# Computational Theory Problems

**Author:** Louise Deeth

**Course:** Computational Theory

This notebook implements the SHA-1 and SHA-256 cryptographic hash algorithms components as specified in the [FIPS 180-4 Secure Hash Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)


In [54]:
# import necessary libraries
import numpy as np
from typing import List

## Problem 1: Binary Words and Operations

Implement the following functions in Python. Use numpy to ensure that all variables and values are treated as 32-bit integers. These functions are defined in the Secure Hash Standard.

1. Parity(x, y, z)
2. Ch(x, y, z) - Choose function
3. Maj(x, y, z) - Majority function  
4. Sigma0(x) - Σ₀²⁵⁶(x)
5. Sigma1(x) - Σ₁²⁵⁶(x)
6. sigma0(x) - σ₀²⁵⁶(x)
7. sigma1(x) - σ₁²⁵⁶(x)

These functions operate on 32-bit unsigned integers and use bitwise operations including AND, OR, XOR, NOT, rotation, and shifting.

### Function 1: Parity(x, y, z)

The Parity() function implements the bitwise XOR of three 32-bit unsigned integers.

This operation outputs a 1 for each bit position where an odd number of bits is 1.

It is used in the SHA-1 hashing algorithm to combine three message words into a new value.

Formula: 
- Secure Hash Standard: $Parity(x, y, z) = x \oplus y \oplus z$
- Python: `Parity(x, y, z) = x ^ y ^ z`

In [55]:
def Parity(x, y, z):
    """
    Parity(x, y, z) 
        
    Performs bitwise XOR operation on three 32-bit unsigned integers. 
    Bitwise XOR is a way to compare 2 numbers bit by bit: if the bits 
    are the same, the output is 0; if they are different, the output is 1.    
    This function is used in the SHA-1 hash algorithm. 

    Parameters
    x, y, z : int
        Three 32-bit unsigned integers.

    Returns
    np.uint32
        The bitwise XOR of x, y and z (Three 32-bit unsigned integers).
    """

    # Convert all inputs to 32-bit unsigned integers.
    # This is important for correct bitwise operations and 
    # ensures that all operations behave like they would in hardware
    x = np.uint32(x)
    y = np.uint32(y)
    z = np.uint32(z)

    # The symbol ^ means bitwise XOR (exclusive OR) in python.
    # np.uint32 ensures the result is a 32-bit unsigned integer 
    # because python handles integers as unlimited size by default.
    # Without np.uint32, the result could be a larger integer than intended.
    # SHA-1 algorithm requires 32-bit unsigned integers for its operations.
    
    # Return the result of the bitwise XOR operation.
    return np.uint32(x ^ y ^ z)

**Example tests:** 
Takes each hex number and converts them to binary and XORs them to give a new 32-bit result hex number which is then converted to decimal.

In [56]:
print("Parity(0x12345678, 0x9abcdef0, 0x0fedcba9) = Hex:", 
      hex(Parity(0x12345678, 0x9abcdef0, 0x0fedcba9)), 
      "or Decimal:", Parity(0x12345678, 0x9abcdef0, 0x0fedcba9))

print(
    "Parity(0xffffffff, 0x00000000, 0x12345678) = "
    f"Hex: {hex(Parity(0xffffffff, 0x00000000, 0x12345678))} "
    f"or Decimal: {Parity(0xffffffff, 0x00000000, 0x12345678)}")

print("Parity(0x0, 0x0, 0x0) = Hex:", 
      hex(Parity(0x0, 0x0, 0x0)), 
      "or Decimal:", Parity(0x0, 0x0, 0x0))

Parity(0x12345678, 0x9abcdef0, 0x0fedcba9) = Hex: 0x87654321 or Decimal: 2271560481
Parity(0xffffffff, 0x00000000, 0x12345678) = Hex: 0xedcba987 or Decimal: 3989547399
Parity(0x0, 0x0, 0x0) = Hex: 0x0 or Decimal: 0


### Function 2: Ch(x, y, z)

The Choose function selects bits from y or z depending on x.

It acts like a bitwise if-else:
- If the bit in x is 1, use the bit from y
- If the bit in x is 0, use the bit from z

This operation is part of the SHA family of cryptographic hash functions and helps mix message bits in a non-linear way.

Formula: 
- Secure Hash Standard: $Ch(x, y, z) = (x \land y) \oplus (\neg x \land z)$
- Python: `Ch(x, y, z) = (x & y) ^ (~x & z)`

In [57]:
def Ch(x, y, z):
    """
    Ch(x, y, z)
    
    The Choose function from the Secure Hash Standard.

    For each bit position:    
        - If the bit in x is 1, use the bit from y
        - If the bit in x is 0, use the bit from z

    Parameters
    x, y, z : int
        Three 32-bit unsigned integers.     

