2009 WASE International Conference on Information Engineering
Design and Implementation of Reconfigurable Security Hash Algorithms
based on FPGA
LI Miao, XU Jinfu, YANG Xiaohui, YANG Zhifeng
Institute of Electronic Technology, Information Engineering University,
ZhengZhou, China
E-mail: limiao830226@yahoo.cn
Abstract—Today, security is a topic which attacks the great
interest of researchers. Many encryption algorithms have been
investigated, and developed in the last years. Hash functions
are important security primitives used for authentication and
data integrity. The reconfigurable cryptographic chip is an
integrated circuit that is designed by means of the method of
reconfigurable architecture, and is used for encryption and
decryption. It can implement many different cipher algorithms
flexibly and quickly, and be used in many fields. This work is
related to hash functions FPGA implementation. Five different
hash functions SHA-1, SHA-224, SHA-256, SHA-384 and
SHA-512 are studied. A reconfigurable architecture is
proposed for the implementation of all of them in the same
hardware module. Finally, it gives the implementation results
based on the FPGA of the family of Stratix II of Altera
Corporation. The proposed system reaches throughput values
equal to 727.853Mbps for SHA-1, 909.816Mbps for SHA-
224/256, and 1.456Gbps for SHA-384/512 respectively.
Reconfigurable cryptographic chip, SHA-1/224/256/384/512,
FPGA
I. INTRODUCTION
NIST (The National Institute of Standards and
Technology) standardized a 160-bit hash function SHA
(Secure Hash Algorithm) for the use with a digital signature
algorithm DSS (Digital Signature Standard) in 1993. Soon
after that, a way was found to cause collisions in the
compression function by analyzing the message expansion
function. In order to counter this, SHA was modified to
SHA-1. In 2001, NIST standardized the new block cipher
AES to replace the DES that had been used for more than 20
years. AES supports three key lengths: 128, 192, and 256
bits, whose security levels are higher than SHA-1. In order to
match these security levels, NIST developed three new hash
functions SHA-256, -384, and -512 whose hash value sizes
are 256, 384, and 512 bits respectively. These hash functions
are standardized with SHA-1 as SHS (Secure Hash
Standard), and a 224-bit hash function, SHA-224, based on
SHA-256, was added to SHS in 2004[1].
Reconfigurable crypto chip[2] deals with data with
cryptographic algorithms based on reconfigurable design
idea. Its logic circuits can be reorganized to form different
circuit structures and implement different functions, so as to
match different cryptographic algorithms. Moreover,
reconfigurable architecture is based on the fact that some
hardware resources can be reused in different applications, of
which it consumes are less than the sum of that application
978-0-7695-3679-8/09 $25.00 © 2009 IEEE 381
DOI 10.1109/ICIE.2009.278
specific chip takes for every algorithm separately. The
advantage of reconfigurable crypto chip combines flexibility
of implementing many cryptographic algorithms and ease of
upgrade with the improved physical security and
performance that characterize hardware implementations.
The purpose of this paper is to present a hardware
implementation of the above five hash algorithms, with the
scope of reconfigurable design of computation. We have
devised means to reach the scope that, to our knowledge, are
new and efficient. We don’t yet reach the level of a physical
layout of the circuit, having proved the functionality and the
efficiency at the level of simulation and hardware synthesis.
This paper is organized as follows: in Section II the five
hash algorithms SHA-1, SHA-224, SHA-256, SHA-384 and
SHA-512 are introduced. In the next section the
reconfigurable design for these hash functions is presented in
detail. The implementation results are given in Section IV.
Finally, conclusions are discussed in the last section.
II. SHA-1/224/256/384/512 ALGORITHM
SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512[3]
are iterative, one-way security hash functions that can
process a message to produce a condensed representation.
When a message of any length less than 264 bits (for SHA-
1/224/256) or less than 2128 bits (for SHA-384/512) is input
to a hash algorithm, the result is an output called a message
digest. The message digests range in length from 160 to 512
bits, depending on the algorithms. Secure hash algorithms
are typically used with other cryptographic algorithms, such
