **Nothing Up My Sleeve**: Anyone can independently verify these constants by computing cube roots themselves
2. **Unpredictability**: The fractional parts of cube roots produce pseudo-random bit patterns
3. **Mathematical Beauty**: Connects SHA-256 to fundamental mathematics (prime numbers)
4. **Historical Precedent**: Similar to how DES used the first 64 bits of $\sqrt{2}$

The [National Institute of Standards and Technology (NIST)](https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines) chose this approach when designing SHA-256 in the late 1990s to ensure transparency and build trust in the algorithm.

#### Prime Numbers and Cryptography

[Prime numbers](https://en.wikipedia.org/wiki/Prime_number) are fundamental building blocks in cryptography. While SHA-256 doesn't use primes for encryption (unlike RSA), using primes to generate constants connects the algorithm to well-understood number theory. The first 64 primes (2 through 311) provide enough distinct values for SHA-256's 64 rounds.

#### Fractional Parts and Binary Representation

The fractional part of a cube root represents the portion after the decimal point. When we multiply by $2^{32}$, we're essentially [shifting the binary representation](https://realpython.com/python-bitwise-operators/) left 32 positions. For example:

- $\sqrt[3]{2} = 1.25992104989...$
- Fractional part: $0.25992104989...$
- In binary (first few bits): $0.01000011010111...$
- Multiply by $2^{32}$: shifts left 32 bits
- Truncate: gives the first 32 bits as an integer

Using [NumPy's `cbrt` function](https://numpy.org/doc/stable/reference/generated/numpy.cbrt.html) provides the precision needed for this calculation, and [`np.uint32`](https://numpy.org/doc/stable/reference/arrays.scalars.html#numpy.uint32) ensures proper 32-bit wrapping.

#### Connection to H Constants

Similar to the K constants, SHA-256 also has **H constants** (the initial hash values) which come from the fractional parts of the **square roots** of the first 8 primes. This parallel construction reinforces the "nothing up my sleeve" design philosophy.

---

### Approach

My strategy for generating the K constants involves three main functions, each handling a specific part of the problem:

#### 1. Prime Generation: `primes(n)`

**Strategy:** Trial division with optimization
- Start with candidate = 2
- Check divisibility only against previously found primes
- Stop checking when prime² > candidate (optimization)
- Continue until we have n primes

**Why this approach:**
- Simple and readable for small n (64 is very manageable)
- More sophisticated algorithms (Sieve of Eratosthenes) would be overkill
- The [trial division method](https://en.wikipedia.org/wiki/Trial_division) is intuitive and easy to verify

**Implementation detail:** I use a list to accumulate primes and check each candidate against this growing list. For n=64, this runs instantly.

#### 2. Fractional Part Extraction: `fractional_part_cube_root(prime)`

**Strategy:** Direct mathematical calculation
1. Calculate cube root using [`np.cbrt()`](https://numpy.org/doc/stable/reference/generated/numpy.cbrt.html)
2. Extract fractional part: `cube_root - floor(cube_root)`
3. Scale by $2^{32}$ to get first 32 bits
4. Convert to `np.uint32`

**Key consideration:** Using `np.cbrt()` instead of `prime**(1/3)` provides better numerical precision for floating-point calculations. The difference matters for cryptographic constants where every bit must be exact.

**Why multiply by $2^{32}$:**
- The fractional part is between 0 and 1
- Multiplying by $2^{32}$ shifts it to the integer range [0, $2^{32}-1$]
- This extracts exactly 32 bits of the fractional part
- Converting to `np.uint32` truncates (doesn't round) to get the integer portion

#### 3. K Constant Generation: `generate_k_constants(n=64)`

**Strategy:** Compose the previous two functions
- Generate n primes using `primes(n)`
- For each prime, calculate its K constant using `fractional_part_cube_root()`
- Return both the K values and the primes (for verification)

