MESSAGE SCHEDULING FOR CRYPTOGRAPHIC HASHING

Abstract

A method of performing cryptographic hashing when mining for Bitcoin comprises causing a message scheduler to calculate a set of partially-calculated input values for a SHA256 (e.g. SHA2560 424) cryptographic compression function using values which are based on invariable portions taken from an initial input message of the input messages (e.g. 418) to be hashed. For each subsequent input message of the input messages (e.g. 418) to be hashed, a set of fully-calculated input values for the SHA256 (e.g. SHA2560 424) cryptographic compression function is calculated using the partially-calculated input values and values which are based on variable portions of the subsequent input message to be hashed. The set of fully-calculated input values is then provided for use when performing the SHA256 (e.g. SHA2560 424) cryptographic compression function in respect of the subsequent input message. This reduces the number of calculations which need to be performed by the message scheduler.

Description

FIELD

The present invention relates to the operation of a message scheduler when performing cryptographic hashing in respect of plural different input messages to be hashed. The present invention relates particularly, although not exclusively, to cryptographic hashing when mining for cryptocurrency, such as Bitcoin.

BACKGROUND

Bitcoin mining comprises applying three instances of a SHA256 cryptographic hashing function (referred to herein respectively as “SHA256₀.” “SHA256₁” and “SHA256₂”) to an input message, which is derived from a Bitcoin Block Header. SHA256₀ uses a standard initialisation vector IV and is applied to a first part of the Bitcoin Block Header. SHA256₁ then uses the message digest H₀ of SHA256₀ as an initialisation vector and is applied to a second part of the Bitcoin Block Header plus some padding. Finally, SHA256₂ again uses the standard initialisation vector IV and is applied to the message digest of SHA256₁ plus some padding.

The ultimate aim of Bitcoin mining is to find a SHA256₂ message digest or “hash” that is lower than or equal to the current Target. If the Target condition is met, then the Bitcoin Block Header in question is accepted by the Bitcoin Network and the Bitcoin miner receives a mining award. On the other hand, if the Target condition is not met, the Bitcoin miner will need to perform cryptographic hashing in respect of one or more different Bitcoin Block Headers until the specified Target condition is met.

The different Bitcoin Block Headers are generally generated by incrementing a Nonce field in the second part of the Bitcoin Block Header. In this case, since the first part of the Bitcoin Block Header remains unchanged, the output of SHA256₀ is unchanged and there is no need to re-perform SHA256₀ for each new Nonce. Once all values for the Nonce have been exhausted, then a Bitcoin Block Header that references different transactions, by way of a different HashMerkleRoot, might be considered. Since the HashMerkleRoot spans both parts of the Bitcoin Block Header, SHA256₀ then needs to be re-performed to generate a new message digest H₀, and SHA256₁ then needs to be re-applied to the second part of the Bitcoin Block Header using that new message digest H₀ as the initialisation vector.

Bitcoin mining can be extremely computationally expensive and various optimisations have therefore been proposed. For example, Rahul P. Naik, “Optimising the SHA256 Hashing Algorithm for Faster and More Efficient Bitcoin Mining”, MSc Information Security Department of Computer Science UCL, 2013, describes various optimisations which make use of the fact that certain portions of the Bitcoin Block Header remain unchanged, or are slow to change, or are merely incremented, for plural different input messages. US 2018/0006808 A1 describes further optimisations which use hardwired values for the portions of input messages that always remain the same.

The above optimisations go some way to reducing the computational burden but further optimisation, particularly relating to message scheduling, is possible. In this regard, when performing the cryptographic hashing, a message scheduler is used to calculate (from distinct portions of the input message) a set of input values for compression by the cryptographic compression function. This process of calculating the input values can contribute significantly to the computational effort required to perform the cryptographic hashing.

EP 3 095 044 A1 accordingly describes an optimisation commonly known as “ASICBoost” in which different input messages are used for SHA256₀ but in which the last 32 bits of the HashMerkleRoot in the Bitcoin Block Header, which are used to derive the input message for SHA256₁, are kept the same. This is achieved either by identifying multiple instances of HashMerkleRoot that collide in the last 32 bits (commonly known as “Covert ASICBoost”) or by incrementing the Version in the Bitcoin Block Header (commonly known as “Overt ASICBoost”). The same message schedule for SHA256₁ can then be reused for multiple outputs of SHA256₀. Pham et al, “Double SHA-256 Hardware Architecture With Compact Message Expander for Bitcoin Mining”. IEEE Access, Volume 8, 2020, pp. 139634-139646, also describes avoiding certain message scheduler calculations for SHA256₁ and SHA256₂ where the input values will always have the value 0x00000000.