as digital signature algorithms and keyed-hash message
authentication codes, or in the generation of random numbers
(bits).
The five hash algorithms are called secure because, for a
given algorithm, it is computationally infeasible 1) to find a
message that corresponds to a given message digest, or 2) to
find two different messages that produce the same message
digest. Any change to a message will, with a very high
probability, result in a different message digest. This will
result in a verification failure when the secure hash algorithm
is used with a digital signature algorithm or a keyed-hash
message authentication algorithm. Given these properties,
the hash calculation becomes an essential service to be
provided in electronic mail, e-commerce, financial
transactions, and software distribution.
Each algorithm can be described in two stages:
preprocessing and hash computation. Preprocessing involves
padding a message, parsing the padded message into m-bit
blocks, and setting initialization values to be used in the hash
computation. The hash computation generates a message
schedule from the padded message and uses that schedule,
along with functions, constants, and word operations to
iteratively generate a series of hash values. The final hash
value generated by the hash computation is used to
determine the message digest. Fig. 1 shows the single step of
SHA-1 and SHA-224/256/384/512 operation [4].
III. RECONFIGURABLE DESIGN
For SHA-1, SHA-224, SHA-256, SHA-384 and SHA-
512, the constant Kt storage module, hash value shift
registers, basic function operation module, Wt generation
circuit and CSA (Carry Save Adder) in the data-path are all
reused components. Our design makes full use of the
reconfigurable character of FPGA to implement these
reconfigurable modules.
From analysis of the constants Kt and the initialization
hash values of the five algorithms, we find that only storing
constants of 4 32-bit for SHA-1 and 80 64-bit for SHA-
384/512, and initialization values of 5 32-bit for SHA-1 and
16(8+8) 64-bit for SHA-384/512 can make the constant Kt
storage module and hash value shift registers reusable and
saving a lot of storage space.
Ch ( x, y, z ) , Maj ( x, y, z ) of SHA-1 and SHA-
224/256/384/512 are the same in structure, but only the bit
lengths of parameters are different. The other 2 round
functions of SHA-1 are the same, so they can be come down
to one function Parity ( x, y, z ) . The other 4 basic
( 256 ) ( 256 )
functions ∑ 0 ( x ) , ∑1 ( x ) , σ 0( 256) ( x )
SHA-224/256/384/512 are structural sameness, only the bit
lengths of parameters and shift numbers are different.
Through the signal “Sel”, we can choose corresponding
functions, bit lengths of parameters and shift numbers of
different algorithms to implement reconfigurable design.
(a)
∑1
∑0
(b)
Figure 1. Single step of SHA-1(a), SHA-224/256/384/512(b) Operation
We will present the reconfigurable modules of Wt
generation circuit and CSA in the data-path in detail.
A. Wt Unit architecture
According to the algorithms, in the first 16
steps, Wt = M t , the remaining Wt’s depend on different
algorithms. For SHA-1 the remaining Wt can be figured out
and σ 1( by formula
256 )
( x ) of
Wt = (Wt − 3 ⊕ Wt −8 ⊕ Wt −14 ⊕ Wt −16 ) <<< 1 (1)
and for SHA-224/256/384/512 the remaining Wt can be
calculated by formula
Wt = σ 1 (Wt − 2 ) + Wt − 7 + σ 0 (Wt −15 ) + Wt −16
(2)
SHA-1/384/512 have 80 Wt’s, and SHA-224/256 have 64
Wt’s. Wt’s of SHA-1/224/256 are 32-bit, and those of SHA-
384/512 are 64-bit.
The internal structure of the Wt unit for SHA-1, SHA-
224, SHA-256, SHA-384 and SHA-512 consists of shift
32 64
register, multiplexers, addition modulo 2 /2 module,
XOR module, circular shift circuit and Wt register[5]. By
using the multiplexers, the 16 64-bit registers reconfigurable
computation is realized. For the first 16 step values, the
select control to the multiplexer selects the 32/64-bit word
from the 512/1024-bit data block as input to the first register
and the Wt register. For t > 16 the input is a function on
previous value in the registers.
32 64
Optimize addition modulo 2 /2 module of SHA-
224/256/384/512 further. We adopt coupling structure of
two levels of CSA and one CLA(Carry Lookahead Adder)
to reduce original delay of nine levels of CSA(delay of one
CLA is equal to that of three levels of CSA) to five levels,
which improving the speed of Wt generation circuit. Fig. 2
presents Wt architecture of SHA-1/224/256/384/512
adopting CSA.
382
 σ0 σ1

