Journal of Information Assurance and Security 2 (2008) 147-158
Architectural design features of a programmable
high throughput reconfigurable SHA-2 Processor
Medien Zeghid1,2, Belgacem Bouallegue1,2, Mohsen Machhout1, Adel baganne2 and Rached Tourki1
1
Electronics and Micro-Electronics Laboratory, Faculty of Sciences of Monastir,
Monsatir 5000, Tunisia,
[email protected]
2
Laboratoire d'Electronique des Systèmes TEmps Réel (LESTER), University of South Brittany,
BP 92116 – 56321, Lorient, France.
[email protected]
Abstract: The continued growth of both wired and wireless
communications has triggered the revolution for the generation of
new cryptographic algorithms. Hash functions are common and
important cryptographic primitives, which are very critical for data
integrity assurance and data origin authentication security services.
Many hash algorithms have been investigated and developed in the
last years. This work is related to hash functions FPGA
implementation. SHA-2 hash family is a new standard in the
widely used hash functions category. An architecture and the
FPGA implementation of this standard are proposed in this work.
We propose a reconfigurable SHA-2 processor in the sense that it
performs the two hash functions (256, and 512) of the SHA-2
standard for extended signature authentication. This paper
investigates optimizations techniques that have recently been
proposed in the literature. These techniques consist mostly in
operation rescheduling and hardware reutilization, allowing a
significant reduction of the critical path while the required area also
decreases. As several 64-bit adders are needed in SHA-512 hash
value computation, investigations on the adders implementations
on FPGAs are analyzed and developed, with a view to reduce the
chip area. The proposed processor is compared with the
implementation of each hash function in a separate FPGA device to
demonstrate that our architecture achieves a performance
comparable to separate implementations while requiring much less
hardware. Two types of FPGAs are evaluated in order to produce
realistic results. Speed/area results from this processor are analyzed
and are shown to demonstrate that our designs achieves a favorably
performances with other FPGA-based implementations. A fastest
data throughput is achieved by our optimized design.
Keywords: Hash Function Standard, Signature, SHA-2 standard,
FPGA, Reconfigurable Processor.
1. Introduction
Cryptography serves a great number of scopes and ensures
different types of security due to alternative encryption
schemes. Among them we can mention for instance, the bulk
encryption, the message authentication and the data
integrity. The symmetric ciphers, the asymmetric encryption
algorithms and hash functions support each one of the above
types respectively [1]. Hash functions operate at the root of
many popular cryptographic methods in current use, such as
the Digital Signature Standard (DSS), Transport Layer
Security (TLS) and Internet Protocol Security (IPSec)
protocols. They are also a basic building block of secret-key
Message Authentication Codes (MACs), including the
Received November 18, 2007.
American federal standard HMAC [2]. Other popular
applications of hash functions include numerous random
number generation, fast encryption, all-or-nothing
transforms, and password storage and verification [3]–[4].
They are widely spread and many wireless protocols, such
as WAP [5] and Hiperlan [6] have specified security layers
and cryptographic schemes based on them.
The purpose of a hash function is to produce a
‘‘fingerprint’’ of a file, message, or other block of data. A
hash value h is generated by a function H of the form
h=H(M), where M is a variable-length message and H(M) is
the fixed-length hash value. In the cryptographic hash
function, a message of arbitrary length padded and broken
into blocks is fed sequentially to a compression function
which converts a fixed-length input (current message block)
to a fixed-length output (hash value). The hash values of
individual blocks are used iteratively by the compression
function to find the final hash value, referred to as message
digest. A hash function provides a unique relationship
between the input message and the hash value and hence,
represents a longer message in a concise way. The current
American Federal Information Processing Standard, FIPS
180-2, recommends the use of one of the four hash functions
developed by National Security Agency (NSA) and
approved by NIST (National Institute of Standard and
Technology). By far the most widely used of these four
functions is SHA-1 (Secure Hash Algorithm-1), a revised
version of the standard algorithm introduced in 1993 [7].
The best attack against this algorithm is in the range of 280
operations, which makes its security equivalent to the
security of Skipjack and the Digital Signature Standard
(DSS). After introducing a new secret-key encryption
standard, AES (Advanced Encryption Standard), with three
key sizes, 128, 192, and 256 bits, the security of SHA-1 did
not any longer match the security guaranteed by the
encryption standard [8]. Therefore, an effort was initiated by
NSA to develop three new hash functions, with the security
equivalent to the security of AES with 128, 192, and 256 bit
key respectively. This effort resulted in the development and
standardization of three new hash functions referred to as
SHA-256, SHA-384, and SHA-512 [9]. Since then, SHA-
224 has been added to the standard, forming the ‘SHA-2’
family of hash functions. All four standardized algorithms
1554-1010 $03.50 © Dynamic Publishers, Inc
 Architectural design features of a programmable high throughput reconfigurable SHA-2 Processor 148

