
Test vectors HMAC-SHA-512/256 and .../224


Wolfgang Ehrhardt
Feb 17, 2011, 3:04:16 PM

On Feb. 11. 2011 NIST announced the public draft FIPS 180-4
<http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4>
and associated test vectors for the new hash algorithms
SHA-512/224 and SHA-512/256.

Can anybody confirm the following test vectors for the
corresponding HMAC algorithms? I calculated them for the
test cases 1 and 2 from RFC 4231.

Thank you
Wolfgang


Test Case 1
-------------------------------------------------------------
Key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
0b0b0b0b (20 bytes)
Data = 4869205468657265 ("Hi There")

HMAC-SHA512/224 = b244ba01307c0e7a8ccaad13b1067a4c
f6b961fe0c6a20bda3d92039
HMAC-SHA512/256 = 9f9126c3d9c3c330d760425ca8a217e3
1feae31bfe70196ff81642b868402eab


Test Case 2
-------------------------------------------------------------
Key = 4a656665 ("Jefe")
Data = 7768617420646f2079612077616e7420 ("what do ya want ")
666f72206e6f7468696e673f ("for nothing?")

HMAC-SHA512/224 = 4a530b31a79ebcce36916546317c45f2
47d83241dfb818fd37254bde
HMAC-SHA512/256 = 6df7b24630d5ccb2ee335407081a8718
8c221489768fa2020513b2d593359456

Globemaker
Feb 22, 2011, 12:21:30 AM

On Feb 17, 3:04 pm, W...@completely.invalid (Wolfgang Ehrhardt) wrote:
> On Feb. 11. 2011 NIST announced the public draft FIPS 180-4
> <http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4>
> and associated test vectors for the new hash algorithms
> SHA-512/224 and SHA-512/256.
>
> Can anybody confirm the following test vectors for the
> corresponding HMAC algorithms? I calculated them for the
> test cases 1 and 2 from RFC 4231.
>
> Thank you
> Wolfgang
>
> Test Case 1
> -------------------------------------------------------------
> Key  = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
>        0b0b0b0b                          (20 bytes)
> Data = 4869205468657265                  ("Hi There")
> HMAC-SHA512/256 = 9f9126c3d9c3c330d760425ca8a217e3
>                   1feae31bfe70196ff81642b868402eab
>

I tried to duplicate the result, but a different value was obtained.
b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7

Maybe the endian issue is my possible mistake. I will try again
tomorrow to debug my program in Perl:


# hmac_32.pl 2/21/2011
# Perl for Popular Cryptography Magazine, Connecticut Office
use strict;
use warnings;
# my $key20 = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;
# my $ipad64 = 0x36363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636363636;
# my $opad64 = 0x5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c;

my $key4 = 0x0b0b0b0b;
print "key4 binary and hex\n";
print "00";
printf "%b ", $key4;
print "0";
printf "%x \n", $key4;

my $ipad4 = 0x36363636;
print "ipad4 binary and hex\n";
printf "%b ", $ipad4;
printf "%x \n", $ipad4;

my @t = (0,0,0,0,0,0,0,0);
my $opad4 = 0x5c5c5c5c;
print "opad4 binary and hex\n";
printf "%b ", $opad4;
printf "%x \n", $opad4;

my $message1 = 0x48692054;
my $message2 = 0x68657265;
my $s1 = $key4^$ipad4;

print "s1 binary and hex\n";
printf "%b ", $s1;
printf "%x \n", $s1;

print "What 2 files in c:/openssl/bin will get this binary number to input to hash in OpenSSL?\n";
print "Enter the filename, like gg\n";
my $giant_file=<STDIN>;
chomp $giant_file;
my $file_out = "c:/openssl/bin/$giant_file".".txt";
my $binary_out = "c:/openssl/bin/$giant_file".".bin";
open(OUT, ">$file_out") or die "Can't open $file_out : $!";
open(OUTBIN, ">$binary_out") or die "Can't open $binary_out : $!";


my $binary_out2 = "c:/openssl/bin/$giant_file"."2.bin";
open(OUTBIN2, ">$binary_out2") or die "Can't open $binary_out2 : $!";
binmode(OUTBIN2);
# need to repeat the 4 byte words to make 64 byte value plus 8 message bytes

printf "%x",$s1;
printf "%x",$s1;
printf "%x",$s1;
printf "%x",$s1;
printf "%x",$s1;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$ipad4;
printf "%x",$message1;
printf "%x",$message2;

printf OUT "%x",$s1;
printf OUT "%x",$s1;
printf OUT "%x",$s1;
printf OUT "%x",$s1;
printf OUT "%x",$s1;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$ipad4;
printf OUT "%x",$message1;
printf OUT "%x",$message2;


print OUTBIN pack("N",$s1);
print OUTBIN pack("N",$s1);
print OUTBIN pack("N",$s1);
print OUTBIN pack("N",$s1);
print OUTBIN pack("N",$s1);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$ipad4);
print OUTBIN pack("N",$message1);
print OUTBIN pack("N",$message2);
close (OUT);
close (OUTBIN);
print "\nstuff sent to $file_out and .bin \n";

# first hash was 92ab4d9a1f3b6152bca9dd9e69af43f4ce99e42fd4e30ff972c48025b9f9cfef

$t[0] = 0x92ab4d9a;
$t[1] = 0x1f3b6152;
$t[2] = 0xbca9dd9e;
$t[3] = 0x69af43f4;
$t[4] = 0xce99e42f;
$t[5] = 0xd4e30ff9;
$t[6] = 0x72c48025;
$t[7] = 0xb9f9cfef;

$s1 = $key4^$opad4;
print OUTBIN2 pack("N",$s1);
print OUTBIN2 pack("N",$s1);
print OUTBIN2 pack("N",$s1);
print OUTBIN2 pack("N",$s1);
print OUTBIN2 pack("N",$s1);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
print OUTBIN2 pack("N",$opad4);
my $i = 0;
for ($i=0; $i<8; $i++)
{
printf "%x\n", $t[$i];
print OUTBIN2 pack("N",$t[$i]);
}


close (OUTBIN2);
exit();
# TWO HASHES FOR HMAC
# openssl dgst -sha256 hh.bin
# openssl dgst -sha256 mm2.bin
# input for second hash
# WWWWWWWWWWWWWWWWWWWW\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# (followed by the 32 raw bytes of the first hash, which are not printable)
# second hash
# b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7

Paul Rubin
Feb 22, 2011, 2:21:51 AM

W...@completely.invalid (Wolfgang Ehrhardt) writes:
> On Feb. 11. 2011 NIST announced the public draft FIPS 180-4
> <http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4>
> and associated test vectors for the new hash algorithms
> SHA-512/224 and SHA-512/256.
>
> Can anybody confirm the following test vectors for the
> corresponding HMAC algorithms? I calculated them for the
> test cases 1 and 2 from RFC 4231.

Do you still want help with this? I've been meaning to get around to
doing some tests, but some time has gone by since your post.
I'm trying to code it up right now.

Wolfgang Ehrhardt
Feb 22, 2011, 2:55:45 AM

On Mon, 21 Feb 2011 21:21:30 -0800 (PST), Globemaker
<alanfo...@cabanova.com> wrote:
># TWO HASHES FOR HMAC
># openssl dgst -sha256 hh.bin
># openssl dgst -sha256 mm2.bin
># input for second hash
># second hash
>b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7

Thank you for your effort. But I doubt that you can calculate/verify
these test vectors with openssl. They are very new, they are NOT
SHA256 but SHA512 with different initial values.

Wolfgang

Wolfgang Ehrhardt
Feb 22, 2011, 3:00:14 AM

Yes, because I still do not know any HMAC test vectors. Of course
I tested the underlying Hash routines and they reproduce the data
published by NIST.

Wolfgang

Paul Rubin
Feb 22, 2011, 5:10:37 AM

W...@completely.invalid (Wolfgang Ehrhardt) writes:
> Can anybody confirm the following test vectors for the
> corresponding HMAC algorithms? I calculated them for the
> test cases 1 and 2 from RFC 4231.
> Test Case 1 ...

My output does not match yours for any of the tests. I'll
check tomorrow if I've done something obviously wrong.

Wolfgang Ehrhardt
Feb 22, 2011, 6:18:05 AM

On Tue, 22 Feb 2011 02:10:37 -0800, Paul Rubin
<no.e...@nospam.invalid> wrote:

>> Can anybody confirm the following test vectors for the
>> corresponding HMAC algorithms? I calculated them for the
>> test cases 1 and 2 from RFC 4231.
>> Test Case 1 ...
>
>My output does not match yours for any of the tests. I'll
>check tomorrow if I've done something obviously wrong.

Thank you in advance! Here are some of my intermediate data for the
very first test case. The block length is 128 bytes/octets.

key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b

data = 4869205468657265

key xor ipad =
3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636

inner_hash = SHA512_224(key xor ipad || data)
7ef95eae85fba647ab9f91c1c0e855a9427e899b9d2eb2dc1a595009

key xor opad =
57575757575757575757575757575757575757575c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c

HMAC = SHA512_224(key xor opad || inner_hash)
4a530b31a79ebcce36916546317c45f247d83241dfb818fd37254bde


Paul Rubin
Feb 22, 2011, 6:59:25 AM

W...@completely.invalid (Wolfgang Ehrhardt) writes:
> key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
> data = 4869205468657265

Yes

> key xor ipad =
> 3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d363636363636363636363636
> 3636363636363636363636363636363636363636363636363636363636363636
> 3636363636363636363636363636363636363636363636363636363636363636
> 3636363636363636363636363636363636363636363636363636363636363636

Yes

> inner_hash = SHA512_224(key xor ipad || data)
> 7ef95eae85fba647ab9f91c1c0e855a9427e899b9d2eb2dc1a595009

I have

1ed1f8f363357a573a4d946c17d6bb7ef09f1d8247589fb0179aa900

for this, but I may be messing up somehow. I'll test my implementation
with some other hash functions with known HMAC vectors.

Paul Rubin
Feb 22, 2011, 8:21:11 AM

Paul Rubin <no.e...@nospam.invalid> writes:
> I have
> 1ed1f8f363357a573a4d946c17d6bb7ef09f1d8247589fb0179aa900
> for this, but I may be messing up somehow. I'll test my implementation
> with some other hash functions with known HMAC vectors.

I get correct hmac values with sha1 and md5, and the sha512/224
implementation gets the right results for the NIST test strings from

http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/HMAC_SHA224.pdf

Not sure what to try next.

Wolfgang Ehrhardt
Feb 22, 2011, 9:40:31 AM

This is not the correct document because it is about HMAC_SHA224 not
about the new HMAC_SHA512/224. Unfortunately NIST does not yet provide
test vectors for HMAC with the new Hash algorithms (only for the
Hashes) otherwise I would have a source to work with.

Are you sure that you are working with the new hash algorithms from
<http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf>?
(NIST site seems to be messed up, so the link from my first post is
not valid). The new SHA512/224 and SHA512/256 use truncated values
from a modified SHA512 (IVs are different).

BTW: There is a copy and paste error in my intermediate values (the last
line was from the second test case), but as you already have different
figures my error is not so severe :) The correct values are:

key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b

data = 4869205468657265

key xor ipad =
3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636

inner_hash = SHA512_224(key xor ipad || data)
7ef95eae85fba647ab9f91c1c0e855a9427e899b9d2eb2dc1a595009

key xor opad =
57575757575757575757575757575757575757575c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c

HMAC = SHA512_224(key xor opad || inner_hash)

b244ba01307c0e7a8ccaad13b1067a4cf6b961fe0c6a20bda3d92039


Globemaker
Feb 22, 2011, 10:53:54 AM

Is it true that there is no software available for me to run
SHA512_224 and that I would need to write a new program to get
SHA512_224 outputs?

Wolfgang Ehrhardt
Feb 22, 2011, 12:24:30 PM

I do not know any published software with SHA512/224 and/or SHA512/256
support. Remember NIST announced the new algorithms 11 days ago.

There is the eprint document 548 "SHA-512/256" from 2010 by S.Gueron,
S.Johnson, J.Walker, but they used other initialization constants.

One of the main design goals for the new algorithms is to speed up hash
calculation for 224/256 bit digests on 64 bit platforms using existing
SHA512 code.

I am sure there will be software and HMAC test vectors in the near
future (I am just working on a Pascal/Delphi implementation).

You can use existing SHA512 implementations IF (a big IF) you
can externally set up their initialization constants and truncate the
512 bit digest to 224 bit.
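
The points made in the posts above (SHA-512/224 and SHA-512/256 are SHA-512 with different initial values and a truncated digest, and HMAC over them works on 128-byte blocks) can be checked with the following added example, which is not code from any poster in this thread. It derives the SHA-512 constants and the SHA-512/t IVs as specified in FIPS 180-4 and recomputes the four HMAC vectors from the first post; all function names are this example's own.

```python
import hashlib  # used only to cross-check the plain SHA-512 path
from math import isqrt

MASK = (1 << 64) - 1
BLOCK = 128  # SHA-512 family block size in bytes (the SHA-256 family uses 64)

def icbrt(n):  # floor of the integer cube root, by binary search
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# FIPS 180-4 constants, derived rather than typed in: the first 64 fractional
# bits of the cube roots (K) and square roots (SHA-512 IV) of the first primes.
P = [p for p in range(2, 410) if all(p % q for q in range(2, p))]  # 80 primes
K = [icbrt(p << 192) & MASK for p in P]
SHA512_IV = [isqrt(p << 128) & MASK for p in P[:8]]

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def compress(h, block):
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, BLOCK, 8)]
    for t in range(16, 80):
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
        t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def sha512_core(iv, msg, out_len):
    """SHA-512 with a caller-supplied IV and a truncated output."""
    pad = b"\x80" + b"\x00" * ((111 - len(msg)) % BLOCK) + (8 * len(msg)).to_bytes(16, "big")
    h, msg = list(iv), msg + pad
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return b"".join(x.to_bytes(8, "big") for x in h)[:out_len]

def sha512t_iv(t):
    """SHA-512/t IV generation: hash the name with the SHA-512 IV xor a5..a5."""
    seed = [x ^ 0xA5A5A5A5A5A5A5A5 for x in SHA512_IV]
    d = sha512_core(seed, b"SHA-512/%d" % t, 64)
    return [int.from_bytes(d[i:i + 8], "big") for i in range(0, 64, 8)]

def sha512t(t, msg):
    return sha512_core(sha512t_iv(t), msg, t // 8)

def hmac_sha512t(t, key, data):
    """Return (inner_hash, HMAC), the same intermediate steps posted in the thread."""
    if len(key) > BLOCK:
        key = sha512t(t, key)
    key = key.ljust(BLOCK, b"\x00")
    inner = sha512t(t, bytes(k ^ 0x36 for k in key) + data)
    return inner, sha512t(t, bytes(k ^ 0x5C for k in key) + inner)

# The four vectors from the first post of the thread: (t, key, data, HMAC hex).
VECTORS = [
    (224, b"\x0b" * 20, b"Hi There", "b244ba01307c0e7a8ccaad13b1067a4cf6b961fe0c6a20bda3d92039"),
    (256, b"\x0b" * 20, b"Hi There", "9f9126c3d9c3c330d760425ca8a217e31feae31bfe70196ff81642b868402eab"),
    (224, b"Jefe", b"what do ya want for nothing?", "4a530b31a79ebcce36916546317c45f247d83241dfb818fd37254bde"),
    (256, b"Jefe", b"what do ya want for nothing?", "6df7b24630d5ccb2ee335407081a87188c221489768fa2020513b2d593359456"),
]

def verify():
    # Cross-check the core against hashlib's SHA-512, then check every vector.
    core_ok = sha512_core(SHA512_IV, b"abc", 64) == hashlib.sha512(b"abc").digest()
    return core_ok, [hmac_sha512t(t, k, d)[1].hex() == want for t, k, d, want in VECTORS]

if __name__ == "__main__":
    print(verify())
```
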

Paul Rubin
Feb 22, 2011, 1:59:58 PM

W...@completely.invalid (Wolfgang Ehrhardt) writes:
> Are you sure that you are working with the new hash algorithms from
> <http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf>?

Yes, I am using the implementation from here:
http://hackage.haskell.org/packages/archive/cryptohash/0.6.3/doc/html/Crypto-Hash-SHA512t.html

> (NIST site seems to be messed up, so the link from my first post is
> not valid).

That happened to me too. Try reloading until it works. I think they
have load-balanced mirrored servers and not all of the mirrors are
updated yet.

Oh wait, now they seem to be down altogether, instead of intermittently
missing the new files. Maybe they're in the process of getting the
mirrors straightened out.

> BTW: There is a copy and paste on my intermediate values (the last
> line was from the second test case), but as you already have different
> figures my error is not so severe :) The correct values are:
>
> key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b

My version: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b

> data = 4869205468657265

My version: 4869207468657265

> key xor ipad =
> 3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d363636363636363636363636
> 3636363636363636363636363636363636363636363636363636363636363636
> 3636363636363636363636363636363636363636363636363636363636363636
> 3636363636363636363636363636363636363636363636363636363636363636

My version:
3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636
3636363636363636363636363636363636363636363636363636363636363636

> inner_hash = SHA512_224(key xor ipad || data)
> 7ef95eae85fba647ab9f91c1c0e855a9427e899b9d2eb2dc1a595009

My version: 1ed1f8f363357a573a4d946c17d6bb7ef09f1d8247589fb0179aa900

> key xor opad =
> 57575757575757575757575757575757575757575c5c5c5c5c5c5c5c5c5c5c5c
> 5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
> 5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
> 5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c

My version:
57575757575757575757575757575757575757575c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c
5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c5c

> HMAC = SHA512_224(key xor opad || inner_hash)
> b244ba01307c0e7a8ccaad13b1067a4cf6b961fe0c6a20bda3d92039

My version: cf1fb9843d01130bf2cc62c1c6f2515e31e19660b3d52d4a77e5dccf

Please also try:

sha512_224("abc") =
4634270f707b6a54daae7530460842e20e37ed265ceee9a43e8924aa

sha512_224("Hi there") =
9aab5d13e3177bbb44e5aa0b20ec551e3a9633baae1f38e2df55ae4d

sha512_224(key xor ipad) =
c2d722064c8251873915aa892ed47c50cf7256209c2f67f24fadd3be

sha512_224(message || key_xor_ipad) =
d1b11e790493776da63e0849c7cf2c46ea70cf7582ba38e598b82c3e
(this is the inner hash with the two parts swapped)

Paul Rubin
Feb 22, 2011, 3:31:17 PM

Paul Rubin <no.e...@nospam.invalid> writes:
>> data = 4869205468657265
> My version: 4869207468657265

Wait, this is the problem. You have "Hi There" and I have "Hi there".
Trying again (the "traceHex" number is the inner hash): I get agreement
with your output on the first test case but not the second.

(Hash:SHA512/224,Key: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b,"Hi There")
("traceHex","7ef95eae85fba647ab9f91c1c0e855a9427e899b9d2eb2dc1a595009")
HMAC: b244ba01307c0e7a8ccaad13b1067a4cf6b961fe0c6a20bda3d92039

(Hash:SHA512/256,Key: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b,"Hi There")
("traceHex","c271a8888c010a0e78d93b6f1fe29784c6b1fef17136e366cb20567e3eb0a63d")
HMAC: 9f9126c3d9c3c330d760425ca8a217e31feae31bfe70196ff81642b868402eab

(Hash:SHA512/224,Key: 4a656665,"what do ya want for nothing?")
("traceHex","71409f70fb1abe6d6d8c9124dd430605d6ab7545bfeae982161ba3c6")
HMAC: 4a530b31a79ebcce36916546317c45f247d83241dfb818fd37254bde

(Hash:SHA512/256,Key: 4a656665,"what do ya want for nothing?")
("traceHex","a989a3ce40fb0bee416143f225fc870dd12bb7be837080812033019d4d96fb78")
HMAC: 6df7b24630d5ccb2ee335407081a87188c221489768fa2020513b2d593359456

Silly check: SHA1("what do ya want for nothing?") =
"8f820394f95335182045da24f34de52bf8bc3432"

micha8s
Feb 22, 2011, 4:01:53 PM

Wolfgang,

A colleague of mine has used his own tools to verify your results. In
addition, we have generated the same results using a third, completely
independent method.

mt

Thomas Pornin
Feb 22, 2011, 4:04:14 PM

According to Wolfgang Ehrhardt <W...@completely.invalid>:

> On Feb. 11. 2011 NIST announced the public draft FIPS 180-4
> <http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4>
> and associated test vectors for the new hash algorithms
> SHA-512/224 and SHA-512/256.
>
> Can anybody confirm the following test vectors for the
> corresponding HMAC algorithms?

I confirm. My implementation of SHA-512/224 and SHA-512/256 matches
the test vectors from:
http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA512_224.pdf
http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA512_256.pdf

When I use that implementation with my generic HMAC code, I get the
same vectors as you:

> Test Case 1
> -------------------------------------------------------------
> Key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
> 0b0b0b0b (20 bytes)
> Data = 4869205468657265 ("Hi There")
>
> HMAC-SHA512/224 = b244ba01307c0e7a8ccaad13b1067a4c
> f6b961fe0c6a20bda3d92039
> HMAC-SHA512/256 = 9f9126c3d9c3c330d760425ca8a217e3
> 1feae31bfe70196ff81642b868402eab
>
>
> Test Case 2
> -------------------------------------------------------------
> Key = 4a656665 ("Jefe")
> Data = 7768617420646f2079612077616e7420 ("what do ya want ")
> 666f72206e6f7468696e673f ("for nothing?")
>
> HMAC-SHA512/224 = 4a530b31a79ebcce36916546317c45f2
> 47d83241dfb818fd37254bde
> HMAC-SHA512/256 = 6df7b24630d5ccb2ee335407081a8718
> 8c221489768fa2020513b2d593359456


I am pretty sure that my HMAC code is correct, since it matches
published test vectors from RFC 2104, has been used in several products
with proper interoperability (in particular as part of SSL/TLS clients
and servers), and yields the same outputs as the HMAC implementation
which comes with Sun/Oracle JDK 1.6.0.


--Thomas Pornin

Paul Rubin
Feb 22, 2011, 4:08:41 PM

Paul Rubin <no.e...@nospam.invalid> writes:
> Wait, this is the problem. You have "Hi There" and I have "Hi there".
> Trying again (the "traceHex" number is the inner hash): I get agreement
> with your output on the first test case but not the second.

I'm not sure what was wrong with the second set last time, since I
didn't change anything significant, but now I get complete agreement
with your results. Micha8s also gets matching results so I think we
probably have this figured out. I may have had a stray intermediate
file with wrong data in it or something, when I got the erroneous result
in my previous post.

Wolfgang Ehrhardt
Feb 22, 2011, 4:33:27 PM

On Tue, 22 Feb 2011 12:31:17 -0800, Paul Rubin
<no.e...@nospam.invalid> wrote:

>Paul Rubin <no.e...@nospam.invalid> writes:
>>> data = 4869205468657265
>> My version: 4869207468657265
>
>Wait, this is the problem. You have "Hi There" and I have "Hi there".
>Trying again (the "traceHex" number is the inner hash): I get agreement
>with your output on the first test case but not the second.

?? Here I cannot follow, but see below


>
>(Hash:SHA512/224,Key: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b,"Hi There")
>("traceHex","7ef95eae85fba647ab9f91c1c0e855a9427e899b9d2eb2dc1a595009")
>HMAC: b244ba01307c0e7a8ccaad13b1067a4cf6b961fe0c6a20bda3d92039
>
>(Hash:SHA512/256,Key: 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b,"Hi There")
>("traceHex","c271a8888c010a0e78d93b6f1fe29784c6b1fef17136e366cb20567e3eb0a63d")
>HMAC: 9f9126c3d9c3c330d760425ca8a217e31feae31bfe70196ff81642b868402eab
>
>(Hash:SHA512/224,Key: 4a656665,"what do ya want for nothing?")
>("traceHex","71409f70fb1abe6d6d8c9124dd430605d6ab7545bfeae982161ba3c6")
>HMAC: 4a530b31a79ebcce36916546317c45f247d83241dfb818fd37254bde
>
>(Hash:SHA512/256,Key: 4a656665,"what do ya want for nothing?")
>("traceHex","a989a3ce40fb0bee416143f225fc870dd12bb7be837080812033019d4d96fb78")
>HMAC: 6df7b24630d5ccb2ee335407081a87188c221489768fa2020513b2d593359456
>

All your latest HMAC values are the same as in my first post.

Thank you very much for your effort and patience. I will consider these
test cases as preliminarily verified.

Wolfgang

Wolfgang Ehrhardt
Feb 22, 2011, 4:33:28 PM

On Tue, 22 Feb 2011 13:01:53 -0800 (PST), micha8s <mich...@gmail.com>
wrote:

>Wolfgang,
>
>A colleague of mine has used his own tools to verify your results. In
>addition, we have generated the same results using a third, completely
>independent method.
>
>mt

Dear mt/micha8s,

Many thanks to you and your colleague for this second verification.

Wolfgang

Wolfgang Ehrhardt
Feb 22, 2011, 4:38:08 PM

On 22 Feb 2011 21:04:14 GMT, Thomas Pornin <por...@bolet.org> wrote:

>According to Wolfgang Ehrhardt <W...@completely.invalid>:
>> On Feb. 11. 2011 NIST announced the public draft FIPS 180-4
>> <http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4>
>> and associated test vectors for the new hash algorithms
>> SHA-512/224 and SHA-512/256.
>>
>> Can anybody confirm the following test vectors for the
>> corresponding HMAC algorithms?
>
>I confirm. My implementation of SHA-512/224 and SHA-512/256 matches
>the test vectors from:
> http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA512_224.pdf
> http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA512_256.pdf
>
>When I use that implementation with my generic HMAC code, I get the
>same vectors as you:

>


>I am pretty sure that my HMAC code is correct, since it matches
>published test vectors from RFC 2104, has been used in several products
>with proper interoperability (in particular as part of SSL/TLS clients
>and servers), and yields the same outputs as the HMAC implementation
>which comes with Sun/Oracle JDK 1.6.0.

Thomas,

Thank you very much for this third confirmation.

Wolfgang

Paul Rubin
Feb 22, 2011, 4:46:40 PM

W...@completely.invalid (Wolfgang Ehrhardt) writes:
>>Wait, this is the problem. You have "Hi There" and I have "Hi there".
>>Trying again (the "traceHex" number is the inner hash): I get agreement
>>with your output on the first test case but not the second.
>
> ?? Here I cannot follow, but see below

I just meant you had the word "There" capitalized in "Hi There" and I
had it in lower case.

> All your latest HMAC values are the same as in my first post.

You are right, they match up after all. I'm sorry about the confusion.
I shouldn't do this stuff when sleepy.

Tom St Denis
Feb 23, 2011, 9:41:09 AM

On Feb 22, 12:24 pm, W...@completely.invalid (Wolfgang Ehrhardt)
wrote:

> On Tue, 22 Feb 2011 07:53:54 -0800 (PST), Globemaker
>
> <alanfolms...@cabanova.com> wrote:
> >Is it true that there is no software available for me to run
> >SHA512_224 and that I would need to write a new program to get
> >SHA512_224 outputs?
>
> I do not know any published software with SHA512/224 and/or SHA512/256
> support. Remember NIST announced the new algorithms 11 days ago.
>
> There is the eprint document 548 "SHA-512/256" from 2010 by S.Gueron,
> S.Johnson, J.Walker, but they used other initialization constants.
>
> One of the main design goals for the new algorithms is to speed up hash
> calculation for 224/256 bit digests on 64 bit platforms using existing
> SHA512 code.

Because in true NIST fashion [at least on the SHS side] they wholesale
ignore anything but Quad-Mega-Core-2000 desktop PCs. It's one of the
reasons I dropped out of participating in the SHA-3 discussions.
Nobody would accept that performance on less-than-200W processors is a
useful concern.

Frankly, the only reason I can think of going to SHA-512 for a 224 or
256 bit hash is that it uses 80 rounds instead of 64. If I were
designing a protocol that needed a 256-bit hash today I'd use SHA-256
so that I'm not basically cutting out the billions of PPC/ARM
processors out there.

But what do people like me know ... we only spend all day trying to
jam crypto onto 24MHz ARM processors ... :-(

Tom