    Returns
    np.uint32
        The result of the Choose function as a 32-bit unsigned integer. 
    """

    # Convert all inputs to 32-bit unsigned integers.
    # This is important for correct bitwise operations and 
    # ensures that all operations behave like they would in hardware
    x = np.uint32(x)
    y = np.uint32(y)
    z = np.uint32(z)

    # Symbols:
    # &  bitwise AND 
    # ~ means bitwise NOT 
    # ^ means bitwise XOR (exclusive OR) 

    # np.uint32 ensures the result is a 32-bit unsigned integer 
    # because python handles integers as unlimited size by default.
    # Without np.uint32, the result could be a larger integer than intended.
    # SHA-256 algorithm requires 32-bit unsigned integers for its operations.
    
    # Return the result of the Choose function operation.
    return np.uint32((x & y) ^ (~x & z))

**Example tests:** Looks at x 

- if the bit in x is 1, the result bit is copied from the corresponding bit in y 
    
- if the bit in x is 0, the result bit is copied from the corresponding bit in z

In [58]:
print("Ch(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0) = Hex:",
      hex(Ch(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0)),
      "or Decimal:", Ch(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0))

print("Ch(0x00000000, 0x12345678, 0x9ABCDEF0) = Hex:",
      hex(Ch(0x00000000, 0x12345678, 0x9ABCDEF0)),
      "or Decimal:", Ch(0x00000000, 0x12345678, 0x9ABCDEF0))

print("Ch(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555) = Hex:",
      hex(Ch(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555)),
      "or Decimal:", Ch(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555))

Ch(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0) = Hex: 0x12345678 or Decimal: 305419896
Ch(0x00000000, 0x12345678, 0x9ABCDEF0) = Hex: 0x9abcdef0 or Decimal: 2596069104
Ch(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555) = Hex: 0xa5a5a5a5 or Decimal: 2779096485


### Function 3: Maj(x, y, z)

The Majority function returns the majority bit among x, y and z for each bit position.

It acts like a bitwise voting system:
- If at least two of the bits are 1, the result bit is 1.
- Otherwise, the result bit is 0.

This operation is part of the SHA family of cryptographic hash functions and helps ensure diffusion by combining bits from multiple variables.

Formula: 
- Secure Hash Standard: $Maj(x, y, z) = (x \land y) \oplus (x \land z) \oplus (y \land z)$
- Python: `Maj(x, y, z) = (x & y) ^ (x & z) ^ (y & z)`

In [59]:
def Maj(x, y, z):
    """
    Maj(x, y, z)
    
    The Majority function from the Secure Hash Standard.

    For each bit position:    
        - If the majority of the bits in x, y, and z are 1, the result is 1
        - If the majority of the bits in x, y, and z are 0, the result is 0     
        
    Parameters
    x, y, z : int

        Three 32-bit unsigned integers.
    Returns
    np.uint32
        The result of the Majority function as a 32-bit unsigned integer.
    """

    # Convert all inputs to 32-bit unsigned integers.
    # This is important for correct bitwise operations and ensures that 
    # all operations behave like they would in hardware
    x = np.uint32(x)
    y = np.uint32(y)
    z = np.uint32(z)

    # The symbol & means bitwise AND in python.
    # The symbol ^ means bitwise XOR in python.
    # np.uint32 ensures the result is a 32-bit unsigned integer because 
    # python handles integers as unlimited size by default.
    # Without np.uint32, the result could be a larger integer than intended.
    # SHA-256 algorithm requires 32-bit unsigned integers for its operations.
    # Return the result of the Majority function operation.
    return np.uint32((x & y) ^ (x & z) ^ (y & z))

**Example tests:**  Looks at x,y and z together for each bit position.

- If at least two bits among x,y and z are 1 -> the result bit is 1
- If fewer than two bits are 1 -> the result bit is 0

This means the function returns the majority bit at each position. 

In [60]:
print("Maj(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0) = Hex:",
      hex(Maj(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0)),
      "or Decimal:", Maj(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0))

print("Maj(0x00000000, 0x12345678, 0x9ABCDEF0) = Hex:",
      hex(Maj(0x00000000, 0x12345678, 0x9ABCDEF0)),
      "or Decimal:", Maj(0x00000000, 0x12345678, 0x9ABCDEF0))

print("Maj(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555) = Hex:",
      hex(Maj(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555)),
      "or Decimal:", Maj(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555))

Maj(0xFFFFFFFF, 0x12345678, 0x9ABCDEF0) = Hex: 0x9abcdef8 or Decimal: 2596069112
Maj(0x00000000, 0x12345678, 0x9ABCDEF0) = Hex: 0x12345670 or Decimal: 305419888
Maj(0xF0F0F0F0, 0xAAAAAAAA, 0x55555555) = Hex: 0xf0f0f0f0 or Decimal: 4042322160


### Helper Function: ROTR(x, n)

The ROTR (Rotate Right) function is a helper function used by the Sigma and sigma functions below.