have a similar internal structure and operation. All of them determination of a message’s integrity: any change to the
are based on sequential processing of consecutive blocks of message will result in a different produced message digest,
data, and therefore cannot be easily speed up by using with a very high probability.
pipelining or parallel processing (at least when only one
stream of data is being processed). Table 1. Functional characteristics of four hash functions
In other hand, in our days, reconfigurable computing is a
very attractive method for the hardware implementation of Hash SHA1 SHA-2
systems/algorithms [10]–[11]–[12]. Reconfigurable systems functions
256 384 512
can change their “true” hardware configuration and can
Size of hash
support multi-operations modes. 160 256 384 512
value (n)
In this paper we presented ultra high speed architecture for
Complexity of
the integration of SHA-256 and SHA-512 hash functions. 280 2128 2192 2256
the best attack
The proposed system is reconfigurable in the sense that Message size < 264 < 264 < 2128 < 2128
performs efficiently for both hash functions upon the user Message block
needs, it performs the two SHA-2 hash functions (256, 512). 512 512 1024 1024
size (m)
The architecture design is based on a pipelined methodology Word size 32 32 64 64
of 2-stages. This paper deals with three issues, namely, Numbers of
proposing architecture for reconfigurable implementation of 5 8 8 8
words
a hash function on FPGA, optimizing the architecture and Digest rounds
comparing the performance metrics of different FPGA, that 80 64 80 80
number
implement a SHA-2 function and single chip Constants Kt
implementation of SHA-2 family hash functions [13]. 4 64 80 80
number
The remaining paper is organized in the following manner:
in section 2 both SHA-256 and SHA-512 hash functions are Each hash function operation can be divided in two stages:
described briefly. In the next section, the proposed system (1) pre-processing and (2) hash computation. Pre-processing
presented and the internal components of this architecture involves padding the input message, parsing the padded data
are described in detail. The synthesis results of the FPGA into a number of m-bit blocks (m = 512 or 1024 bit) and
implementation are given in the next section. Comparisons setting the appropriate initial values, which are used in the
with other related works are also presented in section 5. hash computation. The hash computation uses functions
Finally, conclusions and observations are discussed in applied to the padded data, constants and word logical and
section 6. algebraic operations, to generate iteratively a series of hash
values. After a specified number of transformation rounds
2. Secure Hash Standard 2 (SHA-2) the produced hash value is equal to the message digest.
Functional Comparison These latter ranges in length from 256 to 512 bits,
depending each time on the selected hash function. The
In 1993 the Secure Hash Standard (SHA) was first published
following describes the SHA-2 algorithm applied to the
by the NIST. In 1995 this algorithm was reviewed in order
SHA-256 hash function, followed by the description of the
to eliminate some of the initial weakness and in 2001 new
SHA-512 hash function, which differs mostly in the size of
Hashing algorithms were proposed. This new family of
the operands, using 64-bit words instead of 32-bit.
hashing algorithms known as SHA-2, use larger digest
messages, making them more resistant to possible attacks
and allowing them to be used with larger blocks of data, up 2.1 SHA-256 hash functions
to 2128 bits, e.g. in the case of SHA-512. The SHA-2 SHA-256 calculates a 256-bit digest for an arbitrary b-bit
hashing algorithm is the same for the SHA-256, SHA-224, message and it consists of the following steps.
SHA-384 and SHA-512 hashing functions, differing only in • Pre-Processing:
the size of the operands, the initialization vectors, and the The b-bit message is padded so that a single 1-bit is added
size of the final digest message. into the end of the message. Then, 0-bits are added until the
All descriptions of SHA-256, SHA-384 and SHA-512 length of the message is congruent to 448 modulo 512. A
algorithms can be found in the official NIST standard [9]. 64-bit representation of b is appended to the result of the
Table 1 shows a comparative study in terms of function padding. Thus, the resulted message is a multiple of 512
characteristics of four hash functions. bits. This message is denoted here as M(i). M(i) message
The security of these hash functions is controlled by the size blocks are passed individually to the message expander.
of their outputs, referred to as hash values, n. The definition Which are used to generate the message schedule Wt’s.
of SHA-384 is almost identical to SHA-512, with the • Message Expansion:
exception of a different choice of the initialization vector The functions in the SHA-256 algorithm operate on 32-bit
and a truncation of the final 512-bit result to 384 bits. All words, so each 512-bit M(i) block from the Pre-Processing
functions have a very similar internal structure and process stage is viewed as 16 32-bit blocks denoted Mt(i) , 0 ≤ t ≤
each message block using multiple rounds. The number of 15. The message scheduler takes each M(i) and expands it
rounds for SHA-384 and SHA-512 is the same and 20% into 64 32-bit Wt blocks, according to the equations:
smaller in SHA-256. These hash functions enable the
149 Zeghid et al.

σ 0( x) = ROTR7 ( x) ⊕ ROTR18 ( x) ⊕ SHR 3 ( x) (1) The hash computation step uses four logical functions: Ch,
σ 1( x) = ROTR17 ( x) ⊕ ROTR 19 ( x) ⊕ SHR10 ( x) (2) Maj, Σ0, and Σ1. The result of each new function is either a
new 32-bit.
⎧ W j = M j (i ) for j = 0 to 15 ;
⎪ Ch( x, y, z ) = ( x • y ) ⊕ (− x • z ) (5)
⎨ (3)
⎪ W =σ W
⎩ j 1 ( j −2 + )
W j −7 + σ 0(W j −15)+ W j −16 for j = 16 to 6 3 Maj ( x, y, z ) = ( x • y ) ⊕ ( x • z ) ⊕ ( y • z ) (6)
Σ 0 ( x ) = ROTR 2 ( x ) ⊕ ROTR13 ( x) ⊕ ROTR 22 ( x ) (7)
Σ 1 ( x) = ROTR 6 ( x) ⊕ ROTR11 ( x) ⊕ ROTR 25 ( x) (8)
ROTRy(x) stands for rotation of x by y positions to the
right, whilst the function SHRy(x) denotes the right shifting And the inputs denoted Kt are 64 32-bit constants, specified
of x by y positions. All additions in SHA-256 algorithm are in [9]. After 64 iterations of the compression function, an
modulo 232. intermediate hash value H(i) is calculated:
• hash computation:
H0(i) = A + H0(i-1) ; H1(i) = B + H1(i-1) ; H2(i) = C + H2(i-1);
SHA-256 requires 64 cycles to produce the 256-bit message
H3(i) = D + H3(i-1) ; H4(i) = E + H4(i-1) ; H5(i) = F + H5(i-1) ;
digests. Each cycle requires the previous round’s results,
H6(i) = G + H6(i-1) ; H7(i) = H + H7(i-1).
Wt, as well as the constant value Kt. The core utilizes eight
32-bit words: A-H, which are initialized to predefined The SHA-256 compression algorithm then repeats and
values H0(0) –H7(0), (following the guidelines of the begins processing another 512-bit block from the message
official NIST standard in [9]) at the start of each call to the padder. After all N data blocks have been processed, the
hash function. The corresponding scheme can easily be final 256-bit output, H(N), is formed by concatenating the
drawn (see Figure 1). final hash values:
Compression Expender H(N) = (H0(N), H1(N), H2(N), H3(N), H4(N), H5(N), H6(N), H7(N)) is
the hash of M.
σ0 2.2 SHA-512 hash functions
A
The SHA-512 hash function computation is identical to that
Σ0 of the SHA-256 hash function, differing in the size of the
B operands, which are 64 bits and not 32 bits as for the SHA-
Maj 256, the size of the Digest Message, which has twice the size
C being composed by 512 bits, and in the Σ functions. The
value Wt and Kt are of 64 bits and the each data block is
D
composed by 16 64-bit words, having in total 1024 bits. The
SHA-512 algorithm uses the following 64-bit functions:
Σ 0 ( x) = ROTR 2 ( x) ⊕ ROTR34 ( x) ⊕ ROTR39 ( x) (9)
E
Σ 1 ( x) = ROTR14 ( x) ⊕ ROTR18 ( x) ⊕ ROTR 41 ( x) (10)
Σ1
σ 0 ( x) = ROTR1 ( x) ⊕ ROTR8 ( x) ⊕ SHR7 ( x) (11)
F

