1. Field
Embodiments relate to processors. In particular, embodiments relate to processors to execute instructions to process the BLAKE secure hashing algorithm.
2. Background Information
Cryptographic hash functions are widely used in electronic devices. A message or input data may be input to the cryptographic hash function, the message or input data may be processed, and a cryptographic hash may be output. The cryptographic hash is sometimes referred to as a message digest, a digest, or a hash. The cryptographic hash functions generally are such that a change to the input data will also change the output hash. Cryptographic hash functions are commonly used for security, authentication, verification, or identification. Examples of particular applications of cryptographic hash functions include, but are not limited to, use in generating digital signatures, message authentication codes, verifying the integrity of files or messages, identifying files or data, and pseudorandom generation and key derivation.
BLAKE is a family of hash functions or algorithms that are among five finalists to be selected for SHA-3 by the National Institute of Standards and Technology (NIST). BLAKE is described in SHA-3 proposal BLAKE, by Jean-Philippe Aumasson et al., version 1.3, Dec. 16, 2010. BLAKE includes four hash functions known as BLAKE-224, BLAKE-256, BLAKE-384, and BLAKE-512. BLAKE-256 is a 32-bit version of the algorithm. BLAKE-224 is derived from BLAKE-256 using different initial values, different padding, and truncating the output or digest from 256-bits to 224-bits. BLAKE-512 is a 64-bit version of the algorithm. BLAKE-384 is derived from BLAKE-512 using different initial values, different padding, and truncating the digest from 512-bits to 384-bits. Table 1 lists properties of the four BLAKE hash functions.
TABLE 1 (sizes in bits)
Hash Function   Word Size   Salt Size   Block   Message Size   Digest
BLAKE-224       32          128         512     <2^64          224
BLAKE-256       32          128         512     <2^64          256
BLAKE-384       64          256         1024    <2^128         384
BLAKE-512       64          256         1024    <2^128         512
FIG. 1 is a block diagram illustrating the construction of the BLAKE secure hashing algorithm 100. The construction is that of a local wide-pipe and includes an initialization stage 101, followed by a number of rounds 102, followed by a finalization stage 103. The iteration mode of BLAKE is HAIFA. Its compression function depends on an optional salt and a counter representing the number of bits hashed so far. In the initialization stage, an inner state is initialized from an initial chain value, an optional salt, a counter, and constants. Following the initialization stage, a number of message-dependent rounds are employed and a different message representing the data to be hashed is introduced into each of the rounds. In the illustration, a first round 102-1 receives a first message, a second round 102-2 receives a second message, and an Nth round 102-N receives an Nth message. BLAKE permits a variable number of rounds. Often, at least ten or more rounds are recommended, although this is an implementation choice. In the finalization stage 103, the intermediate hash is finally compressed to return the next chain value. The last chain value represents the final hash.
FIG. 2 illustrates a BLAKE hashing algorithm state matrix 104. The state matrix is used during the rounds of the BLAKE hashing algorithm. The state matrix includes a four row-by-four column (4×4) matrix of state words. These state words are labeled from left-to-right and top-to-bottom as v0-v15. In BLAKE-224 and BLAKE-256 each of these words is 32-bits. In BLAKE-384 and BLAKE-512 each of these words is 64-bits.
FIG. 3 is a block diagram illustrating that a round 302 of the BLAKE secure hashing algorithm includes a column step 305 followed by a diagonal step 306. The term “step” is used in the BLAKE SHA-3 proposal, and is used herein for consistency, rather than to imply a “step for performing” interpretation. In the column step, all four columns are updated by application of a BLAKE compression G function. The BLAKE compression G function will be referred to herein simply as the G function. The G function takes four input state words (i.e., a, b, c, d), as in the expression G(a, b, c, d), and produces four corresponding output updated state words (i.e., a′, b′, c′, d′).
In a given round of BLAKE, the column step involves four instances of the G function (G0-G3), each evaluated with state words from a different one of the four columns of the state matrix. G0 is evaluated with v0, v4, v8, and v12. G1 is evaluated with v1, v5, v9, and v13. G2 is evaluated with v2, v6, v10, and v14. G3 is evaluated with v3, v7, v11, and v15. The subsequent diagonal step of the same round involves an additional four instances of the G function (G4-G7) each evaluated with state words from a different one of four (in some cases disjoint) “diagonals” of the state matrix. The state matrix used by the diagonal step is the updated state matrix resulting from the column step. G4 is evaluated with v0, v5, v10, and v15. G5 is evaluated with v1, v6, v11, and v12. G6 is evaluated with v2, v7, v8, and v13. G7 is evaluated with v3, v4, v9, and v14. The algorithm iterates between column steps and diagonal steps for as many rounds as are used in the particular implementation. Each of these G functions involves a number of instructions.
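The column and diagonal schedule described above can be written as one index formula, and because the four G instances inside a step touch disjoint state words they can be evaluated in any order (or in parallel lanes). The following C sketch is an added example, not code from this document or from the BLAKE authors: the G body uses the BLAKE-256 rotation amounts from the SHA-3 proposal, and the names g_index, step, blake256_round and the in[] array of pre-mixed message/constant words are hypothetical.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rotr32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
/* BLAKE-256 G on v[a], v[b], v[c], v[d]. x and y stand for the two
 * message-xor-constant inputs; choosing them is outside this sketch. */
static void blake256_g(uint32_t v[16], int a, int b, int c, int d,
                       uint32_t x, uint32_t y)
{
    v[a] += v[b] + x;  v[d] = rotr32(v[d] ^ v[a], 16);
    v[c] += v[d];      v[b] = rotr32(v[b] ^ v[c], 12);
    v[a] += v[b] + y;  v[d] = rotr32(v[d] ^ v[a], 8);
    v[c] += v[d];      v[b] = rotr32(v[b] ^ v[c], 7);
}

/* State-word index that G_i (i = 0..7) takes from a given row (0..3).
 * Column step (i < 4): the same column in every row.
 * Diagonal step (i >= 4): the column moves right by one per row, wrapping. */
int g_index(int i, int row)
{ return 4 * row + ((i < 4) ? i : ((i - 4) + row) % 4); }

/* One step: four G instances, evaluated in the order given by order[]. */
static void step(uint32_t v[16], int first_g, const uint32_t in[16], const int order[4])
{
    for (int k = 0; k < 4; k++) {
        int i = first_g + order[k];
        blake256_g(v, g_index(i, 0), g_index(i, 1), g_index(i, 2), g_index(i, 3),
                   in[2 * i], in[2 * i + 1]);
    }
}

/* One round: column step (G0-G3), then diagonal step (G4-G7). */
void blake256_round(uint32_t v[16], const uint32_t in[16], const int order[4])
{ step(v, 0, in, order); step(v, 4, in, order); }

/* Returns 1 if evaluating each step's G instances in reverse gives the same state. */
int round_is_order_independent(void)
{
    static const int fwd[4] = {0, 1, 2, 3}, rev[4] = {3, 2, 1, 0};
    uint32_t a[16], b[16], in[16];
    for (int i = 0; i < 16; i++) {            /* constructed sample values */
        a[i] = b[i] = 0x9E3779B9u * (uint32_t)(i + 1);
        in[i] = 0x01234567u ^ (0x11111111u * (uint32_t)i);
    }
    blake256_round(a, in, fwd);
    blake256_round(b, in, rev);
    return memcmp(a, b, sizeof a) == 0;
}
```

The ordering between the two steps still matters: the diagonal step reads the state the column step produced, so only the G instances within one step are independent.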