It performs a circular right shift on a 32-bit unsigned integer, where bits that are shifted off the right end, wrap around to the left end.

This is an operation in SHA-256 that differs from a regular right shift (>>), which fills with zeros.

Formula:
- Secure Hash Standard: $ROTR^n(x) = (x >> n) | (x << (32 - n))$
- Python: ROTR(x, n) = (x >> n) | (x << (32 - n))

In [61]:
def ROTR(x, n):
    """
    ROTR(x, n)
    
    Performs a right rotation (circular right shift) on a 32-bit unsigned integer x by n bits.
    In a right rotation, the bits that are shifted out on the right are reintroduced on the left.

    Parameters
    x : int
        A 32-bit unsigned integer to be rotated.
    n : int
        The number of bits to rotate x to the right.

    Returns
    np.uint32
        The result of the right rotation as a 32-bit unsigned integer.
    """

    # Convert input x to a 32-bit unsigned integer.
    # This ensures correct behavior since Python integers are unlimited size by default
    # Without np.uint32, the result could be a larger integer than intended.
    # SHA-256 algorithm requires 32-bit unsigned integers for its operations.
    x = np.uint32(x)

    # Ensure n is within the range of 0-31
    n = n % 32  

    # Perform the right rotation using bitwise operations.
    # The expression (x >> n) shifts x to the right by n bits.
    # The expression (x << (32 - n)) shifts x to the left by (32 - n) bits.
    # The bitwise OR combines these two results.
    return np.uint32((x >> n) | (x << (32 - n)))

### Function 4: Sigma0(x) 

The Sigma0 function performs three bitwise right rotations on the input x by 2, 13 and 22 bits, and combines them using XOR.

This helps mix the bits of x to increase diffusion in the SHA-256 hash algorithm. This means that a small change in the input produces a large, widespread change in the output. 

Formula: 
- Secure Hash Standard: **$\Sigma_0(x) = ROTR^2(x) \oplus ROTR^{13}(x) \oplus ROTR^{22}(x)$** 
- Python: `Sigma0(x) = ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)`

In [62]:
def Sigma0(x):
    """
    Sigma0(x)
    
    The Sigma0 function from the Secure Hash Standard.

    Performs a series of bitwise rotations and XOR operations on a 
    32-bit unsigned integer.

    Parameters
    x : int
        A 32-bit unsigned integer.

    Returns
    np.uint32
        The result of the Sigma0 function as a 32-bit unsigned integer.
    """
    
    # Perform the bitwise rotations and XOR operations.
    return np.uint32(ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))

**Example Tests:**  Looks at x
- The bits of x are rotated by 2, 13 and 22 positions.
- Each rotated version is combined with XOR.
- The result is a scrambled 32-bit number that spreads the bit information from the original x.

In [63]:
print("Sigma0(0x12345678) = Hex:", 
      hex(Sigma0(0x12345678)), 
      "or Decimal:", Sigma0(0x12345678))    

print("Sigma0(0xFFFFFFFF) = Hex:", 
      hex(Sigma0(0xFFFFFFFF)), 
      "or Decimal:", Sigma0(0xFFFFFFFF))    

print("Sigma0(0x00000000) = Hex:", 
      hex(Sigma0(0x00000000)), 
      "or Decimal:", Sigma0(0x00000000))    

Sigma0(0x12345678) = Hex: 0x66146474 or Decimal: 1712612468
Sigma0(0xFFFFFFFF) = Hex: 0xffffffff or Decimal: 4294967295
Sigma0(0x00000000) = Hex: 0x0 or Decimal: 0


### Function 5: Sigma1(x)

The Sigma1 function performs three bitwise right rotations on the input x by 6, 11 and 25 bits, and combines them using XOR.

This helps further mix the bits of x to increase diffusion in the SHA-256 hash algorithm and ensuring that small input changes cause large changes in the hash output. 

Formula: 
- Secure Hash Standard: $\Sigma_1(x) = ROTR^6(x) \oplus ROTR^{11}(x) \oplus ROTR^{25}(x)$
- Python: `Sigma1(x) = ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)`

In [64]:
def Sigma1(x):
    """
    Sigma1(x)
    
    The Sigma1 function from the Secure Hash Standard.

    Performs a series of bitwise rotations and XOR operations on a 
    32-bit unsigned integer.

    Parameters
    x : int
        A 32-bit unsigned integer.

    Returns
    np.uint32
        The result of the Sigma1 function as a 32-bit unsigned integer.
    """

    # Perform the bitwise rotations and XOR operations.
    return np.uint32(ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))

**Example Tests:**  Looks at x
- The bits of x are rotated by 6, 11 and 25 positions.
- Each rotated version is combined with XOR.
- The result is a scrambled 32-bit number that spreads the bit information from the original x.