CH
σ 1 ( x) = ROTR19 ( x) ⊕ ROTR 61 ( x) ⊕ SHR6 ( x) (12)
σ1
G With respect to the previous description, the following
Kj Wj conclusions can be derived. Hardware implementations of
H SHA-384 and SHA-512 have exactly the same performance,
so only one of them needs to be implemented for the
Input purpose of comparative analysis. The throughput of SHA-
Figure 1. Canonical scheme for the SHA-256 algorithm 256 is likely to be in the same range as the throughput of
SHA-1, and smaller than the throughput of SHA-512.
The expressions used to calculate the outputs for each
Taking into account these estimations, we have decided to
cycle’s are given by the following expressions.
implement only two of the investigated hash functions,
SHA-256 and SHA-512, which lay on the opposite ends of
⎧ At +1 = Tmp + Σ 0 (A t ) + Maj(A t + B t + C t )
⎪ the spectrum in terms of security and speed, with SHA-256
⎪B t +1 = A t being the weakest and slowest, and SHA-512 being the
⎪C t +1 = B t strongest and fastest of the four investigated hash functions.
⎪
⎪D t +1 = C t
⎪ 3. SHA-2 Processor design Features and
⎨E t +1 = Tmp + D t (4)
⎪F = E implementation
⎪ t +1 t
⎪G t +1 = Ft This section presents the architectural design features of our
⎪ programmable high throughput SHA-2 processor. This
⎪H t +1 = Gt processor can perform the SHA-2 standard for SHA-256 and
⎪Tmp = Wt +1 + K t +1 + H t + Σ 1 ( E t ) + Ch( E t + Ft + Gt )
⎩ SHA-512 modes of operation upon to the user needs.
 Architectural design features of a programmable high throughput reconfigurable SHA-2 Processor
3.1 Processor design
Since the SHA-256 and SHA-512 algorithms are very
similar, they can be implemented on a single chip easily. A
block based top-level implementation of our proposed
processor is shown in figure 2. The proposed system
supports four operation modes for reconfigurable SHA-2
processor.
• The Control Unit is designed to control the flow of data
in the design, as well as the movement of data between
the Padded Process Unit and Hash Computation Unit. A
FSM is used for this purpose. During initialization phase,
the user with the appropriate write commands selects the
operation mode. The Control Unit coordinates all the
system operations and processes. After the initialization
phase, the control unit is totally responsible for the
system operation. It defines the proper constants and
operation word length, it manages the ROM blocks and
it controls all the proper algebraic and digital logic
functions for the operation of SHA-2 (256 and 512) hash
functions.
• Padded Process Unit pads the input data messages and
converts them to 512 or 1024 bit blocks (padded data).
Control
Control unit
(8 or 16)*32
Control Hash
(8 or 16) Computation
Rom * 32-bit Unit
Constants
(8 or 16)*32
Transformed data
done
Output data busy
16-bit
Figure 2. Integrated chip for SHA-256 and SHA-512
In the following, the system architecture’s basic units are
described.
3.2 Processor Implementation
Since the SHA processors are designed for implementation
in a reconfigurable platform, these allowed one combination
to be investigated with relative low complexity once
unrolled (‘2x’) core is implemented [14]–[15]. Specifically,
the goal is to permit next round’s available inputs to
calculate instantaneously an intermediate result. The aim is
to obtain a resource efficient implementation, increasing the
achievable data throughput.
3.2.1 Padded Unit
The input message is padded, before the beginning of the
Hash Computation Unit. So, the Padded ensures that the
input message length is a multiple of 512-bit block in the
150
This operation is characterized by simplicity and it is
well defined by SHA specifications [9]. First, the Padded
pads the input message and after that the hash function
begins. The Padded Data is a multiple of 512-bit block
for the SHA-256 and a multiple of 1024-bit block for the
SHA-512. In every data transformation round, based on
the padded data, in the Hash Computation Unit a new
data block, Wt(i), is produced. In the ROM Blocks the
specified constants set, Kt(i), of the SHA-2 standard are
stored, in order to support the Hash Computation Unit
process.
• The hash value generation is mainly centred in the Hash
Computation Unit for both operations (SHA-256 and
SHA-512). The Hash Computation Unit is the main data
path component of the system architecture. The specified
number of the data transformation rounds, for each one
of the SHA-2 hash family functions, is performed in this
component with the support of a rolling loop (feedback).
In last transformation the message digest is produced,
stored and beginning of the Bus Interface.
• A Bus Interface Unit has also been integrated in order
for the proposed processor to communicate efficiently
with the external environment.
Kt(i) Rom blocks
Kt
Padded
unit
Padded data
16 /32-bit
Bus interface unit
mode Start Input data
16-bit
case of SHA-256, and multiple of 1024-bit block in the
cases of SHA-512. Most message padding designs in the
literature are proposed. However, here we aim to produce
fast real time implementations of the hashing processor;
therefore, a Padded block was also included to implement
the padding described in Section 2. This was realised as a
synchronous finite state machine (FSM). In our architecture,
message blocks are not stored in Padded Unit. The Padded
Unit passes input data to the hash Computation unit a word
(Nb-bit) at a time, during the first N’ clock cycles used to
process each message block (N’ = 32 clock cycles for SHA-
256 or 64 for SHA-512). In the Hash Computation Unit the
Padded data are processed in order.
Figure 3 shows the first message blocks of N’ words being
stored into the core. The START signal is asserted at the
start of each message. The SHA-2 processor is ready to
accept data when START is asserted. Each Nb-bit word (Nb
151 Zeghid et al.

