3

At the start of each of the SHA-0 through -2 algorithms, the initial state is set to certain constants. I'm curious where the initialization values in SHA-224 are from.

  • MD5's initial values are simple increasing and decreasing patterns of hex digits.
  • SHA-0's and SHA-1's values are the same as MD5's with one additional value that is also a simple hex digit pattern.
  • SHA-256's values are the fractional bits of the square roots of primes $2$~$19$.
  • SHA-384's values are the fractional bits of the square roots of primes $23$~$53$.
  • SHA-512's values are SHA-256's values expanded out to 64 bits.

But what are SHA-224's initialization constants from? They're the only one in the SHA family that I can't find the source of. They're also not simply the square root of primes $23$~$53$ like you might expect.

Myria
  • 2,575
  • 13
  • 26

1 Answers1

7

The SHA-224 initial values are the second 32 bits of the fractional parts of the square roots of the 9th through 16th primes (namely, 23 through 53), or in other words, $\lfloor 2^{64} \sqrt{p} \rfloor \bmod 2^{32}$, for $p = 23, 29, 31, 37, 41, 43, 51, 53$

For example, the hex expansion of $\lfloor 2^{64} \sqrt{23} \rfloor = 4cbbb9d5dc1059ed8_{16}$, and so the initial value for $a$ is the last 8 hex digits, namely $c1059ed8_{16}$

Similarly, the hex expansion of $\lfloor 2^{64} \sqrt{29} \rfloor = 5629a292a367cd507_{16}$, and so the initial value for $b$ is $367cd507_{16}$

Note that the SHA-224 initial values are the lower 32 bits of the SHA-384 initial values (!).

poncho
  • 147,019
  • 11
  • 229
  • 360