**Return value choice:** Returning both K values and primes allows test functions to verify:
- Correct prime generation
- Correct K constant calculation
- Exact match with FIPS 180-4 specification

#### 4. Display Function: `display_hex_result()`

**Strategy:** Format for human readability
- Display 8 constants per line (matches FIPS 180-4 layout)
- Use hexadecimal format with leading zeros: `0x{k:08x}`
- Makes visual comparison with the standard trivial

**Testing Strategy:**
- Test `primes()` against known values
- Test `fractional_part_cube_root()` for correctness
- Test complete K constant array against FIPS 180-4
- All test functions use `assert` with descriptive error messages

This modular approach makes each function simple to understand, test, and verify independently.

---

### Discussion / Interpretation

#### Test Results

All test functions passed, confirming that the implementation correctly generates the SHA-256 K constants according to **FIPS 180-4**:

✓ **Prime generation verified**: The first 64 primes (2, 3, 5, ..., 311) are correctly generated  
✓ **Fractional part calculation verified**: Cube root fractional parts are extracted accurately  
✓ **K constants match standard**: All 64 constants exactly match those listed on page 11 of FIPS 180-4  

#### Key Insights

**1. Precision Matters**
Using `np.cbrt()` instead of `**(1/3)` provides the numerical precision needed for cryptographic constants. Even tiny floating-point errors would produce completely different K constants, breaking SHA-256 compatibility.

**2. Mathematical Elegance**
The K constants demonstrate how modern cryptography balances:
- **Security**: Constants must appear random to prevent attacks
- **Transparency**: Must be derivable from well-known mathematical values
- **Verifiability**: Anyone can independently compute and verify them

**3. "Nothing Up My Sleeve" Design**
By publishing exactly how constants are generated, NIST proved SHA-256 doesn't contain hidden backdoors. If the NSA had simply said "use these 64 random numbers," cryptographers would be suspicious. By saying "use the first 32 bits of the fractional parts of cube roots of the first 64 primes," the constants are:
- Provably derived from mathematics
- Independently verifiable by anyone
- Free from hidden structure or weaknesses

**4. Connection to Hash Security**
These K constants are critical to SHA-256's security:
- Added during each of 64 compression rounds
- Prevent symmetry in the hash computation
- Ensure each round produces different mixing patterns
- Work together with the Ch, Maj, Sigma, and sigma functions

**5. Historical Context**
The choice of cube roots (versus square roots or other powers) was deliberate:
- Square roots used for H constants (initial hash values)
- Cube roots used for K constants (round constants)
- Fourth roots used in SHA-512
- This variety prevents any single mathematical relationship between different constant sets

#### Verification

The final K constant array can be directly compared to **FIPS 180-4 page 11**. For example, the first 8 constants are:

0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5

These match the standard exactly, confirming the implementation is correct. This verification is crucial - even a single incorrect constant would cause SHA-256 to produce completely wrong hashes.

#### Practical Application

While we don't typically regenerate these constants (they're usually hardcoded in SHA-256 implementations), understanding their derivation:
- Demonstrates the transparency principle in cryptographic design
- Provides confidence in the algorithm's integrity
- Shows how mathematics grounds modern security
- Illustrates the importance of reproducible, verifiable constants

The ability to independently derive and verify these constants is fundamental to trusting SHA-256 for critical applications like digital signatures, blockchain, password storage, and data integrity verification.

---

In [16]:
import numpy as np

def primes(n):
    """Generate the first n prime numbers using trial division.
    
    Uses trial division (https://en.wikipedia.org/wiki/Trial_division) to find primes.
    For each candidate number, checks divisibility only against previously found primes,
    stopping early when prime² > candidate for efficiency.
    