= 16) is clocked into the core on the rising edge of CLK
when START is asserted. The START signal is used to
acknowledge a data request from the core. The end of the
message is indicated by a low-state of the START signal.
After a feeding of a block of N’ words at the input, the
signal GO is asserted as the SHA-2 core which computes the
message digest. After, the next N/2 clock cycles (N = 64 for
N’
CLK
SHA-256, N = 80 for SHA-512), the message digest for the
previous N’ word block is computed. Finally when the final
message block has been processed, the hash value outputs
are concatenated to produce the 256 or 512-bit message
digest. A signal mode selecting a counter, which counts is to
N/2, is used to address the ROM and to select between the
512-bit and the shortened 256-bit message digests.
2N’ 3N’ 4N’ cycle

Reception bloc 1 Reception bloc 2 Reception bloc 3 Reception bloc 4

1 to 64/80 1 to 64/80 1 to 64/80 1 to 64/80

Bloc 1 extended Bloc 2 extended Bloc 3 extended Bloc 4 extended

And processing And processing And processing And processing

START
GO

Figure 3. Timing diagram for hashing process sequence

3.2.2 ROM and Constants Units

SHA-512 K0 = d728ae22428a2f98
For our proposed architecture, a memory elements SHA-256 K0, H0
0
configured as ROM are used to store the constants and the SHA-512 H00 = f3bbc9086a09e667
numbers of shifts (Figure 4).

ROM 2: constants numbers ROM 1: shifts numbers This arrangement allows simple decoding logic to select the
appropriate constants for the both algorithms. As LUTs are
Σ 0 s h if ts n u m b e r s

dd772288aaee2222428a2f98
23ef65cd71374491
ec4d3b2fb5c0fbcf
8189dbbce9b5dba5
..
..
0000000 00000 2 used in the aforementioned manner, a mode signal is used to
index the appropriate values during each step. It simplifies
8 the control logic design, resulting a compact
implementation.
13
3.2.3 Hash Computation Unit
34 Synthesis results show that the design performance like
.. critical path, area runs from the Hash Computation Unit.
.. The data modification in the Hash Computation Unit are
б 1 s h if ts n u m b e r s

.. .. mainly performed by Ch, Maj, Σ0, Σ1 hash functions and the

..
..
..
137e21795be0cd19 1011000 11000
64 /32-bit
Figure 4. ROM Blocks
For the shift-number lookup, a ROM with 5-bit address must
be used and 6-bit output used for the SHA-2 processor, since
there are 24 steps in SHA-2. For constants lookup, a ROM
with 7-bit input address and 64 or 32-bit output is used for
the SHA algorithm as it specifies. The definition of the
rounds constants are the same for equal word sizes and the
value of Kt for W=32 is identical to the right half of the
corresponding W=64 constant. Similarly, the right halves of
the SHA-512 words of H0 are the words of H0 for SHA-
256. For example:
.. modulo adders. Especially, in the modulo adder
.. components, modulo addition 232 is performed for the
..
SHA-256, and modulo addition 264 for the SHA-512.
Hence, reducing the size of these adders will reduce the
6
number of logic elements required in the FPGA, thereby,
6-bit reducing the overall area of the final circuits. We can trade-
off a reduction in critical path and hence increase the
throughput rate, as we discuss next.
• Adder Choice
The implementation of multi-operand 64-bit adders on
FPGA demands selection of proper scheme for performing
the addition, as both the speed and area are of concern.
Several schemes consist for the implementation of multi-
operand addition. In this work, four types of adders are
implemented, optimized and tested, as known ripple carry
(RCA), carry lookahead (CLA), carry save (CSA) and carry
select adders (CSelA). In a CSA or CLA an array of full
adders (FA) are used to perform addition of three binary
 Architectural design features of a programmable high throughput reconfigurable SHA-2 Processor 152

vectors without propagating the carries and two library Y X

vectors, pseudo-sum and carry are generated. Let a, b, c X

O
Y
O

three n-bit numbers, the FA produces a partial sum PS and a

Z
shift-carry SC: Z
Ch(x,y,z) Maj(x,y,z)

PSi = ai ⊕ bi ⊕ ci, SCi = (ai ^ bi) or (ai ^ ci) or (bi ^ ci).

The different proposed adders architectures were captured (a) : Ch and Maj functions architectures
by using VHDL, with structural description logic. All main
adder architectures were compared for word lengths of 8, R(I) R(I+6)

16, 32, 64 bits with carry input and output. The synthesis
results for the proposed adders implementations are R(I+2) ≥ R(I+8) ≥
illustrated in Table 2. Two performance metrics are used: the
area (slices) and delay (ns). R(I+4) R(I+10)
∑0 ∑1
Table 2. Synthesis results of Adders ((a): Area
requirements; (b): delay requirements) (b) : Σ0 and Σ1 functions architectures
bits CSA RCA CselA CLA (I = 0 for SHA-256, I = 1 for SHA-512)
8 8 10 14 9 R(I+12) R(I+18)

16 17 20 29 18
R(I+14) ≥ R(I+20) ≥
32 36 38 63 37

64 72 75 129 74 S(I+16) S(I+22)

