我正在按照 Verilog 中的官方FIPS-202 文档实施 SHA-3。我的状态由一维寄存器表示,我使用宏函数从文档中的 (x,y,z) 坐标计算相应的状态索引:
A[x, y, z] = S [W(5y + x) + z],W = 64(第 9 页)
我严格遵循第 11 页上的指南并提出以下建议:
// Macros for transforming dimensions
`define sub_1(x) (x == 0 ? 4 : x - 1)
`define add_1(x) (x == 4 ? 0 : x + 1)
`define sub_1_W(x) (x == 0 ? (W - 1) : x - 1)
`define s(x,y,z) ((W * ((5 * y) + x)) + z)
`define s_xz(x,z) ((W * x) + z)
// Wires
wire [0:(1600 - 1)] absorbed_data, after_theta;
wire [0:((5 * 64) - 1)] C, D;
genvar x, z;
for(x = 0; x < 5; x = x + 1) begin
for(z = (W - 1); z >= 0; z = z - 1) begin
// Step 1
assign C[`s_xz(x,z)] = absorbed_data[`s(x,0,z)] ^ absorbed_data[`s(x,1,z)] ^ absorbed_data[`s(x,2,z)] ^ absorbed_data[`s(x,3,z)] ^ absorbed_data[`s(x,4,z)];
// Step 2
assign D[`s_xz(x,z)] = C[`s_xz(`sub_1(x),z)] ^ C[`s_xz(`add_1(x),`sub_1_W(z)];
end
end
genvar x, y, z;
generate
for(x = 0; x < 5; x = x + 1) begin
for(y = 0; y < 5; y = y + 1) begin
for(z = 0; z < W; z = z + 1) begin
// Step 3
assign after_theta[`s(x,y,z)] = absorbed_data[`s(x,y,z)] ^ D[`s_xz(x,z)];
end
end
end
endgenerate
我目前面临的问题似乎在 Theta 函数中。例如对于 SHA-224,一个空消息应该产生中间结果和最终输出,如本文档所示。
奇怪的是,我得到相同的absorbed_data( 06 00 ... 00 80) 但不同的值C和D:
C
as is: 06 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 06 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00
D
as is: 00 00 00 00 00 00 00 00 | 06 00 00 00 00 00 01 00 | 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 80 | 0c 00 00 00 00 00 00 00
to be: 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 07 | 00 00 00 00 00 00 00 00 | 80 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 0c
首先,C位顺序似乎不同,但不是在位级别上而是在字节级别上(如06保持06)。其次,因为D我得到06 00 .. 01 00了正确的结果应该是00 .. 00 07. 这对我的实现来说是不可能的,因为根据 FIPS-202,at 的位z只能移动一个位置 ( (z - 1) mod w)。
在未来的情况下D将产生正确的结果,因为06 ^ (80 << 1) = 07.
总之,我会说我的实现行为与 FIPS-202 中的定义所期望的一样,对吗?
知道我在这里做错了什么吗?
提前致谢!