1. Introduction

A hash function is a category of cryptographic primitives that plays an important role in ensuring security methods, such as data integrity and authentication. An original input message is condensed by a hash function and becomes a fixed-length ciphertext known as a message digest. The hash function used to generate a ciphertext must be computationally simple but impossible to revert back to its original. Because of its efficiency and reliability, the SHA-256 hash function, which was released by the National Institute of Standards and Technology (NIST), is widely used in the field of security ^[1]. Since the hardware design of the SHA-256 provides better throughput than the software design, it is more pertinent for applications that demand high throughput. Furthermore, the hardware design of the SHA-256 has a non-disruptive feature, unlike the software design ^[2].

Increasing energy efficiency has become important because the hardware is faced with limited battery and energy resources. In order to achieve high energy efficiency and hardware performance of the hardware design, approximate computing, which trades off the computation precision for acceptable processing quality, can be leveraged.

In this paper, we propose a novel high-throughput SHA-256 design, which reduces the area and delay effectively using approximate arithmetic. Specifically, we focus on replacing the existing adder of the conventional SHA-256 with the approximate adders to improve the hardware performance and save hardware resource consumption while satisfying hash functionality. The existing 32-bit adder is replaced by the split k-bit adder. The proposed design was analyzed mathematically, and its hardware performance (e.g., energy and throughput) was also evaluated. In addition, to check whether the generated message digest is cryptographically secure and distributed randomly, we conduct the randomness tests developed by NIST and Avalanche effect ^[3]. The proposed design improves hardware performance and the Avalanche effect, compared with the conventional design, and all the message digests generated by the proposed SHA-256 are randomly distributed. The results verified that the proposed design could be competitive.

In summary, the contribution of this work is as follows:

· We present a new SHA-256 design that exploits approximate adders to improve hardware efficiency.

· The proposed SHA-256 is thoroughly analyzed to confirm that it improves overall throughput and energy efficiency that stems from shortened carry chain compared with the existing adder.

· To verify that the generated message digest is cryptographically secure, Avalanche effect and randomness tests were performed and passed.

2. Background and Motivation

2.1 SHA-256 Basics

The SHA-2 was developed with a number of noteworthy upgrades from the SHA-1. The SHA-2 is made up of four different algorithms, which correspond to output lengths of 224-, 256-, 384-, and 512-bit, respectively. Although it consumes more memory and takes longer to process, a longer output length is beneficial for security. Because of its great efficiency, processing speed, and Avalanche effect, SHA-256 becomes a key component in many applications, such as blockchain and hash-based message authentication code (HMAC). The overall structure of the SHA-256 process is shown in Fig. 1. The SHA-256 hash algorithm can be divided into three steps: Pre-processing, Message scheduler, and Compression function.

Fig. 1. Block diagram of SHA-256.

Pre-processing, a step in padding an input message, is the first stage of the SHA-256. We define L as the length of the original message. A single bit "1" is added to the end of the message, followed by K "0" bits, which must satisfy the equation L + 1 + K ${\equiv}$ 448 mod 512. The length of the message, calculated in 64-bit big-endian, is added to the rest of the message. Thus, the original message is padded and becomes a message, which is a multiple of 512-bit. The second step of SHA-256 is the Message scheduler. In the message scheduler, each 32-bit word: W$_{t}$ is produced during 64 rounds. We define t as representing the number of rounds from 0 to 63. W$_{t}$ is as follows:

(1)

$ \begin{equation} \begin{array}{ll} W_{t}\, & =first16words\,\,of\,the\,\,message0\leq t\leq 15\\ W_{t}\, & =W_{t-16}+\sigma _{0}\left(W_{t-15}\right)+W_{t-7}+\sigma _{1}\left(W_{t-2}\right)16\leq t\leq 63 \end{array} \end{equation} $

where

(2)