б0 б1

(a) Area (Slices) requirements

(c) : б0 and б1 functions architectures
bits CSA RCA CselA CLA (I = 0 for SHA-256, I = 1 for SHA-512)
8 5.80 13.34 10.06 12.37
Figure 5. SHA-2 functions architectures
• Hash Computation design
16 5.95 21.14 14.41 20.17 In SHA-2, eight words (A, B, C, D, E, F, G and H) remain
32 6.03 36.74 22.10 35.77 almost unchanged by a single round. These words are only
shifted by one position down. The words, A and E, undergo
64 6.15 67.94 37.295 66.97 a complicated transformation equivalent to multi operand
(b) delay (ns) requirements addition modulo 2word. These operands depend on which
are the input words, the round-dependent constant Kt (which
It is apparent in table 2 that the CSA has almost the same are stored in ROM to conserve space on hash function) and
allocated resources with the CLA adder. Furthermore, the a message dependent word Wt. It should be noticed that in
carry save adder present the speed-delay for every word each round the computation is only required to calculate the
length. It is faster by at least two gate delays than all other values of A and E, since the remaining values are obtained
adders with log(n) time complexity because it works without directly from the values of the previous round, as depicted in
the final sum-bit generation level built from XORs. So, our section 2. So, the variables B, C, D, F, G and H are obtained
processor use the carry save representation of numbers to directly from the values of the round, not requiring any
speed-up the multi operand addition and minimize the delay computation, the values of A and E require computation and
associated with carry propagation. depend on all the values. In other words, the values A and E
for round t can not be computed until the values for the same
• SHA-2 functions
variables have been computed in the previous round have, as
As mentioned above, there are four nonlinear functions. The shown in (13).
architectures of these functions are illustrated in Figure 5.
The Ch and Maj (Figure 5.a) are common functions for ⎧ Et +1 = Wt +1 + K t +1 + H t + Σ1 ( Et ) + Ch( Et + Ft + Gt ) + Dt
⎪
SHA-256 and SHA-512 however Σ0 and Σ1 depend of the ⎨ At +1 = Wt +1 + K t +1 + H t + Σ1 ( Et ) + Ch ( Et + Ft + Gt ) + Σ 0 ( At ) (13)
hash functions. The proposed architectures for the Σ0 and Σ1 ⎪ + Maj ( At + Bt + Ct )
⎩
functions are shown in Figure 5.b. Figure 5.c illustrates the
б0 and б1 functions architectures for the generation of the The proposed design approach is to condense two cycles
Wt(i) data black. (t+1, t+2) in one and to reduce the numbers of adder’s.
The functions of Figure 5 are similar but their Specifically, the goal is to permit next round’s available
implementations are done using different constants for each inputs to calculate instantaneously an intermediate result.
one of the SHA-2 family hash functions. The specified This process continues for N/2 clock cycles (N= 80 or 64).
constants values for every hash function are given by the In both functions, the input registers are initialized with the
SHA-2 standard. Furthermore, R(I) indicates right rotation constant initialization vector, and are updated with the new
of the input data by I-bit, while the S(I) components value in each round. 2x-unrolled core requires two Wt
indicates right shift of the input data by I-bits. words to be available simultaneously; both units generate N
153 Zeghid et al.

message dependent words, Wt, t = 0...(N-1). The first 16 of Wt Kt

A B C D E F G H
these words, W0…...W15, are simply the first 16 words of
the input message block. The remaining words are computed
using a simple feedback function, shifts and XOR
+ CSA1
operations. After N/2 cycles the values in registers A to H ∑0 Maj ∑1 ch +
are added to the initial hash values to obtain new hash
+ + + CSA2
values. The expression to calculate outputs each cycle’s, as +
shown in (14).
+
+
⎧Ct + 2 = At At+1 +
⎪
⎪ Dt + 2 = Bt Wt+1
⎪Gt + 2 = Et
⎪ Kt+1
⎪ H t + 2 = Ft
⎪Tmp = W + K + H + Σ ( E ) + Ch( E + F + G )
⎪⎪ t t t t t t t t ∑1 ch
∑0 Maj
⎨ Ft + 2 = Tmp + Dt (14 ) +
⎪ A = Tmp + Σ ( A ) + Maj ( A + B + C ) +
⎪ t+2 0 t t t t +
⎪ Bt + 2 = At +1 +
⎪ +
⎪Tmp = Wt +1 + K t +1 + Gt + Σ1 ( Ft + 2 ) + Ch( Ft + 2 + Et + Ft ) +
⎪ Et + 2 = Tmp + Ct +
⎪
⎪⎩ At + 2 = Tmp + Σ 0 ( At +1 ) + Maj ( At +1 + Bt + At )

The first observation, that input At and Bt feed directly A B C D E F G H

outputs Ct+2 and Dt+2 respectively. Similarly, Et and Ft
feed directly outputs Gt+2 and Ht+2 respectively. In other Figure 7. Internal structure of unrolled Hash Computation
hand, something that can be easily observed from the latter Unit- 2 adders
equation is that the most problematic characteristic of the
design process is the need to add (modulo 2w) several Table 3. Methodology functions of three adders (while Ryx;
Result of CSAy; step x)
numbers. If this addition were to be implemented in a
straightforward manner, 14 adders would be required, one CSA1 CSA2 CSA3
for each internal variable, of 32 or 64 bits depending if Etat Function Etat Function Etat Function
SHA-256 or SHA-512 is being implemented. However,
Step1 On Wt +Kt On Ch0 + S10 On S00+Maj0
some hardware reuse can be achieved.
In order to reduce the area design and optimize the critical Step2 On Wt+1+ Kt+1 Off On H + R11
path, we have implemented and tested two methods (see Step3 On R21 + R32 On R12 + G Off
figure 6, table 3, figure 7 and table 4).
Step4 On C + R23 On R31+ R13 On R13 + D
A B C D E F G H Wt Kt Step5 On Maj1+S01 Off On Ch1 + S11
Step6 Off On R35 + R23 Off
+ CSA1 Step7 Off Off On R15 + R26
∑0 Maj ∑1 ch +

+ + + CSA3 Table 4. Methodology functions of two adders (while Ryx;

+
Result of CSAy in step x)
+ CSA2
+ CSA1 CSA2
+ +
At+1 Etat Function Etat Function
Tmp
Wt+1 Step1 On Wt +Kt On S00+Maj0
Kt+1
Step2 On Ch0+ S10 On H + R11
∑1 ch Step3 On Wt+1 + kt+1 On R12 + R22
∑0 Maj
+ Step4 On R21 + R23 On D + R23
+ +
+
Step5 On Ch1+ S11 On R13 + G
+ Step6 On Maj1+S01 On R15 + R25
+ +
Step7 On R16 + R26 On R25 + C