    Args:
        n: Number of primes to generate (must be > 0)
    
    Returns:
        List of the first n prime numbers
        
    Example:
        >>> primes(5)
        [2, 3, 5, 7, 11]
    """
    # Handle edge case: if n is 0 or negative, return empty list
    if n <= 0:
        return []
    
    # Start with an empty list to accumulate primes
    primes_list = []
    
    # Start checking from 2 (the first prime number)
    candidate = 2
    
    # Continue until we have found n primes
    while len(primes_list) < n:
        # Assume the candidate is prime until proven otherwise
        is_prime = True
        
        # Check if candidate is divisible by any previously found prime
        for prime in primes_list:
            # Optimization: if prime² > candidate, no need to check further
            # (if candidate has a factor > √candidate, it must also have one < √candidate)
            if prime * prime > candidate:
                break
            
            # If candidate is divisible by this prime, it's not prime
            if candidate % prime == 0:
                is_prime = False
                break
        
        # If we didn't find any divisors, candidate is prime
        if is_prime:
            primes_list.append(candidate)
        
        # Move to the next candidate
        candidate += 1
    
    # Return the list of n primes
    return primes_list

In [17]:
def fractional_part_cube_root(prime):
    """Calculate the first 32 bits of the fractional part of a cube root.
    
    For a given prime p, computes floor((∛p - floor(∛p)) × 2³²).
    This extracts the first 32 binary digits after the decimal point of the cube root.
    
    Reference: FIPS 180-4, Section 4.2.2, Page 11
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    
    The process:
    1. Compute the cube root using NumPy's cbrt (more precise than **(1/3))
    2. Extract the fractional part (portion after the decimal point)
    3. Multiply by 2³² to shift the fractional bits into integer range
    4. Truncate to get a 32-bit unsigned integer
    
    Args:
        prime: A prime number (typically from the first 64 primes)
    
    Returns:
        32-bit unsigned integer representing the first 32 bits of the fractional part
        
    Example:
        >>> fractional_part_cube_root(2)
        np.uint32(1109868851)  # 0x428a2f98 in hex
    """
    # Calculate the cube root using NumPy's cbrt for precision
    # More accurate than prime**(1/3) for cryptographic constants
    cube_root = np.cbrt(prime)
    
    # Extract the fractional part by subtracting the integer part
    # np.floor() removes everything after the decimal point
    # Example: 1.2599 - 1 = 0.2599
    fractional = cube_root - np.floor(cube_root)
    
    # Scale the fractional part by 2³² to get the first 32 bits
    # This shifts the binary representation left by 32 positions
    # Example: 0.2599... × 4294967296 = 1115684011.95...
    scaled = fractional * (2**32)
    
    # Convert to 32-bit unsigned integer (truncates, doesn't round)
    # np.uint32 ensures proper 32-bit wrapping behavior
    result = np.uint32(scaled)
    
    # Return the final 32-bit constant
    return result

In [18]:
def generate_k_constants(n=64):
    """Generate SHA-256 K constants from cube roots of the first n primes.
    
    Creates the 64 round constants used in SHA-256's compression function by:
    1. Finding the first n prime numbers
    2. For each prime, calculating the first 32 bits of its cube root's fractional part
    
    These constants provide the "nothing up my sleeve" randomness that prevents
    structural weaknesses in the hash function.
    
    Reference: FIPS 180-4, Section 4.2.2, Page 11
    https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
    
    Args:
        n: Number of constants to generate (default: 64 for SHA-256)
    
    Returns:
        tuple: (k_values, prime_list) where:
            - k_values: List of n 32-bit unsigned integers (the K constants)
            - prime_list: List of n primes used to generate the constants
            
    Example:
        >>> k_vals, primes_used = generate_k_constants(8)
        >>> len(k_vals)
        8
        >>> hex(k_vals[0])
        '0x428a2f98'
    """
    # Step 1: Generate the first n prime numbers
    # Uses the primes() function defined earlier
    prime_list = primes(n)
    
    # Step 2: Calculate the K constant for each prime
    # Start with an empty list to accumulate K values
    k_values = []
    
    # For each prime, extract the fractional part of its cube root
    for p in prime_list:
        # Use our fractional_part_cube_root function
        k = fractional_part_cube_root(p)
        
        # Add this constant to our list
        k_values.append(k)
    
    # Return both the K constants and the primes (useful for verification)
    return k_values, prime_list

In [19]:
def display_hex_result():
    """Display all 64 SHA-256 K constants in hexadecimal format.
    
