Joachim Strömbergson joachim@secworks.se writes:
For SHA-1 the H0 constants are a simple sequence pattern and according to Thomas actually come from MD5.
(From sha1.c in Nettle):
/* SHA initial values */
0x67452301L, 0xEFCDAB89L, 0x98BADCFEL, 0x10325476L, 0xC3D2E1F0L,
The first four values are the same as for md5. The final value is unique to sha1.
The H0-values for SHA-224 are actually the low 32 bits of the H0-values for SHA-384.
Interesting, I hadn't noticed that.
We should therefore be able to update the shadata program to generate the SHA-224 constants.
The reason sha512 and sha384 aren't generated by shadata.c is that the needed precision exceeds what can be expected from a C double. And for sha224, if it had been the *high* 32 bits, double would have been enough.
Now that we include mini-gmp, I guess one could make use of that to compute the needed roots to high enough precision.
Suggestion: Change the comments in sha256.c (for sha224) to point to the origin of the constants. And also add a short comment in sha1.c and md5.c that the constants are simple patterns.
I've added comments for sha1 and sha224.
According to Thomas the sequence pattern in md5 was chosen by Rivest quite arbitrarily.
Not much to comment there...
Regards, /Niels
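The derivation discussed in this thread, as an added example that is not Nettle's shadata.c or any code from the list: it recomputes the SHA-384 initial values as the first 64 bits of the fractional parts of sqrt of the 9th through 16th primes (23 .. 53, as specified in FIPS 180) using exact integer arithmetic in place of mini-gmp, takes the low 32 bits to obtain the SHA-224 values, and shows next to it why a C double falls short.

```python
"""Added example (not Nettle's shadata.c): derive the SHA-224 initial hash
values as the low 32 bits of the SHA-384 initial values.

SHA-384's H0 words are the first 64 bits of the fractional parts of the
square roots of the 9th through 16th primes (23 .. 53).  Python's
arbitrary-precision integers stand in for what mini-gmp would do in C:
math.isqrt(p << 128) is floor(sqrt(p) * 2**64), exact to the last bit.
"""
import math

# 9th .. 16th primes: the inputs for the SHA-384 (hence SHA-224) H0 values.
PRIMES_9_TO_16 = [23, 29, 31, 37, 41, 43, 47, 53]

MASK32 = (1 << 32) - 1


def frac_sqrt_bits(p: int, bits: int) -> int:
    """First `bits` bits of the fractional part of sqrt(p), computed exactly."""
    # floor(sqrt(p * 2**(2*bits))) == floor(sqrt(p) * 2**bits): no rounding.
    scaled = math.isqrt(p << (2 * bits))
    return scaled & ((1 << bits) - 1)  # drop the integer part of sqrt(p)


def sha384_iv() -> list:
    """SHA-384 H0: 64-bit fractional parts of sqrt of primes 23..53."""
    return [frac_sqrt_bits(p, 64) for p in PRIMES_9_TO_16]


def sha224_iv() -> list:
    """SHA-224 H0: low 32 bits of each SHA-384 H0 word."""
    return [h & MASK32 for h in sha384_iv()]


def sha224_iv_via_double() -> list:
    """What a plain C double gives: a double keeps only about 50 fractional
    bits of sqrt(p) for these primes, so bits 33..64 (the SHA-224 words)
    come out wrong, while the high 32 bits would have been fine."""
    out = []
    for p in PRIMES_9_TO_16:
        frac = math.sqrt(p) - math.floor(math.sqrt(p))
        out.append(int(frac * 2.0 ** 64) & MASK32)  # low bits are lost
    return out


if __name__ == "__main__":
    for p, h384, h224 in zip(PRIMES_9_TO_16, sha384_iv(), sha224_iv()):
        print(f"prime {p:2d}: SHA-384 {h384:016x}  SHA-224 {h224:08x}")
```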