In [65]:
print("Sigma1(0x12345678) = Hex:", 
      hex(Sigma1(0x12345678)), 
      "or Decimal:", Sigma1(0x12345678))

print("Sigma1(0x00000000) = Hex:", 
      hex(Sigma1(0x00000000)),
      "or Decimal:", Sigma1(0x00000000))

print("Sigma1(0xFFFFFFFF) = Hex:", 
      hex(Sigma1(0xFFFFFFFF)),
      "or Decimal:", Sigma1(0xFFFFFFFF))    

Sigma1(0x12345678) = Hex: 0x3561abda or Decimal: 895593434
Sigma1(0x00000000) = Hex: 0x0 or Decimal: 0
Sigma1(0xFFFFFFFF) = Hex: 0xffffffff or Decimal: 4294967295


### Function 6: sigma0(x)

The sigma0 function performs two bitwise right rotations and one logical right shift on the input x by 7, 18 and 3 bits, and combines them using XOR.

This function is used during the message schedule step of the SHA-256 algorithm to expand and mix the message words before compression.

Formula: 
- Secure Hash Standard: $\sigma_0(x) = ROTR^7(x) \oplus ROTR^{18}(x) \oplus SHR^3(x)$
- Python: `sigma0(x) = ROTR(x, 7) ^ ROTR(x, 18) ^ (x >> 3)`

In [66]:
def sigma0(x):
    """
    sigma0(x)
    
    The sigma0 function from the Secure Hash Standard.

    Performs a series of bitwise rotations, shifts, and XOR operations 
    on a 32-bit unsigned integer.

    Parameters
    x : int
        A 32-bit unsigned integer.

    Returns
    np.uint32
        The result of the sigma0 function as a 32-bit unsigned integer.
    """
    # Perform the bitwise rotations and right shift operations.
    return np.uint32(ROTR(x, 7) ^ ROTR(x, 18) ^ (x >> 3))

**Example Tests:** Looks at x

- The bits of x are rotated right by 7 and 18, and shifted right by 3.
- These three versions are combined using XOR.
- The result is a scrambled 32-bit number that helps expand the message words and improve diffusion before the main compression step.

In [67]:
print("sigma0(0x12345678) = Hex:", 
      hex(sigma0(0x12345678)), 
      "or Decimal:", sigma0(0x12345678))    

print("sigma0(0xFFFFFFFF) = Hex:", 
      hex(sigma0(0xFFFFFFFF)), 
      "or Decimal:", sigma0(0xFFFFFFFF))        

print("sigma0(0x00000000) = Hex:", 
      hex(sigma0(0x00000000)), 
      "or Decimal:", sigma0(0x00000000))

sigma0(0x12345678) = Hex: 0xe7fce6ee or Decimal: 3892111086
sigma0(0xFFFFFFFF) = Hex: 0x1fffffff or Decimal: 536870911
sigma0(0x00000000) = Hex: 0x0 or Decimal: 0


### Function 7: sigma1(x)

The Sigma1 function performs two bitwise right rotations and one logical right shift on the input x by 17, 19 and 10 bits, and combines them using XOR.

This function is used during the message schedule step of the SHA-256 algorithm to expand and mix the message words before the main compression phase.

Formula: 
- Secure Hash Standard: $\sigma_1(x) = ROTR^{17}(x) \oplus ROTR^{19}(x) \oplus SHR^{10}(x)$
- Python: `sigma1(x) = ROTR(x, 17) ^ ROTR(x, 19) ^ (x >> 10)`

In [68]:
def sigma1(x):
    """
    sigma1(x)
    
    The sigma1 function from the Secure Hash Standard.

    Performs a series of bitwise rotations and right shifts on a 
    32-bit unsigned integer.

    Parameters
    x : int
        A 32-bit unsigned integer.

    Returns
    np.uint32
        The result of the sigma1 function as a 32-bit unsigned integer.
    """
    # Perform the bitwise rotations and right shift operations.
    return np.uint32(ROTR(x, 17) ^ ROTR(x, 19) ^ (x >> 10))

**Example Tests:** Looks at x
- The bits of x are rotated right by 17 and 19, and shifted right by 10.
- These three versions are combined using XOR.
- The result is a scrambled 32-bit number that helps expand the message words and improve diffusion before the main compression step.

In [69]:
print("sigma1(0x12345678) = Hex:", 
      hex(sigma1(0x12345678)), 
      "or Decimal:", sigma1(0x12345678))

print("sigma1(0xFFFFFFFF) = Hex:", 
      hex(sigma1(0xFFFFFFFF)),
      "or Decimal:", sigma1(0xFFFFFFFF))    

print("sigma1(0x00000000) = Hex:", 
      hex(sigma1(0x00000000)),
      "or Decimal:", sigma1(0x00000000))    

sigma1(0x12345678) = Hex: 0xa1f78649 or Decimal: 2717353545
sigma1(0xFFFFFFFF) = Hex: 0x3fffff or Decimal: 4194303
sigma1(0x00000000) = Hex: 0x0 or Decimal: 0


------------------------------------------------------------------------------------------------------------

## Problem 2: Fractional Parts of Cube Roots

**Purpose:** Generate the 64 round constants (K values) used in SHA-256 by extracting the first 32 bits of the fractional parts of the cube roots of the first 64 prime numbers.

