sbv-8.7: SMT Based Verification: Symbolic Haskell theorem prover using SMT solving.

Copyright(c) Levent Erkok
Safe HaskellNone




Implementation of SHA2 class of algorithms, closely following the spec

We support all variants of SHA in the spec, except for SHA1. Note that this implementation is really useful for code-generation purposes from SBV, as it is hard to state (or prove!) any particular properties of these algorithms that is suitable for SMT solving.


Parameterizing SHA

data SHA w Source #

Parameterized SHA representation, that captures all the differences between variants of the algorithm. w is the word-size type.




Section 4.1.2, SHA functions

ch :: Bits a => a -> a -> a -> a Source #

The choose function.

maj :: Bits a => a -> a -> a -> a Source #

The majority function.

sum0 :: Bits a => SHA w -> a -> a Source #

The sum-0 function. We parameterize over the rotation amounts as different variants of SHA use different rotation amnounts.

sum1 :: Bits a => SHA w -> a -> a Source #

The sum-1 function. Again, parameterized.

sigma0 :: Bits a => SHA w -> a -> a Source #

The sigma0 function. Parameterized.

sigma1 :: Bits a => SHA w -> a -> a Source #

The sigma1 function. Parameterized.

SHA variants

sha224P :: SHA (SWord 32) Source #

Parameterization for SHA224.

sha256P :: SHA (SWord 32) Source #

Parameterization for SHA256. Inherits mostly from SHA224.

sha384P :: SHA (SWord 64) Source #

Parameterization for SHA384.

sha512P :: SHA (SWord 64) Source #

Parameterization for SHA512. Inherits mostly from SHA384.

sha512_224P :: SHA (SWord 64) Source #

Parameterization for SHA512_224. Inherits mostly from SHA512

sha512_256P :: SHA (SWord 64) Source #

Parameterization for SHA512_256. Inherits mostly from SHA512

Section 5, Preprocessing

newtype Block a Source #

Block is a synonym for lists, but makes the intent clear.


Block [a] 

prepareMessage :: forall w. (Num w, ByteConverter w) => SHA w -> String -> [Block w] Source #

Prepare the message by turning it into blocks. We also check for the message size requirement here. Note that this won't actually happen in practice as the input length would be > 2^64 (or 2^128), and you'd run out of memory first! Such a check

Section 6.2.2 and 6.4.2, Hash computation

hashBlock :: (Num w, Bits w) => SHA w -> [w] -> Block w -> [w] Source #

Hash one block of message, starting from a previous hash. This function corresponds to body of the for-loop in the spec. This function always produces a list of length 8, corresponding to the final 8 values of the H.

shaP :: (Num w, Bits w, ByteConverter w) => SHA w -> String -> [w] Source #

Compute the hash of a given string using the specified parameterized hash algorithm.

Computing the digest

sha224 :: String -> SWord 224 Source #

SHA224 digest.

sha256 :: String -> SWord 256 Source #

SHA256 digest.

sha384 :: String -> SWord 384 Source #

SHA384 digest.

sha512 :: String -> SWord 512 Source #

SHA512 digest.

sha512_224 :: String -> SWord 224 Source #

SHA512_224 digest.

sha512_256 :: String -> SWord 256 Source #

SHA512_256 digest.


knownAnswerTests :: Int -> Bool Source #

Collection of known answer tests for SHA. Since these tests take too long during regular regression runs, we pass as an argument how many to run. Increase the below number to 24 to run all tests. We have:

>>> knownAnswerTests 1

Code generation


It is not practical to generate SBV code for hashing an entire string, as it would require handling of a fixed size string. Instead we show how to generate code for hashing one block, which can then be incorporated into a larger program by providing the appropriate loop.

cgSHA256 :: IO () Source #

Generate code for one block of SHA256 in action, starting from an arbitrary hash value.


chunkBy :: Int -> ([a] -> b) -> [a] -> [b] Source #

Helper for chunking a list by given lengths and combining each chunk with a function

showHash :: (Show a, Integral a, SymVal a) => SBV a -> String Source #

Nicely lay out a hash value as a string