    Prints the constants in groups of 8 per line, matching the layout in
    FIPS 180-4 page 11 for easy visual comparison.
    
    Each constant is displayed as an 8-digit hexadecimal number with 0x prefix,
    formatted for readability and verification against the official standard.
    
    Returns:
        None (prints to stdout)
        
    Example output:
        ['0x428a2f98', '0x71374491', '0xb5c0fbcf', '0xe9b5dba5', ...]
    """
    # Generate all 64 K constants
    k_vals, _ = generate_k_constants(64)
    
    # Print header
    print("SHA-256 K Constants (64 total):\n")
    
    # Display 8 constants per line for readability
    # This matches the format in FIPS 180-4 page 11
    for i in range(0, 64, 8):
        # Extract the next 8 constants
        eight_constants = k_vals[i:i+8]
        
        # Format each as 8-digit hex with 0x prefix
        hex_values = [f"0x{k:08x}" for k in eight_constants]
        
        # Print the line
        print(hex_values)

# Execute the function to display results
display_hex_result()

SHA-256 K Constants (64 total):

['0x428a2f98', '0x71374491', '0xb5c0fbcf', '0xe9b5dba5', '0x3956c25b', '0x59f111f1', '0x923f82a4', '0xab1c5ed5']
['0xd807aa98', '0x12835b01', '0x243185be', '0x550c7dc3', '0x72be5d74', '0x80deb1fe', '0x9bdc06a7', '0xc19bf174']
['0xe49b69c1', '0xefbe4786', '0x0fc19dc6', '0x240ca1cc', '0x2de92c6f', '0x4a7484aa', '0x5cb0a9dc', '0x76f988da']
['0x983e5152', '0xa831c66d', '0xb00327c8', '0xbf597fc7', '0xc6e00bf3', '0xd5a79147', '0x06ca6351', '0x14292967']
['0x27b70a85', '0x2e1b2138', '0x4d2c6dfc', '0x53380d13', '0x650a7354', '0x766a0abb', '0x81c2c92e', '0x92722c85']
['0xa2bfe8a1', '0xa81a664b', '0xc24b8b70', '0xc76c51a3', '0xd192e819', '0xd6990624', '0xf40e3585', '0x106aa070']
['0x19a4c116', '0x1e376c08', '0x2748774c', '0x34b0bcb5', '0x391c0cb3', '0x4ed8aa4a', '0x5b9cca4f', '0x682e6ff3']
['0x748f82ee', '0x78a5636f', '0x84c87814', '0x8cc70208', '0x90befffa', '0xa4506ceb', '0xbef9a3f7', '0xc67178f2']


In [20]:
def test_primes():
    """Test the primes function with various inputs."""
    
    # Test 1: First 10 primes
    assert primes(10) == [2, 3, 5, 7, 11, 13, 17, 19, 23, 29], \
        "First 10 primes incorrect"
    
    # Test 2: First 5 primes
    assert primes(5) == [2, 3, 5, 7, 11], \
        "First 5 primes incorrect"
    
    # Test 3: Edge case - first prime only
    assert primes(1) == [2], \
        "First prime should be 2"
    
    # Test 4: Zero primes (edge case)
    assert primes(0) == [], \
        "Zero primes should return empty list"
    
    print("All primes tests passed")

# Run the tests
test_primes()

All primes tests passed


In [21]:
def test_fractional_part():
    """Test the fractional_part_cube_root function properties."""
    