**Reference:** FIPS 180-4, Section 4.2.2, Page 11

In [70]:
def primes(n):
    """ 
    Generate a list of the first n prime numbers. A prime number is a
    number greater than 1 that has no positive divisors other than 1 and itself.

    Parameters
    n : int
        The number of prime numbers to generate.

    Returns
    np.ndarray
        A numpy array containing the first n prime numbers.
    """
    
    # Initialize an empty list to store prime numbers
    primes_list = []
    # Start checking for primes from the first prime number
    num = 2

    # Continue until we have found n prime numbers
    while len(primes_list) < n:
        # Check if num is prime by testing divisibility with known primes 
        for p in primes_list:
            # If num is divisible by any prime p, it's not prime
            if num % p == 0:
                break # Not a prime number
        else:  
            # If no divisors were found, num is prime
            primes_list.append(num)
        num += 1

    # Return the list of prime numbers as a numpy array
    # Numpy is needed for vectorized operations like cube roots
    return np.array(primes_list)


In [71]:
# Test the function by generating the first 64 prime numbers
print("First 64 prime numbers:")
print(primes(64))    

First 64 prime numbers:
[  2   3   5   7  11  13  17  19  23  29  31  37  41  43  47  53  59  61
  67  71  73  79  83  89  97 101 103 107 109 113 127 131 137 139 149 151
 157 163 167 173 179 181 191 193 197 199 211 223 227 229 233 239 241 251
 257 263 269 271 277 281 283 293 307 311]


Calculate SHA-256 Round Constants (K values)
 
The process to derive the K constants:
1. Take the cube root of each prime number
2. Extract the fractional part (digits after the decimal point)
3. Scale by 2³² to convert the first 32 bits to an integer
4. Convert to 32-bit unsigned integer format

In [72]:
# Generate the first 64 prime numbers
prime_list = primes(64)

# Calculate the cube roots of the prime numbers
# np.cbrt is more accurate than using ** (1/3)
cube_roots = np.cbrt(prime_list)

# Extract the fractional parts of the cube roots
# np.floor removes the integer part, leaving only the decimal portion
fracs = cube_roots - np.floor(cube_roots)

# Scale the fractional parts to 32-bit unsigned integers
# Multiply by 2^32 to shift the first 32 bits of the fraction into integer range
# dtype=np.uint32 ensures the result is stored as 32-bit unsigned integers
# This is required for SHA-256 which operates on 32-bit words
fracs32 = np.array(fracs * (2**32), dtype=np.uint32)

# Print during testing the fractional parts of the cube roots of the 
# first 64 primes, scaled to 32-bit unsigned integers
# print(fracs32)


Display the results in hexadecimal format

f"0x{val:08x}" formats each value as:
- 0x: hexadecimal prefix
- 08x: 8 hex digits, zero-padded, lowercase

In [73]:
# Convert the 32-bit unsigned integers to hexadecimal format
hex_values = [f"0x{val:08x}" for val in fracs32]
print("\nHexadecimal values:")
for i, val in enumerate(hex_values, start=1):
    print(val, end=" ")
    if i % 4 == 0:  # Start a new line every 4 values
        print()


Hexadecimal values:
0x428a2f98 0x71374491 0xb5c0fbcf 0xe9b5dba5 
0x3956c25b 0x59f111f1 0x923f82a4 0xab1c5ed5 
0xd807aa98 0x12835b01 0x243185be 0x550c7dc3 
0x72be5d74 0x80deb1fe 0x9bdc06a7 0xc19bf174 
0xe49b69c1 0xefbe4786 0x0fc19dc6 0x240ca1cc 
0x2de92c6f 0x4a7484aa 0x5cb0a9dc 0x76f988da 
0x983e5152 0xa831c66d 0xb00327c8 0xbf597fc7 
0xc6e00bf3 0xd5a79147 0x06ca6351 0x14292967 
0x27b70a85 0x2e1b2138 0x4d2c6dfc 0x53380d13 
0x650a7354 0x766a0abb 0x81c2c92e 0x92722c85 
0xa2bfe8a1 0xa81a664b 0xc24b8b70 0xc76c51a3 
0xd192e819 0xd6990624 0xf40e3585 0x106aa070 
0x19a4c116 0x1e376c08 0x2748774c 0x34b0bcb5 
0x391c0cb3 0x4ed8aa4a 0x5b9cca4f 0x682e6ff3 
0x748f82ee 0x78a5636f 0x84c87814 0x8cc70208 
0x90befffa 0xa4506ceb 0xbef9a3f7 0xc67178f2 


