SHAd-256 Test Vectors

SHAd-256 (also written as SHA_d-256, SHA_d256, SHAd256, etc.) is an iterative hash function introduced by Niels Ferguson and Bruce Schneier in their book, Practical Cryptography. Like NMAC and HMAC, SHAd-256 is designed to avoid length extensions that are possible with ordinary SHA-256 (and most other iterative hash functions). This page provides test vectors for SHAd-256, which are missing from the book.

SHAd-256 is defined as follows:

SHAd-256(m) := SHA-256(SHA-256(m))

As of this writing, SHAd-256 has not received much peer review, so using it instead of HMAC-SHA-256 is not recommended. The main purpose of posting these test vectors is to aid implementation of Fortuna (also introduced in Practical Cryptography), which uses SHAd-256.

Download

Download the test vectors: SHAd256_Test_Vectors.txt (1.2 MB US-ASCII plain text).

SHA256 sum: aa9001bb6ebab8902e19c522fe2dc079dadb5267529d1e4cada1cfd99b2c28a1

File format

Each line of the file that starts with a colon (':') is a test vector. Lines without a colon in the first column should be ignored.

After the colon, each test vector consists of several values separated by white-space. The values are, in order:

  1. A string that identifies the test vector. Each test vector has its own identifier.
  2. The length in octets of the input data.
  3. A hexadecimal representation of the input data, the string "MILLION_a", or the string "RC4" (see below).
  4. A hexadecimal representation of the ordinary SHA-256 hash of the input data.
  5. A hexadecimal representation of the SHA_d-256 hash of the input data.

The following special cases are defined:

Sample test vectors

Here is a small sample of the 7583 test vectors included in the file:

Identifier: EMPTY
Input length (in octets): 0
Input data: (empty string)
SHA-256 hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHAd-256 hash: 5df6e0e2761359d30a8275058e299fcc0381534545f55cf43e41983f5d4c9456

Identifier: NIST.1
Input length (in octets): 3
Input data: "abc"
SHA-256 hash: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHAd-256 hash: 4f8b42c22dd3729b519ba6f68d2da7cc5b2d606d05daed5ad5128cc03e6c6358

Identifier: NIST.3
Input length (in octets): 1000000
Input data: ("a" repeated 1,000,000 times)
SHA-256 hash: cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0
SHAd-256 hash: 80d1189477563e1b5206b2749f1afe4807e5705e8bd77887a60187a712156688

Identifier: RC4.16
Input length (in octets): 16
Input data: (first 16 bytes of RC4 keystream where the key = 0) de188941a3375d3a8a061e67576e926d
SHA-256 hash: 067c531269735ca7f541fdaca8f0dc76305d3cada140f89372a410fe5eff6e4d
SHAd-256 hash: 2182d3fe9882fd597d25daf6a85e3a574e5a9861dbc75c13ce3f47fe98572246

Identifier: RC4.55
Input length (in octets): 55
Input data: (first 55 bytes of RC4 keystream where the key = 0) de188941a3375d3a8a061e67576e926dc71a7fa3f0cceb97452b4d3227965f9ea8cc75076d9fb9c5417aa5cb30fc22198b34982dbb629e
SHA-256 hash: 038051e9c324393bd1ca1978dd0952c2aa3742ca4f1bd5cd4611cea83892d382
SHAd-256 hash: 3b4666a5643de038930566a5930713e65d72888d3f51e20f9545329620485b03

Identifier: RC4.2^36+128
Input length (in octets): 68719476864
Input data: (first 2^36+128 bytes of RC4 keystream where the key = 0)
SHA-256 hash: 02eaeaeba71b64a97cc41c83625e497e64d991e0966773131b143689e50bd87d
SHAd-256 hash: f84bef74588a23683db45304c4fa973b09a6045b46a0be5eb0b28c4dbb2a21be
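
A checker for the file format described above, added here as an example (it is not code from this page's author). The lines in SAMPLE are constructed from the sample values above, and the function names, the max_len cutoff, and the reading of "key = 0" as an all-zero RC4 key are assumptions. How the file encodes zero-length input is not covered, so a line without exactly five fields is rejected.

```python
import hashlib

def shad256(data: bytes) -> bytes:
    # SHAd-256(m) := SHA-256(SHA-256(m)); the inner digest is fed in as raw bytes.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def rc4_keystream(key: bytes, n: int) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):  # keystream output, used here only as input data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def check_line(line: str, max_len: int = 1 << 24):
    # Returns (identifier, passed), or None for ignored and oversized lines.
    if not line.startswith(":"):
        return None  # no colon in the first column: not a test vector
    fields = line[1:].split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    ident, length, data, sha, shad = fields[0], int(fields[1]), *fields[2:]
    if length > max_len:
        return None  # too large to build in memory; needs incremental hashing
    if data == "MILLION_a":
        msg = b"a" * 1_000_000
    elif data == "RC4":
        msg = rc4_keystream(b"\x00", length)  # assumption: all-zero key
    else:
        msg = bytes.fromhex(data)
    ok = (len(msg) == length
          and hashlib.sha256(msg).hexdigest() == sha.lower()
          and shad256(msg).hex() == shad.lower())
    return ident, ok

def verify(text: str) -> dict:
    return dict(r for r in map(check_line, text.splitlines()) if r)

# Constructed lines in the described layout, using the sample values above.
SAMPLE = """this line has no leading colon and is ignored
:NIST.1 3 616263 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 4f8b42c22dd3729b519ba6f68d2da7cc5b2d606d05daed5ad5128cc03e6c6358
:NIST.3 1000000 MILLION_a cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0 80d1189477563e1b5206b2749f1afe4807e5705e8bd77887a60187a712156688
:RC4.16 16 RC4 067c531269735ca7f541fdaca8f0dc76305d3cada140f89372a410fe5eff6e4d 2182d3fe9882fd597d25daf6a85e3a574e5a9861dbc75c13ce3f47fe98572246
"""
```

verify(SAMPLE) returns a dict mapping each identifier to a pass/fail flag. The RC4.2^36+128 vector exceeds max_len and is skipped; checking it requires generating the keystream in chunks and hashing incrementally.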