$ \begin{equation} \begin{array}{ll} \sigma _{0}\left(x\right) & =ROTR_{7}\left(x\right)\oplus ROTR_{18}\left(x\right)\oplus SHFR_{3}\left(x\right)\\ \sigma _{1}\left(x\right) & =ROTR_{17}\left(x\right)\oplus ROTR_{19}\left(x\right)\oplus SHFR_{10}\left(x\right). \end{array} \end{equation} $

In (2), the ROTR$_{n}$(x) denotes a right rotation of x by n-bit, and the SHFR$_{n}$(x) denotes a right shift of x by n-bit. All variables in the above equations are 32-bit unsigned integers and addition is calculated modulo 2$^{32}$. The compression function is the final step of SHA-256, where the variables A, B, C, D, E, F, G, and H are updated. The constant value K$_{t}$ is obtained from the first 32-bit of the fractional parts of the cube roots of the first 64 primes. In the first round, the variables are assigned by initial hash values, calculated by the first 32-bit of the fractional parts of the square roots of the first 8 primes. Every 64 rounds, the variables are updated using the previously calculated W$_{t}$ and K$_{t}$. The A, B, C, D, E, F, G, and H can be computed by:

(3)

$ \begin{equation} \begin{array}{l} H=G\\ G=F\\ F=E\\ E=D+temp_{1}\\ D=C\\ C=B\\ B=A\\ A=temp_{1}+temp_{2} \end{array} \end{equation} $

where

(4)

$ \begin{array}{l} \sum _{0}\left(A\right)=ROTR_{2}\left(A\right)\oplus ROTR_{13}\left(A\right)\oplus ROTR_{22}\left(A\right)\\ \sum _{1}\left(E\right)=ROTR_{6}\left(E\right)\oplus ROTR_{11}\left(E\right)\oplus ROTR_{25}\left(E\right)\\ ch\left(E,F,G\right)=\left(E\wedge F\right)\oplus \left(\neg E\wedge G\right)\\ maj\left(A,B,C\right)=\left(A\wedge B\right)\oplus \left(A\wedge C\right)\oplus \left(B\wedge C\right)\\ temp_{1}=H+\sum _{1}\left(E\right)+ch\left(E,F,G\right)+K_{t}+W_{t}\\ temp_{2}=\sum _{0}\left(A\right)+maj\left(A,B,C\right). \end{array} $

The initial hash values: $H_{0},\,H_{1},\,H_{2},\,H_{3},\,H_{4},\,H_{5},\,H_{6},$ and $H_{7}$ can be calculated by using (5).

(5)

$ \begin{equation} \begin{array}{l} H_{0}=H_{0}+A\\ H_{1}=H_{1}+B\\ H_{2}=H_{2}+C\\ H_{3}=H_{3}+D\\ H_{4}=H_{4}+E\\ H_{5}=H_{5}+F\\ H_{6}=H_{6}+G\\ H_{7}=H_{7}+H. \end{array} \end{equation} $

In the end, the output is computed by concatenating the hash values.

(6)

$ \begin{equation} Output=H_{0}||H_{1}||H_{2}||H_{3}||H_{4}||H_{5}||H_{6}||H_{7} \end{equation} $

3. Related Works

Various research works have been studied to improve the throughput and performance of SHA-256 [2, 5-12]. Also, previous research has been conducted on whether it is cryptographically secure while verifying several tests, such as the Avalanche test, and randomness tests ^[13,14].