We assume the scheme of Figure 7 as a starting point for our

A B C D E F G H
discussion. As we will see, all the proposed optimizations
Figure 6. Internal structure of unrolled Hash Computation will be applied to this canonical form of the circuit; this
Unit- 3 adders provides a good common ground to compare
 Architectural design features of a programmable high throughput reconfigurable SHA-2 Processor
implementation techniques and refinements. All additions
operations lead to the figure 7 of the unrolled architecture of
hash computation unit shown in table 4. At each step two
additions are performed. We have 7 steps in totality.
Furthermore, in the second method we have applied three
adders. We notice, just in step 1 and step 4 we need three
adders. However, in steps 2, 6 and 7 there are at least an
adder that is not used. It apparent from table 3 and table 4,
that method 1 and method 2 have the same performances in
terms of rapidity, in terms of cost, there is a gain of an adder
for the second method.
3.3 Proposed Optimization
Several optimizations have been proposed to improve the
implementation of the SHA-2 algorithm. The proposed
optimization is based on modifying the basic hardware
structure of SHA processor with the following modifications
and additions.
• Unrolling techniques that optimize the data dependency.
An unrolled architecture implements multiple rounds of
the core compression function in combinational logic,
thereby reducing the number of clock cycles required to
compute the hash. This technique allows for an
improvement in the throughput. Our approach is to
condense two round (t+1, t+2) in one.
• Using Carry-Save Addition (CSA). CSA accept 3 input
operands, hence the designs in this paper use just 2 CSA
to calculate all the additions operations.
• One look-up table (LUT) is used to store the constants
and number of shifts.
• The SHA processor takes, Nb bits data as inputs (Nb =
16). The input data are not stored.
• A 1-stage shift register design approach is employed to
implement the Padded Unit. The register is loaded with
the Nb-bit input message per clock cycle.
• There are four different nonlinear functions: Every one is
used for each hashing data process, as know SHA-256
and SHA-512. Instead, we have decided to use a
common architecture of these functions, which reduce
the area. For the Left and the Right shifted constants, it
has to be mentioned with mode selected signal.
4. Experimental Results
We implemented an FPGA design that efficiently performs
both SHA-256 and SHA-512. Figure 2 shows the top level
schematic of the integrated chip. It can function as both an
SHA-256 unit or as a SHA-512 unit depending up on the
control signals start and mode. When mode = ‘0’, it signals
the data path unit that SHA-256 needs to be performed.
Similarly, if mode = ‘1’, SHA-512 will be performed. The
described circuits have been implemented in VHDL using
the Model Technology’s ModelSim Simulator and
synthesized, placed, and routed using target device of Xilinx
(Xilinx Virtex XCV200pq240 FPGA). The architecture was
simulated for verification of the correct functionality, by
using the test vectors provided by the SHA-2 standard [9].
In order to have a fair and detailed evaluation, we
implemented SHA-256 and SHA-512 separately. The
proposed reconfigurable processor is compared with each
154
one the hash functions individual implementation. Five
performance metrics such as cycles, clocking frequency
(Mhz), the throughput (Mbps), the area (slices) and the
power consumption were computed. The throughput (d) is
computed as,
d = message block size/(clock period * latency).
The block size for SHA-256 is 512 bits while the block size
for SHA-512 is 1024 bits. The designs were simulated for a
block of 512 and 1024 bits of padded message for SHA-256
and SHA-512 respectively. Table 5 presents detailed results
for these implementations.
Table 5. FPGA Synthesis results
Freq Throughput Area Power
Our Design Cycles
(Mhz) (Mbps) slices (mW)
SHA-256 32 56 896 1480 39
SHA-512 42 53 1292 2385 43
SHA-2 32
53 848 2530 47
processor 64
It is apparent in table 5 that the reconfigurable processor has
almost the same allocated resources with the separate SHA-
512 implementation. The processor engine was able to
operate at 53 Mhz, is the same as the frequency of SHA-512
implementation and about 3% less than the 56 MHz of the
SHA-256 implementation.
The results show that unrolling the quasi-pipelined SHA-2
processor design provides data throughput advantage. Our
circuit has a 2x-unrolled core. It is clear that the critical path
inside the core of SHA-2 processor increases with the
degree of unrolling. Although the unrolled designs process
messages in fewer clock cycles than the basic designs, the
longer critical path in the unrolled designs means that the
maximum clock frequency decreases. Going from a basic
quasi-pipelined SHA-512 or SHA-256 design to the 2x-
unrolled designs reduces the number of clock cycles by a
factor of 2. We effectively pushed the pipelining approach
to the limit, in the sense that it is not possible to create more
pipeline sections and increase the total amount of clock
cycles only by a small further factor. This can be understood
by considering the presence of the Maj and Ch functions,
accessing simultaneously, the values stored in three different
positions in the corresponding shift registers. Their output
value is immediately inserted back into the shift register.
Furthermore, during self-test at 50 mhz, the reconfigurable
processor consumed 47 mW. The separate implementations,
SHA-256 and SHA-512, have estimated power dissipation
39, and 43 mW, respectively. In addition, SHA-2 processor
requires only 32 clock cycles in the SHA-256 operation
mode. In the case of SHA-512 operation mode, 64 clock
cycles are required (because 64 cycles used to process 1024-
bit for SHA-512).
5. Performance Comparison
5.1 Evaluation metrics
When evaluating a given implementation, the throughput of
155 Zeghid et al.

