[Cryptech Tech] Padding in hash cores?

Fredrik Thulin fredrik at thulin.net
Thu Feb 6 11:42:27 UTC 2014


On Thursday 06 February 2014 09.59.42 Joachim Strömbergson wrote:
> Aloha!
> 
> The current HW implementation of SHA-256 (and SHA-1) does not pad the
> message, but expects that the caller pads the message. Basically the
> core supports an initial message block followed by zero or more message
> blocks. For each block the core calculates and returns the digest. The
> caller therefore needs to pad the last block according to FIPS 180-4 if
> the result is going to be compatible with the standard.
> 
> I've seen the padding as a low complexity operation done at the end of a
> message that SW can handle, SW that probably anyway needs to keep track
> of the message length. This separation removes some complexity in the HW
> by being message length agnostic.

Sounds like the sane approach to me, for the FPGA.
 
> But is this what SW would expect from a HSM providing hashing? I would
> assume that a HSM containing both HW and SW parts would do this
> separation of duties. When you (SW developers) in the project think
> about the architecture, what are your expectations?
> 
> Do you want to handle the padding or just divide the message into
> blocks and for the final block just inform the core that it is the last
> block and how much data that block contains?

It seems reasonable to me that the FPGA expects fixed size blocks, and the 
layer above (MCU) does any necessary padding.

Unless there are any apparent downsides to this, I would prefer to not have to 
make sure every client library (meaning the computer side API) gets that 
right.

/Fredrik
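As an added illustration of the split discussed above (example code written for this page, not the Cryptech cores or any project code), here is a small Python model: the "core" only compresses fixed 64-byte blocks and knows nothing about message length, while the software side does the FIPS 180-4 padding and block splitting. It also exercises the boundary the MCU layer has to get right, namely that a 56-byte final chunk spills its padding into an extra block; the SHA-256 constants are computed here rather than copied from anywhere.

```python
import hashlib, struct
BLOCK, MASK = 64, 0xFFFFFFFF  # SHA-256 block size in bytes; 32-bit word mask

def fips180_pad(msg: bytes) -> bytes:
    """FIPS 180-4 sec. 5.1.1: append 0x80, zeros, then the 64-bit big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded)) % BLOCK)
    return padded + struct.pack(">Q", len(msg) * 8)

def blocks(padded: bytes) -> list:
    """Split a padded message into the fixed-size blocks the core expects."""
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def _frac_bits(p: int, r: int) -> int:
    """First 32 fraction bits of the r-th root of p, computed exactly with integers."""
    n = p << (32 * r)
    x = int(round(n ** (1.0 / r)))  # float seed, corrected below
    while x ** r > n: x -= 1
    while (x + 1) ** r <= n: x += 1
    return x & MASK

PRIMES = [p for p in range(2, 312) if all(p % d for d in range(2, int(p ** 0.5) + 1))]
H0 = [_frac_bits(p, 2) for p in PRIMES[:8]]  # initial hash value (sqrt of first 8 primes)
K = [_frac_bits(p, 3) for p in PRIMES]        # 64 round constants (cbrt of first 64 primes)

def _rotr(x: int, n: int) -> int: return ((x >> n) | (x << (32 - n))) & MASK

def compress(state: list, block: bytes) -> list:
    """Model of the HW core: compress one 64-byte block; no padding, no length tracking."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256_via_core(msg: bytes) -> bytes:
    """MCU-side flow: pad in software, then stream fixed 64-byte blocks through the core model."""
    state = H0
    for blk in blocks(fips180_pad(msg)):
        state = compress(state, blk)
    return b"".join(struct.pack(">L", v) for v in state)

def matches_hashlib(msg: bytes) -> bool:
    return sha256_via_core(msg) == hashlib.sha256(msg).digest()
```

Feeding a 55-byte message yields one block, a 56-byte one yields two, which is exactly the length bookkeeping the thread proposes to keep out of the FPGA.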