Figure 2. SHA-1/224/256/384/512 Wt architecture adopting CSA

Moreover, the logic functions and input registers the five

B. Data-path implementation algorithms used are not the same, so it needs to calculate
In this section, the 8 64-bit registers (A, B, C, D, E, F, G, different function values in advance, and then enter CSA
H) to hold the initial, intermediate and final results of the based on the selected algorithm.
hash values are designed. For SHA-1, 5 of 8 64-bit registers The sequential addition unit we design in this paper
(A, B, C, D, E, H) are used, of which the low 32-bit are adopts 6 64-bit CSAs, 3 64-bit CLAs and 5 additional
needed and the high 32-bit are set 0’s. For SHA-224 and multiplexers to compute At+1 and Et+1 at the same time.
SHA-256, the low 32-bit of 8 64-bit registers are used for This architecture realizes the reuse of CSA to different
saving hash values, and the high 32-bit are set 0’s. For algorithms and different registers, and saves hardware
SHA-384 and SHA-512, the 64-bit of 8 registers are fully resources efficiently. Fig. 3 is the sequential addition unit
utilized. When the signal “RESET” is available, the adopting CSA.
registers are initialized, depending on different algorithms.
The key of designing the data-path is the calculation of IV. IMPLEMENTATION RESULTS
A register for every step. For SHA-1, the new data A is FPGA is a reconfigurable device which is an attractive
calculated by the following equation: option for hardware implementation as it provides the
At +1 = (( At <<< 5) + f t ( Bt , Ct , Dt ) + Et + Wt + K t ) mod 232 flexibility of dynamic system evolution as well as the ability
(3) to easily implement a broad range of algorithms. FPGA has
For SHA-224 and SHA-256, the equation is the potential for fast, low lost, reprogramming and
At +1 = ( H t + ∑1 ( Et ) + Ch( Et , Ft , Gt ) + K t + Wt experimental testing of a large number of various
(4) architectures and revised versions of the same
+ ∑ 0 ( At ) + Maj ( At , Bt , Ct )) mod 232 architecture[7].
And for SHA-384 and SHA-512, the equation is
At +1 = ( H t + ∑1 ( Et ) + Ch( Et , Ft , Gt ) + K t + Wt
(5) Kt Wt H G FE B CD A
+ ∑ 0 ( At ) + Maj ( At , Bt , Ct )) mod 264
The operands At, Bt, Ct, Dt, Et, Ft, Gt, Ht represent 512-
Ch Ch ∑1
<<<5 Maj ∑0
bit buffer value ABCDEFGH, Wt and Kt are constants at t Sel
time. At+1 represents value of register A at t+1 time[5]. CSA
Sel Sel
The critical path is to calculate At+1. It needs to
complete multiple multivariable logic functions and CSA
multiple sequential 32/64-bit additions. The calculation of
At+1 includes nonlined functions, addition and shift CSA
operations. Nonlined function is just switching between
inputs and outputs, only needs combinational logic circuits
CSA CSA
of little delay. The shift operation only takes routing
resources and also has little effect on the speed of the circuit. CLA CSA
The bottleneck to speed of execution of the five algorithms
is the time taken to perform additions. To mitigate loss of Sel CLA CLA
speed of execution due to addition of values in each single
step round shown in Fig. 1, a CSA is implemented to Et+1 Sel
increase the speed of execution[6].
At+1
SHA-1 executes 5 32-bit sequential addition, while
SHA-224/256 execute 7 32-bit sequential addition, and
SHA-384/512 execute 7 64-bit sequential addition. Figure 3. Sequential Addition Unit adopting CSA

383
 TABLE I. SHA-1/224/256/384/512 IMPLEMENTATION RESOURCES AND PERFORMANCES
Maximum Frequency Resource Throughput(Mbps)
Device
(MHz) ALUT registers Pin SHA-1 SHA-224/256 SHA-384/512
EP2S15F484C3 105.664 5887 2124 136 727.853 909.816 1455.706