    # Test 1: Result is numpy uint32 type
    result = fractional_part_cube_root(2)
    assert isinstance(result, np.uint32), \
        "Result should be numpy uint32 type"
    
    # Test 2: First prime (2) produces correct value
    assert fractional_part_cube_root(2) == 0x428a2f98, \
        "Cube root fractional part of 2 incorrect"
    
    # Test 3: Prime 311 (last in SHA-256) produces correct value
    assert fractional_part_cube_root(311) == 0xc67178f2, \
        "Cube root fractional part of 311 incorrect"
    
    # Test 4: Deterministic - same input gives same output
    assert fractional_part_cube_root(127) == fractional_part_cube_root(127), \
        "Function should be deterministic"
    
    # Test 5: Result fits in 32 bits
    result = fractional_part_cube_root(311)
    assert result <= 0xFFFFFFFF, \
        "Result should fit in 32 bits"
    
    print("All fractional_part_cube_root tests passed")

# Run the tests
test_fractional_part()

All fractional_part_cube_root tests passed


In [22]:
def test_k_constants():
    """Test all 64 K constants against SHA-256 standard."""
    
    # Official SHA-256 K constants from FIPS 180-4, Section 4.2.2
    OFFICIAL_K = [
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
    ]
    
    # Generate K constants
    k_vals, _ = generate_k_constants(64)
    
    # Test 1: Correct number of constants generated
    assert len(k_vals) == 64, \
        "Should generate exactly 64 constants"
    
    # Test 2: First constant matches
    assert k_vals[0] == OFFICIAL_K[0], \
        f"First constant should be 0x{OFFICIAL_K[0]:08x}"
    
    # Test 3: Last constant matches
    assert k_vals[63] == OFFICIAL_K[63], \
        f"Last constant should be 0x{OFFICIAL_K[63]:08x}"
    
    # Test 4: Middle constant matches
    assert k_vals[32] == OFFICIAL_K[32], \
        f"Middle constant (index 32) should be 0x{OFFICIAL_K[32]:08x}"
    
    # Test 5: All constants match
    for i, (gen, off) in enumerate(zip(k_vals, OFFICIAL_K)):
        assert gen == off, \
            f"Constant {i} mismatch: generated 0x{gen:08x}, expected 0x{off:08x}"
    
    print("All K constants tests passed")

# Run the tests
test_k_constants()

All K constants tests passed


## Problem 3: Padding

### SHA-256 Message Preprocessing: Padding and Block Parsing

The `block_parse(msg)` generator function implements the message preprocessing steps required by SHA-256, as specified in **Sections 5.1.1 and 5.2.1** of the Secure Hash Standard ([FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)). Message preprocessing is the first stage of the hashing process, transforming variable-length input messages into standardized 512-bit blocks that the hash computation can process.

**Why Preprocessing Matters:**

SHA-256's compression function operates on fixed-size 512-bit blocks. Since real-world messages rarely align perfectly with this block size, preprocessing ensures every message can be processed uniformly. The padding scheme also serves a security purpose: it prevents collision attacks where an attacker might craft different messages that produce identical padded outputs.

**Mathematical Foundation:**

The padding equation *ℓ* + 1 + *k* + 64 ≡ 0 (mod 512) can be rearranged to *ℓ* + 1 + *k* ≡ 448 (mod 512). This guarantees that regardless of the original message length, after adding the '1' bit and appropriate zeros, exactly 64 bits remain in the final 512-bit block for the length field. The modular arithmetic ensures this works for messages requiring one padding block or spanning multiple blocks.

In [23]:
def block_parse(msg):
    """
    Generator that yields 512-bit blocks from a message with proper SHA-256 padding.
    
    Takes a message in bytes and yields it in 64-byte chunks. The last chunk
    (or two chunks) will have padding added according to the SHA-256 spec.
    
