Sha-256 computation, Sha computation example – Rainbow Electronics AT88SA100S User Manual

AT88SA100S [ Preliminary]

8558A–SMEM–03/09

Status Fuses

These fuses can be used to store various information which is not secret. Their value can always be
determined using the Read command. They can be individually burned using the BurnFuse
command. Two common usage models for these fuses are:

1. Consumption logging, i.e. burn one bit after every n uses; the host system keeps track of the
   number of uses so far for this serial number since the last fuse burn.

2. Model number information. In this situation, the bits are written at the factory and their value is
   locked to prevent modifications in the field. This method can also be used for feature enabling.

1.3. SHA-256 Computation

This chip performs only one cryptographic calculation – a keyed digest of an input challenge using the SHA-256
algorithm, documented here:

http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf

1.3.1. SHA Computation Example

In order to ensure that there is no ambiguity, the following example vector is provided in addition to the sample vectors
in the NIST document. In this example, all values are listed in hex. For all but the key, bytes are listed in the order that
they appear on the bus – first on the left. Key is listed in the same order, so the 01 at the left of the key string is the first
byte passed to SHA-256.

Key          01030507090B0D0F11131517191B1D1F21232527292B2D2F31333537393B3D3F
Challenge    020406080A0C0E10121416181A1C1E20222426282A2C2E30323436383A3C3E40
Opcode       01
Mode         40 (include serial number in message)
Param2       0000
MfrID Fuses  77
S/N Fuses    8899AABB
MfrID ROM    CCDD
MaskSN ROM   EEFF

The 88 bytes over which the digest is calculated are 0103…3D3F0204…3E4001400000…EEFF

Digest: 7D38245733717A488575B9F794F7BCAFE033A3848D39430DA25141FDEBEAA1C2


A Read command executed on address 0 of the ROM (MfrID ROM, MaskSN ROM) would return CC DD EE FF, with
CC being the first byte on the bus and FF being the last.

Throughout this document, the complete message processed by the SA100S chip is documented. According to the
above specification, this always includes a single bit of ‘1’ pad after the message, followed by a 64 bit value
representing the total number of bits being hashed (less pad and length). If the length is less than 447 (512-64-1) then
the necessary number of ‘0’ bits are included between the ‘1’ pad and ‘length’ to stretch the last message block out to
512 bits.

When using standard libraries to calculate the SHA-256 digest, these pad and length bits should probably not be
passed to the library as most standard software implementations of the algorithm add them in automatically.
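
The padding rule above, as an added example that is not part of the original manual: it builds the pad and length by hand, runs a bare SHA-256 core over the pre-padded blocks, and confirms that this equals what a standard library returns for the unpadded message. All function names are hypothetical, and the 88-byte input used to exercise it is a constructed stand-in of the same length as the chip's message, not the message itself.

```python
import hashlib
import struct
from math import isqrt

M = 0xFFFFFFFF

def fips180_pad(msg: bytes) -> bytes:
    """Append the '1' bit, the zero fill and the 64-bit bit length."""
    zeros = (55 - len(msg)) % 64  # zero bytes after the 0x80 byte
    return msg + b"\x80" + bytes(zeros) + struct.pack(">Q", 8 * len(msg))

def _icbrt(n: int) -> int:  # exact integer cube root by binary search
    lo, hi = 0, 1 << 40
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# FIPS 180 constants: fractional bits of square/cube roots of the first primes.
PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, p))]
H0 = [isqrt(p << 64) & M for p in PRIMES[:8]]
K = [_icbrt(p << 96) & M for p in PRIMES]

def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & M

def sha256_prepadded(padded: bytes) -> bytes:
    """Compression function only: the input must already carry pad and length."""
    if len(padded) % 64:
        raise ValueError("pre-padded input must be whole 512-bit blocks")
    h = list(H0)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 64):
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & M
            a, b, c, d, e, f, g, hh = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h)

def library_agrees_with_padded_form(msg: bytes) -> bool:
    """hashlib over the bare message == bare core over message + pad + length."""
    return hashlib.sha256(msg).digest() == sha256_prepadded(fips180_pad(msg))
```

An 88-byte message pads out to two 512-bit blocks (128 bytes); feeding those 128 bytes to `hashlib.sha256` pads them a second time and yields a different digest.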
