
I am trying to obtain a circuit that computes the SHA256 hash for an input message that is greater than 512 bits.

I understand how the message is to be padded (we append a 1 and then some zeroes, and then the last 64 bits contain the length of the original message and so on).

After I do the padding, I have two 512-bit blocks.

I want to use the circuit (for the compression function) that is provided here:

https://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/

The first 512 wires of the circuit are the input; the last 256 wires are the output. I think I know how to use the circuit for the first block. I can simply feed my first 512-bit block into the first 512 wires of the circuit.

But I am not sure how to proceed for the second block. In particular, I need to update the h0, h1, ..., h7 values but don't know how to, as I cannot identify where the wires corresponding to them are in the circuit.

Any help would be much appreciated.

1 Answer


One can't use the circuit exactly as given.

To build a two-block SHA-256, the second round must be fed as input both the second 512-bit (padded) block and the 256-bit output of the first round. The final hash is then the 256-bit output of the second round.

For the first round, and in the circuit given, the only variable inputs are the 512-bit first block; the other 256 input bits are always set to a constant defined by SHA-256, equal to 0x6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19, and thus these 256 input bits are missing in the equations given.

I guess you'll have to rewrite (or get from another source) the equations of a SHA-256 round from the definition, and then check that when the 256-bit input from the previous round is set to the right constant, your work is equivalent to the equations given.