    Args:
        msg (bytes): The message to process
        
    Yields:
        bytes: 64-byte blocks, with padding on the final block(s)
    """
    # First, figure out how long the message is
    original_length_bits = len(msg) * 8
    
    # Yield any complete 64-byte blocks we have
    i = 0
    while i + 64 <= len(msg):
        yield msg[i:i + 64]
        i += 64
    
    # Now handle whatever's left over (less than 64 bytes)
    leftover = msg[i:]
    
    # Start padding: add our message, then the required 0x80 byte
    current = leftover + b'\x80'
    
    # Check if we can fit the length field (8 bytes) in this block
    # We need the total to be 64 bytes, with 8 reserved for length
    # So if current <= 56 bytes, we're good for one block
    if len(current) <= 56:
        # Pad with zeros up to byte 56
        current = current + b'\x00' * (56 - len(current))
        # Add the length in the last 8 bytes
        current = current + original_length_bits.to_bytes(8, 'big')
        yield current
    else:
        # Won't fit! Need two blocks
        # First block: fill the rest with zeros
        current = current + b'\x00' * (64 - len(current))
        yield current
        
        # Second block: 56 zero bytes, then the length
        second_block = b'\x00' * 56 + original_length_bits.to_bytes(8, 'big')
        yield second_block

In [24]:
def test_block_parse():
    """Test block_parse with different message sizes."""
    
    # Test 1: Empty message
    blocks = list(block_parse(b''))
    assert len(blocks) == 1, "Empty message should give 1 block"
    assert len(blocks[0]) == 64, "Block should be 64 bytes"
    assert blocks[0][0] == 0x80, "Should start with 0x80"
    assert int.from_bytes(blocks[0][-8:], 'big') == 0, "Length should be 0"
    
    # Test 2: "abc" - the standard example
    blocks = list(block_parse(b'abc'))
    assert len(blocks) == 1, "'abc' should give 1 block"
    assert blocks[0][:3] == b'abc', "Should start with 'abc'"
    assert blocks[0][3] == 0x80, "Padding at byte 3"
    assert int.from_bytes(blocks[0][-8:], 'big') == 24, "Length should be 24 bits"
    
    # Test 3: 55 bytes - max for one block
    msg = b'A' * 55
    blocks = list(block_parse(msg))
    assert len(blocks) == 1, "55 bytes should fit in 1 block"
    assert blocks[0][:55] == msg, "Should contain full message"
    assert int.from_bytes(blocks[0][-8:], 'big') == 440, "Length should be 440 bits"
    
    # Test 4: 56 bytes - needs 2 blocks
    msg = b'B' * 56
    blocks = list(block_parse(msg))
    assert len(blocks) == 2, "56 bytes needs 2 blocks"
    assert blocks[0][:56] == msg, "First block has message"
    assert int.from_bytes(blocks[1][-8:], 'big') == 448, "Length in second block"
    
    # Test 5: 64 bytes - full block
    msg = b'C' * 64
    blocks = list(block_parse(msg))
    assert len(blocks) == 2, "64 bytes needs 2 blocks"
    assert blocks[0] == msg, "First block is just the message"
    assert blocks[1][0] == 0x80, "Second block starts with padding"
    
    print("All block_parse tests passed")

test_block_parse()

All block_parse tests passed


## Problem 4: Hashes

In [25]:
def hash(current, block):
    """
    Process one 512-bit block and return updated hash state.
    
    Implements SHA-256 hash computation from FIPS 180-4 Section 6.2.2.
    
    Args:
        current: List of 8 integers (current hash state H^(i-1))
        block: 64 bytes (512 bits) representing message block M^(i)
        
    Returns:
        List of 8 integers (new hash state H^(i))
    """
    # K constants from Problem 2
    K = [
        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
        0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
        0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
        0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
        0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
        0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
        0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
        0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
        0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
    ]
    
    # Step 1: Prepare message schedule (64 words)
    W = []
    
    # First 16 words from the block (big-endian)
    for i in range(16):
        word = int.from_bytes(block[i*4:(i+1)*4], 'big')
        W.append(word)
    
    # Extend to 64 words
    for t in range(16, 64):
        s0 = sigma0(W[t-15])
        s1 = sigma1(W[t-2])
        # Addition mod 2^32 (using bitwise AND with 0xFFFFFFFF)
        new_word = (W[t-16] + s0 + W[t-7] + s1) & 0xFFFFFFFF
        W.append(new_word)
    