Rote et al. ^[2] proposed a new architecture using a fully iterative and Round Pipelined Technique (RPT) to improve throughput per area of SHA-2. In ^[5], a rescheduling method during round computations was proposed and implemented on the Xilinx Virtex-4 FPGA. It enhanced the quality of throughput by reducing the critical path. Xiaoyong et al. ^[6] suggested a high-performance computation hardware architecture in the ASIC of SHA-256. To shorten the critical path, parallel pipelines were used and the computation chain was converted to independent parts. Power and area decreased compared to the conventional SHA-256. In ^[7], through optimization techniques, a design was proposed that increases throughput due to reduced power and area. An unfolding design of SHA-256 based on FPGA was presented in ^[8]. The designs produced an unfolding architecture, which makes maximum frequency and area better than conventional SHA-256. Kahri et al. ^[9] proposed efficient hardware implementation of SHA-256 on the FPGA. For the hash function, a finite state machine (FSM) is employed. In ^[10], in order to optimize SHA-256, a pre-computation method was devised. Compared to the conventional pipelined SHA-256, the throughput increased, and the area penalty decreased. Chaves et al. ^[11] developed a new technique using operation rescheduling and hardware reutilization. The critical path was significantly reduced while the required area also decreased thanks to the technique. Glabb et al. ^[12] presented a multi-mode architecture that can independently execute the SHA-224 and SHA-256 blocks as well as the SHA-384 or SHA-512 hash algorithms. This research wanted to considerably reduce the computing overhead while avoiding any time delays brought on by handling input messages.

To address the Length Extension attack problem, an improved padding method and modified hashing process were presented in ^[13]. Statistical tests employing the Strict Avalanche effect, frequency test (Monobit), frequency test within a block, and run test were carried out to demonstrate that the updated hash function is cryptographically secure. Since the distribution of zeros and ones in the final hash value under tests was uniformly random, the message digest produced by modified SHA-256 was cryptographically secure. Roshdy et al. ^[14] proposed a new secure hash algorithm based on SHA-256 and Message Digest 5 (MD5). The proposed algorithm met the requirements of the Avalanche test and differential attack test.

4. Proposed SHA-256 Architecture

In SHA-256 hardware design, the primary steps, message scheduler and compression function, were replaced with a novel design that could save hardware considerably by using approximate computing to reduce hardware resource consumption. Specifically, to reduce the delay by shortening the critical path, the 32-bit adder in the message scheduler and compression function was swapped out with the approximate adder. The 32-bit adder accounts for a large part of the operation of SHA-256, compared to the other calculation steps. The addition is used seven times from round 0 to 15, 10 times from 16 to 63, and eight times when the round is finished, and the last hash values are added. Thus, applying approximate computing to the existing adder can significantly increase the energy efficiency of the SHA-256 hardware design. The approximate adder used in the proposed SHA-256 design is illustrated in Fig. 3. Note that it is an improvement in the structure of the adders painted gray in Fig. 1 and the adders in the message scheduler. The 32-bit adder is split into several k-bit adders, where k is 1-, 2-, 4-, 8-, and 16-bit adder, respectively. Each adder divided into k-bit is calculated separately, and all carry-in is ignored in the adders to cut the long carry propagation chain and improves the latency. It is noteworthy that the k-bit adder does not depend on the addition algorithms but can be implemented in any kind of accurate adders, such as ripple carry adder (RCA), carry save adder (CSA), and carry-lookahead adder (CLA). The 32-bit is calculated by dividing them into k-bits, and the final outcome of the split adder is to concatenate the k-bits that result from each. Since a carry-out is ignored when it occurs, the carry chain is shortened when compared with the existing 32-bit adder. This results in a decrease in delay and area, which allows high throughput and performance of the proposed design to be achieved.

Fig. 3. (a) the existing 32-bit adder; (b) general hardware architecture of the proposed approximate adder of SHA-256.

5. Experimental Results

5.1 Hardware Performance

To evaluate the hardware resource consumption, the proposed SHA-256 design was synthesized in Verilog HDL using 28-nm CMOS technology. Using the same design methodology, we also synthesized and implemented the conventional design so that we could compare it to the conventional SHA-256 design. In addition, the proposed designs functionally verified that the generated message digest is secure cryptographically and randomly distributed.