the implementation and the hardware resources required to
achieve this throughput are usually considered the most
critical parameters. No established metric exists to measure
the hardware resource costs associated with the measured
throughput of an FPGA implementation. Two area
measurements are readily apparent—logic gates and con-
figurable logic blocks (CLBs) slices. It is important to note
that the logic gate count does not yield a true measure of
how much of the FPGA is actually being used. Hardware
resources within CLB slices may not be fully utilized by the
lace-and-route software so as to relieve routing congestion.
This results in an increase in the number of CLB slices
without a corresponding increase in logic gates.
To achieve more accurate measure of chip utilization, CLB
slice count as chosen as the most reliable area measurement.
Therefore, to measure the hardware resource cost associated
with an implementation’s resultant throughput; the
throughput per slice (TPS) metric is used. We defined it as
TPS = (throughput rate / # CLBslices used).
5.2 Device used
We synthesised our design using two targets: theVirtex
v200pq240 which is the most suitable for our architectures,
the Virtex2 xc2v2000 which we used for providing accurate
comparisons with existing schemes.
5.3 Comparisons with published implementations
Table 6 compare our implementation with several others
very recently reported in the literature in terms of SHA-256
only, SHA-512 only, both SHA-256 and SHA-512 [14]–
[15]–[16]–[17]–[18]. Furthermore comparisons with hash
function standard (SHA-1) implementations [19]–[20]–[21]
are also given. The performance is compared in terms of
frequency, the area, the throughput, and the TPS.
The introduced system in [16] supports the three hash
functions SHA-256, SHA-384 and SHA-512. The focus of
[17] was to implement SHA-2 using the theVirtex
v200pq240 as a target. Ref [15] presents a pipelined
architecture for a single chip SHA-384/SHA-512. The SHA-
2 implementation of [14], presented the highest throughput,
where SHA-2 was implemented using the re-use and
pipeline techniques simultaneously. Although, in [15]–[16]–
[17] the SHA-256 and the SHA-512 have been implemented
separately.
Using the TPS metric the proposed design is proved better
about 24% by compared with [16], and better about 20 % by
compared with [17]. When compared with [14] the results
show higher throughput, from 17 % up to 26 %, while
achieving a reduction in area above 25 % and up to 42 %.
Figure 8 and Figure 9 detail the optimal implementation in
terms of TPS for each SHA-2 implementations (SHA-256,
SHA-512 and SHA-2 integrated chip).

0,7
Our Works
0,6

0,5
SHA-256
0,4
TPS

SHA-512
0,3 [17]
SHA-2
0,2 [16]

0,1

0
1 2 3
works

Figure 8. Representing TPS- Virtex v200pq240

0,9
[14] Basic Our Works
0,8
0,7
0,6 [14] 2x-unrolled
0,5 SHA-256
TPS

0,4 SHA-512
0,3
0,2
0,1
0
1 2 3
w orks

Figure 9. Representing TPS- Virtex xc2v2000-bf957

 Architectural design features of a programmable high throughput reconfigurable SHA-2 Processor 156

Also, the proposed system is proved to be better have major differences in their specifications. From the
compared with the previous SHA-1 standard hardware synthesis results of Table 6, it is also proven that the
implementations [19]–[20]–[21]. For instance, we cannot proposed implementation performs better in terms of
go on a detailed “fair” comparison with the previous operating frequency and throughput compared with the
standard, since these two standards (SHA-1and SHA-2) hardware design work of [9].
Table 6. Performance comparison results
Reference Frequency (MHz) Area Throughput (Mbps) TPS (Mbps/slice)
SHA-1 architectures
[19] 55 4490 1339 0,298
Virtex 2v500fg45 CLBs
[20] 38 3100 900 0,290
Virtex 2v500fg45 CLBs
[21] 55 NA 2816 NA
Virtex v150bg352
SHA-2 architectures
[18] 41,97 3383 335, (256) NA
APEX II, Stratix, LEs 268,9 (512)
[16] 83 2120 262,(SHA-256) 0,123
Virtex v200pq240 slices
[16] 75 4474 396,( SHA-512) 0,089
Virtex v200pq240 slices
[16] 74 4768 233,(SHA-256) 0,049/0,082
Virtex v200pq240 slices 390,(SHA-512)
[17] 77 1306 308,( SHA-256) 0,236
Virtex v200pq240 slices
[17] 69 2545 442,( SHA-512) 0,174
Virtex v200pq240 slices
[17] 69 2951 200,(SHA-256) 0,108/0,136
Virtex v200pq240 slices 320,(SHA-512)
[15] 38 5828 479,(SHA-384) 0,082
VirtexE xcv600E8 slices 479,(SHA-512)
[14] (basic) 133 1373 1009,(SHA-256) 0,735
xc2v2000-bf957
[14] (2x-unrolled) 73,975 2032 996,(SHA-256) 0,491
xc2v2000-bf957
[14] (basic) 109,03 2726 1329,(SHA-512) 0,488
xc2v2000-bf957
[14] (2x-unrolled) 65,893 4107 1466,(SHA-512) 0,357
xc2v2000-bf957
Proposed architectures
Virtex v200pq240 56 1480 896,(SHA-256) 0,60
slices
Virtex v200pq240 53 2385 1292,(SHA-512) 0,541
slices
Virtex v200pq240 53 2530 848,(SHA-256) 0,335
slices 848,(SHA-512)
Virtex xc2v2000- 73 1520 1168,(SHA-256) 0,768
bf957 slices
Virtex xc2v2000- 71 2410 1731,(SHA-512) 0,718
bf957 slices