Verify against SHA-256 standard - page 11

Compare the generated values with the official K constants

In [74]:
# Official K values from the SHA-256 standard
K_official = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
    0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
    0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
    0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
    0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
    0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
    0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
    0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
    0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
]

# Verify that the generated K values match the official K values
# Use np.array_equal() to perform element-wise comparison of all 64 values at once
# The official list is converted to a numpy array with dtype=np.uint32 to match fracs32
# This ensures proper comparison (both arrays must have the same type and values)
if np.array_equal(fracs32, np.array(K_official, dtype=np.uint32)):
    print("\nSUCCESS: The generated K values match the official K values from SHA-256 standard.")
else:
    print("\nERROR: The generated K values do NOT match the official K values from SHA-256 standard.")



SUCCESS: The generated K values match the official K values from SHA-256 standard.


------------------------------------------------------------------------------------------------------------

## Problem 3: Padding

**Reference:** [FIPS 180-4 Secure Hash Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf), Sections 5.1.1 (Message Padding) and 5.2.1 (Parsing the Message)

In this problem, I implement the SHA-256 preprocessing stage, which prepares any input message for hashing. This involves padding the message to the required format and splitting it into fixed-size blocks suitable for the SHA-256 compression function. 

**Task:**

Write a [generator function](https://realpython.com/introduction-to-python-generators/) `block_parse(msg)` that takes a `bytes` object and processes it according to the SHA-256 padding rules.

The function must output each 512-bit block one at a time using `yield`.

**Requirements:**
- Accept a [bytes object](https://realpython.com/python-bytes/) called `msg` as input
- Pad the message according to SHA-256 rules:
    1. Append a single '1' bit (0x80 byte)
    2. Pad with zeros until length ≡ 448 (mod 512) bits
    3. Append original message length as 64-bit big-endian integer
- Split the padded message into 512-bit (64-byte) blocks
- **Yield** each block as a bytes object

**Note:** The total padded length must be a multiple of 512 bits (64 bytes).

- **Why padding is needed:** It marks where the real message ends so the hash stays correct and secure.
- **Why the last 64 bits store the length:** To prevent [length extension attacks](https://en.wikipedia.org/wiki/Length_extension_attack) where attackers could append extra data.
- **Why big-endian format:** SHA-256 uses big-endian so all computers process data the same way.
- **Why 512-bit blocks:** SHA-256 works on blocks of exactly 512 bits, so the padded message must fit this size.
- **Why use `yield`:** It gives one block at a time, making the function memory efficient and similar to real hashing implementation.

In [75]:
def block_parse(msg: bytes):
    """
    block_parse(msg)
    
    A generator function that parses and pads a message into 512-bit (64-byte) 
    blocks according to SHA-256 preprocessing (FIPS 180-4, sections 5.1.1 & 5.2.1).

    Padding Structure:
    [Original Message][1 bit][0 bits][64-bit message length]

    After padding, the message length must be a multiple of 512 bits.
    Just before adding the 64-bit length field, the padded message must be
    exactly 56 bytes (448 bits) into a block.

    Parameters
    msg : bytes
        The input message as a byte string.

    Yields
    bytes
        Each 512-bit (64-byte) block as a bytes object.
    """

    # Calculate the original message length in bits
    # SHA-256 must store the exact bit length of the original message
    # len(msg) gives the length in bytes, multiply by 8 to convert to bits
    # This is needed for appending the length at the end of padding
    original_bit_len = len(msg) * 8

    # Calculate the number of zero bytes needed for padding
    # We need total length ≡ 448 mod 512 bits (56 mod 64 bytes)
    # After adding 1 byte (0x80) and before adding 8 bytes (length),
    # we need: (len(msg) + 1 + zero_padding) % 64 == 56
    # Solving: zero_padding = (55 - len(msg)) % 64
    zero_padding = (55 - len(msg)) % 64

    # Create the padded message
    padded = (
        msg +
        # Append the bit '1' (0x80 in hex = 10000000 in binary)
        # This represents a single '1' bit followed by seven '0' bits
        # This marks the end of the actual message
        b'\x80' +
        # Append the required number of '0' bits
        b'\x00' * zero_padding +                       
        # Append the original message length as 64-bit (8-byte) integer
        # This must be in big-endian format (most significant byte first)
        # to_bytes(8, byteorder='big') converts the integer to an 8-byte big-endian order
        # This brings the total to a multiple of 512 bits        
        original_bit_len.to_bytes(8, byteorder='big')  
    )

    # Yield each 512-bit block at a time
    # The padded message now has a length that is a multiple of 64 bytes.
    for i in range(0, len(padded), 64):