The conventional SHA-256 and the proposed SHA-256 with various design configurations are summarized in Table 1. We compared the conventional SHA-256 with designs where the 32-bit adder is replaced by a split approximate adder with 1-, 2-, 4-, 8-, and 16-bit configurations, respectively. Comparing the proposed SHA-256 design to the conventional design, the area is reduced by up to 15% in the 1-bit adder-based SHA-256 design. Furthermore, there is a noticeable improvement in the delay as expected. As a result of the synthesis, we confirmed that the adders of calculating A$_{\mathrm{t+1}}$ in Fig. 1 are the critical pass. In all the proposed SHA-256 design configurations, the delay reduces by 15.7%, 27.1%, 35.0%, 45.7%, and 52.9%, respectively. The considerable overall delay reduction stems from the approximate adder that cuts the long carry chain to enhance its delay performance. The power increases slightly as the delay reduces. The power increases from a minimum of 17.1% to a maximum of 46.8%. The energy is improved in all the configurations, especially 9.3% and 11.3% in 2-bit and 1-bit configurations, respectively. The result shows that the area, delay, and energy are further improved as the 32-bit adder is split into smaller units.

Table 1. Performance summary of various adders of proposed SHA-256 design.

Design	Area (${\mu}$m$^{2}$)	Delay (ns)	Power (mW)	Energy (pJ)
Conv.	11946.2	1.40	6.24	8.74
16-bit	11914.0	1.18	7.31	8.63
8-bit	11595.1	1.02	8.12	8.29
4-bit	11171.7	0.91	8.93	8.12
2-bit	10605.5	0.76	10.44	7.93
1-bit	10158.1	0.66	11.74	7.75

To compare the SHA-256 designs in terms of both area and delay, we evaluate the area-delay product (ADP). Fig. 4 exhibits the ADP of the conventional SHA-256 and the proposed SHA-256 designs. In all the configurations of the proposed SHA-256, the ADP is significantly improved by 19.1%, 41.6%, 64.8%, 107.8%, and 149.8% in the 16-, 8-, 4-, 2-, and 1-bit configurations, respectively.

Additionally, the energy-delay product (EDP) was computed to evaluate the design from the perspective of energy efficiency. Fig. 5 shows the EDP comparison between the proposed designs and the conventional SHA-256. According to the result, all the proposed designs enhance the EDP by 20.2%, 44.8%, 65.6%, 103.0%, and 139.3%, respectively.

In addition to the EDP, the throughput was calculated to compare the designs in terms of the performance of the hardware design. Fig. 6 shows the comparison of the throughput. The throughput can be calculated by using the following equation

(7)

$ \begin{equation} Throughput=\frac{Block\;size\times Clock\;frequency}{Clock\;cycles\;per\;block} \end{equation} $

In all the configurations of the proposed SHA-256, the throughput is improved considerably. There was an improvement of 18.6%, 37.3%, 53.8%, 84.2%, and 112.1% in the 16-, 8-, 4-, 2-, 1-bit configuration, respectively.

Fig. 4. Comparison of area-delay product (ADP) of various SHA-256 designs.

Fig. 5. Comparison of energy-delay product (EDP) of various SHA-256 designs.

Fig. 6. Comparison of throughput of various SHA-256 designs.

6. Conclusion

This paper presented a novel high-throughput SHA-256 design that reduces the hardware cost effectively using approximate computing. The existing 32-bit adders of the SHA-256 are replaced by the proposed split k-bit adder to achieve high throughput. To compare our proposed design with the conventional SHA-256 design, both designs were designed in Verilog HDL and synthesized using 28-nm CMOS technology. In addition, we functionally verified the generated message digest to examine whether it is cryptographically secure and randomly distributed. The results demonstrated that the proposed designs, when compared to the traditional one, reduce area, delay, and energy by 8.9%, 45.7%, and 9.3 in the 2-bit configuration and by 15%, 52.9%, and 11.3% in the 1-bit configuration, respectively. Additionally, the proposed designs improve the ADP, EDP, and throughput performances by at least 19.1%, 20.2%, and 18.6% with a maximum of 149.8%, 139.3%, and 112.1%, respectively. Also, all the proposed designs obtain a higher average Avalanche effect than the traditional ones, and all the message digests generated by the proposed SHA-256 are randomly distributed. Based on the results, the proposed design reduced area and power, improving hardware throughput and energy efficiency. Therefore, our proposed designs can be a new alternative to the SHA-256 with high hardware performance and energy efficiency.