    # Step 2: Initialize working variables
    a, b, c, d, e, f, g, h = current
    
    # Step 3: Main compression loop (64 rounds)
    for t in range(64):
        T1 = (h + Sigma1(e) + Ch(e, f, g) + K[t] + W[t]) & 0xFFFFFFFF
        T2 = (Sigma0(a) + Maj(a, b, c)) & 0xFFFFFFFF
        
        h = g
        g = f
        f = e
        e = (d + T1) & 0xFFFFFFFF
        d = c
        c = b
        b = a
        a = (T1 + T2) & 0xFFFFFFFF
    
    # Step 4: Update hash value (add working vars to current)
    new_hash = [
        (current[0] + a) & 0xFFFFFFFF,
        (current[1] + b) & 0xFFFFFFFF,
        (current[2] + c) & 0xFFFFFFFF,
        (current[3] + d) & 0xFFFFFFFF,
        (current[4] + e) & 0xFFFFFFFF,
        (current[5] + f) & 0xFFFFFFFF,
        (current[6] + g) & 0xFFFFFFFF,
        (current[7] + h) & 0xFFFFFFFF
    ]
    
    return new_hash

In [26]:
def sha256(message):
    """
    Complete SHA-256 hash using the hash() function.
    
    Demonstrates how hash() is used to process a full message.
    
    Args:
        message (bytes): Message to hash
        
    Returns:
        str: 64-character hex digest
    """
    # Initial hash value H^(0) from FIPS 180-4 Section 5.3.3
    current = [
        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
    ]
    
    # Process each block with hash()
    for block in block_parse(message):
        current = hash(current, block)
    
    # Convert to hex string
    return ''.join(f'{h:08x}' for h in current)

In [27]:
def test_hash():
    """Test the hash function with known values."""
    
    # Initial hash value
    H0 = [
        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
    ]
    
    # Test 1: Process "abc" block
    abc_block = list(block_parse(b'abc'))[0]
    result = hash(H0, abc_block)
    assert len(result) == 8, "Result should have 8 words"
    final = ''.join(f'{h:08x}' for h in result)
    expected = 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
    assert final == expected, "Hash of 'abc' incorrect"
    
    # Test 2: Empty message
    empty_block = list(block_parse(b''))[0]
    result = hash(H0, empty_block)
    final = ''.join(f'{h:08x}' for h in result)
    expected = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
    assert final == expected, "Empty message hash incorrect"
    
    # Test 3: Multi-block message
    msg = b'abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq'
    current = H0
    for block in block_parse(msg):
        current = hash(current, block)
    final = ''.join(f'{h:08x}' for h in current)
    expected = '248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1'
    assert final == expected, "Multi-block hash incorrect"
    
    # Test 4: Single character 'a'
    result = sha256(b'a')
    expected = 'ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb'
    assert result == expected, "Hash of 'a' incorrect"
    
    # Test 5: Numbers
    result = sha256(b'123')
    expected = 'a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3'
    assert result == expected, "Hash of '123' incorrect"
    
    print("All hash tests passed")

test_hash()

All hash tests passed


  new_word = (W[t-16] + s0 + W[t-7] + s1) & 0xFFFFFFFF
  T1 = (h + Sigma1(e) + Ch(e, f, g) + K[t] + W[t]) & 0xFFFFFFFF
  T2 = (Sigma0(a) + Maj(a, b, c)) & 0xFFFFFFFF
  e = (d + T1) & 0xFFFFFFFF
  a = (T1 + T2) & 0xFFFFFFFF
  (current[1] + b) & 0xFFFFFFFF,
  (current[3] + d) & 0xFFFFFFFF,
  (current[5] + f) & 0xFFFFFFFF,
  (current[4] + e) & 0xFFFFFFFF,
  (current[2] + c) & 0xFFFFFFFF,
  (current[0] + a) & 0xFFFFFFFF,
  (current[7] + h) & 0xFFFFFFFF