It is desired to provide further improvements relating to message scheduling for cryptographic hashing.

SUMMARY

According to an aspect of the present invention there is provided a method of performing cryptographic hashing in respect of plural different input messages to be hashed, the method comprising:

• • causing a message scheduler to:
  • calculate a set of one or more partially-calculated input values for a cryptographic compression function using one or more values based on one or more invariable portions of an initial input message to be hashed, wherein corresponding ones of the invariable portions do not vary across the plural different input messages to be hashed; and
  • for each of one or more subsequent input messages to be hashed:
  • calculate a set of fully-calculated input values for the cryptographic compression function, wherein calculating the set of fully-calculated input values comprises performing calculations using one or more of the partially-calculated input values and one or more values based on one or more variable portions of the subsequent input message to be hashed, wherein corresponding ones of the variable portions do vary across the plural different input messages to be hashed; and
  • provide the set of fully-calculated input values for use when performing the cryptographic compression function in respect of the subsequent input message.

According to another aspect of the present invention there is provided an apparatus for performing cryptographic hashing in respect of plural different input messages to be hashed, the apparatus comprising:

• • a message scheduler having processing circuitry configured to:
  • calculate a set of one or more partially-calculated input values for a cryptographic compression function using one or more values based on one or more invariable portions of an initial input message to be hashed, wherein corresponding ones of the invariable portions do not vary across the plural different input messages to be hashed; and
  • for each of one or more subsequent input messages to be hashed:
  • calculate a set of fully-calculated input values for the cryptographic compression function, wherein calculating the set of fully-calculated input values comprises performing calculations using one or more of the partially-calculated input values and one or more values based on one or more variable portions of the subsequent input message to be hashed, wherein corresponding ones of the variable portions do vary across the plural different input messages to be hashed; and
  • provide the set of fully-calculated input values for use when performing the cryptographic compression function in respect of the subsequent input message.

As will be appreciated, the present invention can greatly increase speed and efficiency when performing cryptographic hashing in respect of plural different input messages which have invariable portions and variable portions. In particular, the Applicant has recognised that certain input values for a cryptographic compression function may vary for plural different input messages to be hashed. This is because those variable input values are derived from message portions which vary across the plural different input messages to be hashed. However, the Applicant has identified that even those variable input values might be calculated at least in part using message portions which do not vary across the plural different input messages to be hashed. The Applicant has then recognised that those variable input values can at least be partially calculated once in respect of an initial input message using the invariable portions, and that those partially-calculated input values can then be reused to calculate fully-calculated input values for one or more subsequent input messages. This can significantly reduce the number of calculations which need to be performed when calculating the variable input values for plural different input messages to be hashed. This in turn can significantly increase the processing speed and/or can significantly reduce the processing burden placed on the apparatus used to perform the cryptographic hashing. This is in contrast to the known optimisations in which only invariable fully-calculated input values are determined in advance and then reused for plural different input messages.

In embodiments, the cryptographic hashing may be performed when mining for cryptocurrency, such as (but not limited to) Bitcoin. However, the techniques disclosed herein may equally be applied in other cryptographic hashing contexts in which plural input messages have invariable portions and variable portions.

In embodiments, the cryptographic compression function may be a SHA256 compression function. The cryptographic compression function may be a first instance cryptographic compression function (referred to herein as “SHA256₀”), a second instance cryptographic compression function (referred to herein as “SHA256₁”), or a third instance cryptographic compression function (referred to herein as “SHA256₂”). Overall, the cryptographic hashing may comprise performing plural (e.g. three) instances of a cryptographic compression function, with a message scheduler for one or more (e.g. each) instance operating in the manner of the present invention.

In embodiments, the plural different input messages to be hashed may each correspond to a different Bitcoin Block Header. The Bitcoin Block Headers may each comprise a Version field, a HashPrevBlock field, a HashMerkleRoot field, a Timestamp field, a Target field, and a Nonce field. The Bitcoin Block Headers may be padded with a Padding+Length field for the purposes of the cryptographic hashing. The one or more invariable portions and/or one or more variable portions may be distinct portions of an input message to be hashed.