6. Conclusion and TPS product. From the comparative, with other

In this paper, a reconfigurable implementation with multi-
mode operation is proposed for the SHA-2 hash family.
SHA-2 secure hash algorithm is the newest hash function
standard. This hash functions family deployed in a broad
range of applications with different area-performance
requirements. The proposed implementations are
compared in terms of operating frequency, throughput
related well known works, our system performs much
better. They can substitute efficiently the previous SHA-1
implementations, in communication protocols and
networks integrity units, with higher supported security
level and better achieved performance. This work can be
applied efficiently in the implementation of digital
signature algorithms, keyed-hash message authentication
codes and in random numbers generators architectures.
157
The introduced system performs efficiently for the two
SHA-2 standard functions (256, 512). The allocated
resources of the proposed system are almost the same
with the covered area of the separate implementation
SHA-512. The achieved performance is almost
comparable to the separate implementations performance.
References
[1] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone.
Handbook of Applied Cryptography, CRC Press,
1997.
[2] National Institute of Standards and Technology, “The
keyed-hash message authentication code”, Federal
Information Processing Standards 198, March 2002.
[3] W. Stallings, “Network and Internetwork Security:
Principles and Practice”, Prentice Hall International,
1995.
[4] National Institute of Standards and Technology,
“Digital Signature Standard”, Federal Information
Processing Standards 186-2, January 2002.
[5] WAP Forum: WAP White Paper,
www.wapforum.org, 2002.
[6] HiperLan2 Global Forum, Hiperlan specifications,
www.hiperlan2.com, 2002.
[7] National Institute of Standards and Technology,
“Secure Hash Standard”, Federal Information
Processing Standards 180-1, April 1995.
[8] National Institute of Standards and Technology,
“Advanced Encryption Standard”, Federal
Information Processing Standards 197, November
2001.
[9] National Institute of Standards and Technology,
“Secure Hash Standard”, Federal Information
Processing Standards 180-2, August 2002.
[10] A. Stoica, R. Zebulum, D. Keymeulen, R. Tawel, T.
Daud, A. Thakoor, “Reconfigurable VLSI
architectures for evolvable hardware: From
experimental field programmable transistor arrays to
evolution-oriented chips”, IEEE Trans on VLSI,
9(1), pp. 227–232, 2001.
[11] N. Shirazi,W. Luk, P. Y. K. Cheung, “Framework
and tools for run-time reconfigurable designs”,
Computers and Digital Techniques, IEE
Proceedings, 147(3), pp.147-152, 2000.
[12] P. James-Roxby, E. Cerro-Prada, S. Charlwood,
“Core-based design methodology for reconfigurable
computing applications”, Computers and Digital
Techniques, IEE Proceedings-Publication, 147(3),
pp.142-146, 2000.
[13] M.Zeghid, B.Bouallegue, A.Baganne, M.Machhout,
R.Tourki. “Reconfigurable Implementation of the
New Secure Hash Algorithm”. In Proceedings of the
Internatioal Conference on Availability, Reliability
and Security 2007 (ARES 2007), pp. 281–285,
2007.
[14] R.P. McEvoy, F.M. Crowe, C.C. Murphy, W.P.
Marnane. “Optimisation of the SHA-2 Family of
Hash Functions on FPGAs”. In Proceedings of the
Annual Symposium on Emerging VLSI
Technologies and Architectures (ISVLSI’06), IEEE
Computer Society, pp.317–322, 2006.
Zeghid et al.
[15] M. McLoone, J. V. McCanny, “Efficient single-chip
implementation of SHA-384 & SHA-512”. In
Proceedings of the International Conference on
Field-Programmable Technology (FTP), pp. 311–
314, 2002.
[16] N. Sklavos, O. Koufopavlou. “Implementation of the
SHA-2 Hash Family Standard Using FPGAs”, The
Journal of Supercomputing, 31(3), pp.227–248,
2005.
[17] R.Glabb, L.Imbert, G.Julien, A.Tisserand, N.Veyrat-
Charvillon. “Multi-mode operator for SHA-2 hash
functions”, journal of systems architecture, 53(2-3),
pp.127-138, 2007.
[18] A.Imtiaz, A. Shoba Das. “Hardware implementation
analysis of SHA-256 and SHA-512 algorithms on
FPGAs”, Computers and Electrical Engineering,
31(6), pp. 345–360, 2005.
[19] N.Sklavos, G.Dimitroulakos, O.Koufopavlou. “An
Ultra High Speed Architecture for VLSI
Implementation of Hash Functions”. In Proceedings
of ICECS, pp. 990–993, 2003.
[20] J.M. Diez, S. Bojanic, Lj. Stanimirovicc, C. Carreras,
O. Nieto-Taladriz. “Hash Algorithms for
Cryptographic Protocols: FPGA Implementations”.
In Proceedings of the 10th Telecommunications
Forum, TELFOR2002, Belgrade, Yugoslavia, May
26 -28, 2002.
[21] M.Harris, A.P. Kakarountas, O.Koufopavlou, C.E.
Goutis. “A Low-Power and High-Throughput
Implementation of the SHA-1 Hash Function”. In
Proceedings of the IEEE International Symposium
on Circuits and Systems (ISCAS'05), pp. 4086–
4089, 2005.
Author Biographies
Medien Zeghid received his M.S. degree in Electronic Materials and
Dispositifs from the Science Faculty of Monastir, Tunisia, in 2005.
Currently, he is a PhD student. His research interests include Security
Networks, implementation of standard cryptography algorithm,
Multimedia Application, Network on Chip: NoC. He is working in
collaboration with LESTER Laboratory, Lorient, France.
Belgacem Bouallegue received his MSc in Physic Microelectronic and
his DEA in Electronic Materials and Dispositifs from the Science
Faculty of Monastir, Tunisia, in 1998 and 2000, respectively. Currently,
he is a PhD student. His research interests include High Speed Networks,
Multimedia Application, Network on Chip: NoC, flow and congestion
control, interoperability and performance evaluation. He is working in
collaboration with LESTER Laboratory, Lorient Cedex France.
Mohsen Machhout was born in Jerba, on January 31 1966. He received
MS and PhD degrees in electrical engineering from University of Tunis
II, Tunisia, in 1994 and 2000 respectively. Dr Machhout is currently
Assistant Professor at University of Monastir, Tunisia. His research
interests include implementation of standard cryptography algorithm,
key stream generator and electronic signature on FPGA.
Adel Baganne born in 1968 is presently an Associate Professor at the
UBS University and member of the LESTER Lab. He received his Ph.D.
degree in Signal Processing and Telecommunications at the University
of Rennes, France,in 1997 and the Engineer degree in Electronics from
the National Superior Engineering School in Angers (ESEO), France, in
1993. His research interests include communication synthesis, codesign,
co-simulation, computer architecture, VLSI design and CAD tools.
Rached Tourki was born in Tunis, on May 13 1948. He received
the B.S. degree in Physics (Electronics option) from Tunis University, in
1970; the M.S. and the Doctorat de 3eme cycle in Electronics from
 Architectural design features of a programmable high throughput reconfigurable SHA-2 Processor 158

Institut d'Electronique d'Orsay, Paris south University in 1971 and 1973 Microelectronics and Microprocessors with the physics department,
respectively. From 1973 to 1974 he served as microelectronics engineer Faculty of Sciences of Monastir. His current research interests include:
in Thomson CSF. He received the Doctorat d'etat in Physics from Nice Digital signal processing and hardware software codesign for rapid
University in 1979. Since this date he has been professor in prototyping in telecommunications.