## Problem 5: Passwords

In [28]:
def sha256_utf8(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Expanded list of common passwords
# Based on NordPass top 200 list and common password patterns
common_passwords = np.array([
    # Top numeric passwords
    "123456",
    "12345678",
    "123456789",
    "1234",
    "12345",
    "1234567890",
    "1234567",
    "123321",
    "123123",
    "000000",
    
    # Common words
    "password",
    "Password",
    "password1",
    "admin",
    "welcome",
    "qwerty",
    "iloveyou",
    "monkey",
    "dragon",
    
    # Special character variations (leetspeak)
    "P@ssw0rd",
    "P@ssword",
    "Pa$$w0rd",
    "Aa123456",
    
    # Food and everyday objects
    "cheese",
    "chocolate",
    "coffee",
    "cookie",
    "orange",
    "pepper",
    "banana",
    
    # Colors and nature
    "purple",
    "silver",
    "sunshine",
    "flower",
    "summer",
    
    # Common names and titles
    "michael",
    "jordan",
    "ashley",
    "nicole",
    
    # Other common patterns
    "letmein",
    "trustno1",
    "baseball",
    "football",
    "master",
    "shadow",
    "superman",
    "batman"
])

# Hashes to crack
target_hashes = {
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8": None,
    "873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34": None,
    "b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342": None
}

# Crack the hashes using dictionary attack
for pwd in common_passwords:
    hashed = sha256_utf8(pwd)
    if hashed in target_hashes:
        target_hashes[hashed] = pwd

# Print results
print("Dictionary Attack Results:")
print("=" * 70)
for h, found_pwd in target_hashes.items():
    if found_pwd:
        print(f"Found: {found_pwd:15} -> {h}")
    else:
        print(f"Not found:          -> {h}")

# Summary
cracked_count = sum(1 for pwd in target_hashes.values() if pwd is not None)
print("=" * 70)
print(f"Successfully cracked {cracked_count} out of 3 passwords")

Dictionary Attack Results:
Found: password        -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Found: cheese          -> 873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34
Found: P@ssw0rd        -> b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342
Successfully cracked 3 out of 3 passwords


In [29]:
# Test Case 1: Verify the first password hash (password)
assert sha256_utf8("password") == \
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", \
    "Test 1 Failed: 'password' hash doesn't match"

# Test Case 2: Verify the second password hash (cheese)
assert sha256_utf8("cheese") == \
    "873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34", \
    "Test 2 Failed: 'cheese' hash doesn't match"

# Test Case 3: Verify the third password hash (P@ssw0rd)
assert sha256_utf8("P@ssw0rd") == \
    "b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342", \
    "Test 3 Failed: 'P@ssw0rd' hash doesn't match"

# Test Case 4: Verify empty string produces correct SHA-256 hash
assert sha256_utf8("") == \
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", \
    "Test 4 Failed: Empty string hash doesn't match"

# Test Case 5: Verify case sensitivity in hashing
assert sha256_utf8("Password") != sha256_utf8("password"), \
    "Test 5 Failed: Hashes should differ based on case"

# Test Case 6: Verify deterministic behaviour (same input = same hash)
hash1 = sha256_utf8("test123")
hash2 = sha256_utf8("test123")
assert hash1 == hash2, \
    "Test 6 Failed: Same input should always produce same hash"

# Test Case 7: Verify that different inputs produce different hashes
assert sha256_utf8("abc") != sha256_utf8("abcd"), \
    "Test 7 Failed: Different inputs should produce different hashes"

# Test Case 8: Verify UTF-8 encoding with special characters
test_hash = sha256_utf8("P@ssw0rd")
assert len(test_hash) == 64, \
    "Test 8 Failed: SHA-256 hash should always be 64 characters"

print("All tests passed successfully!")

All tests passed successfully!


# End