TABLE II. COMPARISON OF SHA-1/224/256/384/512 AND FIVE ALGORITHMS RESOURCES UTILIZATION

Algorithm
SHA-1/224
SHA-1 SHA-224 SHA-256 SHA-384 SHA-512
/256/384/512
Resource

ALUT 1131 2150 2150 4289 4316 5887

registers 874 1066 1066 2129 2126 2124

Pin 69 69 69 133 133 136

Maximum Frequency
171.821 136.780
(MHz)
After accomplishing the architectural design, each
algorithm is implemented as an RTL description using
Verilog language. The design process continues with the
compile using Quartus II 6.0, the simulation using
Modelsim SE 6.0c and the synthesis using Simplify Pro
8.1[8]. Finally, Altera’s Stratix II[9] family is chosen as the
target FPGA. The implemented design is verified to be FIPS
180-3 compliant. The feature of the designed reconfigurable
SHA-1/224/256/384/512 cryptographic chip is shown in
Table I.
The implementation of SHA-1/224/256/384/512
algorithms with the thought and method of the
reconfigurable architecture can reduce hardware resources
efficiently. In the case of same architecture of the
reconfigurable SHA-1/224/256/384/512 design, the hardware
resources needed in SHA-1/224/256/384/512, SHA-1, SHA-
224, SHA-256, SHA-384 and SHA-512 cryptographic chip
are compared in Table II. The selected target FPGA is
EP2S15F484C3 of Stratix II.
V. CONCLUSIONS
In this paper, a new reconfigurable architecture to reduce
the chip size by using the reusable blocks has been
presented. A reconfigurable SHA-1/224/256/384/512
cryptographic chip is designed and mapped in FPGA. The
proposed architecture can be reconfigured at runtime to
perform one of the five hash functions. The results of our
work show that the proposed reconfigurable architecture has
a balance between area and throughput.
The reconfigurable cryptographic chip is innovative. It
overcomes the disadvantage of specific cryptographic chip
that can only implement given cryptographic algorithm, and
users can select needed algorithms or design new algorithms
flexibly and expediently. This can improve the flexibility,
safety and expansibility of cryptographic system well, and
143.164 128.584 127.535 105.664
provide a good solution to the practical IPSEC chip
implementation through the performance results. The
reconfigurable cryptographic chip can be widely applied for
financial and other electronic transactions as well as
authentication purposes in a number of communication
protocols. At the same time, a good trend for researching in
saving hardware resources is also presented in this paper.
REFERENCES
[1] Akashi Satoh, Tadanobu Inoue. ASIC-Hardware-Focused
Comparison for Hash Functions MD5, RIPEMD-160, and
SHS. Proceedings of the International Conference on
Information Technology: Coding and Computing (ITCC’05),
2005.
[2] Renchrr M, Hutchincs B L. Automated target recognition on
SPLASH2. IEEE Symposium on Field-Programmable Custom
Computing Machine, 1997: 192-200.
[3] National Institute of Standards and Technology. Announcing
the Secure Hash Standard. FIPS 180-3, 2007 June.
[4] W.Stallings. Cryptography and Network Security[M]. 1999
Prentice-Hall, Inc. Upper Saddle River, New Jersey 07458.2nd
Edition
[5] Yang Xiaohui, Dai Zibin, Liu Yuanfeng & Wang Ting.
Researching and implementation of reconfigurable Hash chip
based on FPGA. Journal of Systems Engineering and
Electronics, Vol. 18, No. 1, 2007, pp. 183～187.
[6] Behrooz Parhami. Computer arithmetic: algorithms and
hardware design. Oxford University Press, 1999.
[7] Gaj K, Chodowiec P. Comparison of the hardware
performance of the AES candidates using configurable
hardware. http://csrc.nist .gov/encryption/aes/round2/
[8] Diez J M. Hash algorithms for cryptographic protocols: FPGA
implementations. 10th Telecommunications Forum
TELFOR’2002, Belgrade, Yugoslavia, 2002:26-28.
[9] Altera Corporation. Stratix II Architecture.
http://www.Altera.com. 2004.

384