        # Extract one 512-bit (64-byte) block from the message
        # padded[i:i+64] gets bytes from position i to i+63 (64 bytes total)
        block = padded[i:i+64]

        # Yield this block to the caller
        # Using `yield` makes this a generator function:
        # - Uses less memory (does not create a full list of blocks)
        # - Only generates blocks when needed
        # - Suitable for streaming or large messages
        yield block

**Example tests:**  
These tests verify that `block_parse` correctly pads messages and splits them into 512-bit (64-byte) blocks:
- **Test 1-3:** Basic messages of varying lengths
- **Test 4:** Boundary case - 55 bytes is the maximum that fits in one block
- **Test 5:** Boundary case - 56 bytes requires two blocks
- **Test 6:** Empty message still produces one padded block

In [76]:
def test_block_parse(msg, description):
    """Helper function to test block_parse with a given message."""
    print(f"=== {description} ===")
    for i, block in enumerate(block_parse(msg), 1):
        print(f"Block {i}: {block.hex()}")
        print(f"Length: {len(block)} bytes")
        print(f"32-bit words: {len(block) // 4}")
        print()

# Test 1: Short message - should produce 1 block
test_block_parse(b"abc", "Test 1: Message = 'abc' (3 bytes)")

# Test 2: Exactly 64 bytes - needs padding, so requires 2 blocks
test_block_parse(b"a" * 64, "Test 2: Message = 'a' * 64 (64 bytes)")

# Test 3: Longer message - should produce 2 blocks
test_block_parse(b"a" * 100, "Test 3: Message = 'a' * 100 (100 bytes)")

# Test 4: Maximum length that fits in 1 block (55 + 1 + 8 = 64)
test_block_parse(b"a" * 55, "Test 4: Message = 'a' * 55 (55 bytes - boundary)")

# Test 5: Minimum length that requires 2 blocks (56 + 1 + 8 > 64)
test_block_parse(b"a" * 56, "Test 5: Message = 'a' * 56 (56 bytes - requires 2 blocks)")

# Test 6: Empty message - should still produce 1 block with padding
test_block_parse(b"", "Test 6: Empty Message")

=== Test 1: Message = 'abc' (3 bytes) ===
Block 1: 61626380000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018
Length: 64 bytes
32-bit words: 16

=== Test 2: Message = 'a' * 64 (64 bytes) ===
Block 1: 61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
Length: 64 bytes
32-bit words: 16

Block 2: 80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200
Length: 64 bytes
32-bit words: 16

=== Test 3: Message = 'a' * 100 (100 bytes) ===
Block 1: 61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
Length: 64 bytes
32-bit words: 16

Block 2: 61616161616161616161616161616161616161616161616161616161616161616161616180000000000000000000000000000000000000000000000000000320
Length: 64 bytes
32-bit words: 16


------------------------------------------------------------------------------------------------------------

## Problem 4: Hashes

**Reference:** [FIPS 180-4 Secure Hash Standard](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf), Section 6.2.2 (SHA-256 Compression Function)

For a step-by-step walkthrough, see [Boot.dev: How SHA-2 Works Step-by-Step](https://blog.boot.dev/cryptography/how-sha-2-works-step-by-step-sha-256/).

In this problem, I implement the SHA-256 compression function that processes a single 512-bit message block and updates the hash value.

**Task:**

Write a function `sha256_hash(current, block)` that calculates the next hash value given the current hash value and the next message block.

**Algorithm Overview (Section 6.2.2):**

1. **Prepare the message schedule W:** 
   Expand the 16 input words of the block into 64 words using the functions  
   `σ₀` and `σ₁` (lowercase sigma).
2. **Initialize working variables:**  
   Load the current hash values into the variables `a` to `h`.
3. **Perform 64 rounds:**  
   For each round, compute:
   - `T1 = h + Σ₁(e) + Ch(e, f, g) + K[t] + W[t]`  
   - `T2 = Σ₀(a) + Maj(a, b, c)`  

   Then rotate the working variables:  
   `h←g, g←f, f←e, e←d+T1, d←c, c←b, b←a, a←T1+T2`

4. **Compute the updated hash state:**  
   Add the working variables back into the previous hash value modulo 2³².

**Dependencies:**
- Logical functions from **Problem 1**:  
  `Ch`, `Maj`, `Sigma0`, `Sigma1`, `sigma0`, `sigma1`
- Round constants from **Problem 2**:  
  `K` (64 SHA-256 constants)
- Block parser from **Problem 3**:  
  `block_parse` (for testing across multiple blocks)

**Output:**

The function should return a NumPy array of eight 32-bit unsigned integers
representing the updated hash state after processing the block.

In [77]:
def sha256_hash(current, block):
    """
    Implements the SHA-256 compression function (FIPS 180-4, Section 6.2.2).

