High throughput implementation of the new Secure Hash Algorithm through partial unrolling

Konstantinos Aisopos, Athanasios P. Kakarountas, Haralambos Michail, Costas E. Goutis
Dpt. of Electrical and Computer Engineering, University of Patras, Patras, GREECE

Abstract—A design approach for creating a small-sized, high-speed implementation of the new version of the Secure Hash Algorithm is proposed. The resulting design can be easily embedded in HMAC IP cores, providing a high degree of security. The proposed implementation does not introduce a significant area penalty compared to other competitive designs. However, the achieved throughput is higher than that of commercially available IP cores, with an increase ranging from 43% to 1830%.

I. INTRODUCTION

Hash functions are common and critical cryptographic primitives. Their primary application is combined use with public-key cryptosystems in digital signature schemes. By far the most widespread hash functions are SHA-1 (Secure Hash Algorithm-1), a revised version of the NIST American federal standard [1], and MD5 (Message Digest) [2]. These two hash functions are widely known for their use in the Keyed-Hash Message Authentication Code (HMAC) [3], which is found in numerous communication applications, where it addresses authentication issues.

However, due to the ever increasing demand for security, a new version of the Secure Hash Algorithm [1] has been introduced. The new version of SHA (commonly named SHA-2) satisfies various needs of applications and comes in a variety of configurations. The most widely known is the SHA-512 version, which produces a message digest of 512 bits. The latter hash function is considered for inclusion in many applications, replacing the existing SHA-1. The SHA hash functions were selected for the Digital Signature Algorithm (DSA), as specified in the Digital Signature Standard (DSS) [4], and whenever a secure hash algorithm is required for federal applications.
The latter hash functions are widely used in the field of communications, where until recently the throughput of cryptographic systems was not required to be high. However, since the adoption of HMAC in IPSec [5], e-payment and VPN applications, the throughput of the cryptographic system, especially of the server, has to be as high as possible. The high-speed requirement for the hash value calculation is strongly related to the streamlined communication between two subscribers of the aforementioned applications. Especially in applications where transmission and reception rates are high, any latency or delay in calculating the digital signature of a data packet degrades the network's quality of service.

Software implementations present unacceptable performance for high-speed applications. Additionally, most of the proposed implementations did not consider that the products introduced to the market tend to be as small as possible. These facts were a strong motivation to propose a novel hardware implementation of SHA-512, with many differences from existing competitive implementations. The proposed implementation was developed as an IP core, so that it can be reused in a variety of applications, allowing integration in FPGA or ASIC technologies.

Thus, this paper aims to provide a low-cost design approach, compared to the solutions proposed by both academia and industry, in order to satisfy the requirements of the new communication applications. The proposed implementation introduces a negligible area penalty, increasing the throughput while keeping the area small enough, as required by most portable communication devices. The main contribution of this work is the design approach to optimize performance without introducing extra area. Furthermore, power dissipation is kept low in contrast to existing implementations of similar throughput and size.

The rest of this paper is organized as follows.
In Section II, the implementation of SHA-512 is presented, as proposed by the standard [1]. In Section III the proposed implementation is presented in depth, providing details regarding the architecture, the logic and the modifications to decrease the critical path, and the expected characteristics of the circuit. In Section IV the proposed SHA-512 is implemented in an FPGA technology and compared to other implementations. Finally, Section V concludes the paper.

II. EXISTING IMPLEMENTATION OF SHA-512

The Secure Hash Standard [1] describes in detail the SHA-512 hash function. SHA-512 may be used to hash a k-bit message, where $0 \le k < 2^{128}$. During preprocessing phase

We thank European Social Fund (ESF), Operational Program for Educational and Vocational Training II (EPEAEK II) and particularly the program PYTHAGORAS.