    Parameters
    ----------
    current : np.ndarray
        The current hash state (eight 32-bit words).
    block : bytes
        A 512-bit (64-byte) message block.

    Returns
    -------
    np.ndarray
        The updated hash state (eight 32-bit words).
    """
    # Use the K constants computed in Problem 2
    K = fracs32

    # Step 1: Prepare message schedule W (Section 6.2.2, step 1)
    # Convert block to array of 16 uint32 values (big-endian)
    M = np.frombuffer(block, dtype='>u4')
    
    # Create message schedule array W with 64 entries
    W = np.zeros(64, dtype=np.uint32)

    # First 16 words come directly from the message block
    for t in range(16):
        W[t] = M[t]

    # Remaining 48 words computed using lowercase sigma functions
    for t in range(16, 64):
        W[t] = (int(sigma1(W[t - 2])) + int(W[t - 7]) + int(sigma0(W[t - 15])) + int(W[t - 16])) & 0xFFFFFFFF
    
    # Step 2: Initialize working variables (Section 6.2.2, step 2)
    a = int(current[0])
    b = int(current[1])
    c = int(current[2])
    d = int(current[3])
    e = int(current[4])
    f = int(current[5])
    g = int(current[6])
    h = int(current[7])

    # Step 3: Perform 64 rounds of compression (Section 6.2.2, step 3)
    for t in range(64):
        T1 = (h + int(Sigma1(e)) + int(Ch(e, f, g)) + int(K[t]) + int(W[t])) & 0xFFFFFFFF
        T2 = (int(Sigma0(a)) + int(Maj(a, b, c))) & 0xFFFFFFFF
        h = g
        g = f
        f = e
        e = (d + T1) & 0xFFFFFFFF
        d = c
        c = b
        b = a
        a = (T1 + T2) & 0xFFFFFFFF

    # Step 4: Compute new hash value (Section 6.2.2, step 4)
    return np.array([
        (int(current[0]) + a) & 0xFFFFFFFF,
        (int(current[1]) + b) & 0xFFFFFFFF,
        (int(current[2]) + c) & 0xFFFFFFFF,
        (int(current[3]) + d) & 0xFFFFFFFF,
        (int(current[4]) + e) & 0xFFFFFFFF,
        (int(current[5]) + f) & 0xFFFFFFFF,
        (int(current[6]) + g) & 0xFFFFFFFF,
        (int(current[7]) + h) & 0xFFFFFFFF,
    ], dtype=np.uint32)

### Initial Hash Value

The initial hash value H⁽⁰⁾ consists of the first 32 bits of the fractional parts of the **square roots** of the first 8 prime numbers ([Section 5.3.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf)).

In [78]:
# Initial hash value H(0) - Section 5.3.3
# First 32 bits of fractional parts of square roots of first 8 primes
H_initial = np.array([
    0x6a09e667,
    0xbb67ae85,
    0x3c6ef372,
    0xa54ff53a,
    0x510e527f,
    0x9b05688c,
    0x1f83d9ab,
    0x5be0cd19
], dtype=np.uint32)

### Complete SHA-256 Function

This function combines `block_parse` from Problem 3 and `sha256_hash` to compute the full SHA-256 hash of any message.

In [79]:
def sha256(msg: bytes) -> str:
    """
    Computes the SHA-256 hash of the input message.

    Parameters
    ----------
    msg : bytes
        The input message as a byte string.

    Returns
    -------
    str
        The SHA-256 hash as a 64-character hexadecimal string.
    """
    # Start with the initial hash value
    # H = current hash state
    H = H_initial.copy()

    # Process each 512-bit block
    for block in block_parse(msg):
        H = sha256_hash(H, block)

    # Convert final hash state to hexadecimal string
    return ''.join(f'{word:08x}' for word in H)


### Testing Against Known Values

Verify the implementation against [known SHA-256 test vectors](https://www.di-mgt.com.au/sha_testvectors.html).

In [80]:
# Test 1: "abc"
result = sha256(b"abc")
expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
print(f"SHA-256('abc'):")
print(f"  Result:   {result}")
print(f"  Expected: {expected}")
print(f"  Match: {result == expected}")

# Test 2: Empty string
result = sha256(b"")
expected = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
print(f"\nSHA-256(''):")
print(f"  Result:   {result}")
print(f"  Expected: {expected}")
print(f"  Match: {result == expected}")

# Test 3: Longer message (requires 2 blocks)
result = sha256(b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")
expected = "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"
print(f"\nSHA-256('abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq'):")
print(f"  Result:   {result}")
print(f"  Expected: {expected}")
print(f"  Match: {result == expected}")

SHA-256('abc'):
  Result:   ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  Expected: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
  Match: True

SHA-256(''):
  Result:   e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  Expected: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  Match: True

SHA-256('abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq'):
  Result:   248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1
  Expected: 248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1
  Match: True


------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------

## End