In embodiments in which the cryptographic compression function is a first instance cryptographic compression function (SHA256₀), the plural different input messages to be hashed may each comprise a Version field, a HashPrevBlock field, and/or a (first) part of a HashMerkleRoot field. The one or more invariable portions may correspond to the HashPrevBlock field and/or to the (first) part of the HashMerkleRoot field. The one or more variable portions may correspond to the Version field. The Version field may be incremented across the plural different input messages. In embodiments in which the cryptographic compression function is a first instance cryptographic compression function (SHA256₀), the cryptographic compression function may use the SHA256 standard initialisation vector as the initialisation vector.

In embodiments in which the cryptographic compression function is a second instance cryptographic compression function (SHA256₁), the plural different input messages to be hashed may each comprise a (second) part of a HashMerkleRoot field, a Timestamp field, a Target field, a Nonce field, and/or a Padding+Length field. The one or more invariable portions may correspond to the (second) part of the HashMerkleRoot field, the Timestamp field, the Target field, and/or the Padding+Length field. The one or more variable portions may correspond to the Nonce field. The Nonce field may be incremented across the plural different input messages. In embodiments in which the cryptographic compression function is a second instance cryptographic compression function (SHA256₁), the cryptographic compression function may use a message digest (from a first instance cryptographic compression function (SHA256₀)) as the initialisation vector.

In embodiments in which the cryptographic compression function is a third instance cryptographic compression function (SHA256₂), the plural different input messages to be hashed may each comprise a Message Digest field (from a second instance cryptographic compression function (SHA256₁)) and a Padding+Length field. The one or more invariable portions may correspond to the Padding+Length field. The one or more variable portions may correspond to the Message Digest field. In embodiments in which the cryptographic compression function is a third instance cryptographic compression function (SHA256₂), the cryptographic compression function may use the SHA256 standard initialisation vector as the initialisation vector.

It will be appreciated that the one or more invariable portions referred to herein will not vary across the plural different input messages to be hashed, i.e. those message portions will be the same in each and every one of the plural different input messages. Moreover, it may be the case that one or more of those invariable portions will always be the same for the cryptographic hashing context (e.g. independent of any Bitcoin Block Header), such as the Padding+Length field. However, it will also be appreciated that one or more of the invariable portions may change for input messages not forming part of the plural different input messages to be processed in the manner of the present invention. For example, one or more of the invariable portions may change if there is an update to the HashPrevBlock field, HashMerkleRoot field, Timestamp field, and/or Target field. In this case, the one or more partially-calculated input values may need to be re-calculated based on a further initial input message for a further set of plural different input messages so as to again be processed in the manner of the present invention.

It will also be appreciated that the one or more variable portions referred to herein will vary across the plural different input messages to be hashed, i.e. those message portions will be different in each and every one of the plural different input messages. For example, as discussed above, those one or more variable portions may be incremented across the plural different input messages.

In embodiments, for the initial input message, the calculation of a partially-calculated input value of the set of one or more partially-calculated input values may comprise performing some, but not all, of the operations in a (e.g. SHA256) message scheduling calculation. The message scheduling calculation may comprise performing:

${\sigma }_1\left(W\left[t-2\right]\right)+W\left[t-7\right]+{\sigma }_0\left(W\left[t-15\right]\right)+W\left[t-16\right]$ $\text{where:}$ ${\sigma }_1\left(x\right)={\mathrm{ROTR}}_{17}\left(x\right)\oplus {\mathrm{ROTR}}_{19}\left(x\right)\oplus {\mathrm{SHR}}_{10}\left(x\right)$ ${\sigma }_0\left(x\right)={\mathrm{ROTR}}_7\left(x\right)\oplus {\mathrm{ROTR}}_{18}\left(x\right)\oplus {\mathrm{SHR}}_3\left(x\right)$

• • ROTR_i is a bitwise rotate right for i bits
  • SHR_i is a bitwise shift right for i bits; and
  • ⊕ is a bitwise exclusive OR

Thus, for the initial input message, the calculation of a partially-calculated input value of the set of one or more partially-calculated input values may comprise performing one or more of: an add operation; a bitwise rotate right (ROTR) operation; a bitwise shift right (SHR) operation; and a bitwise exclusive OR (⊕) operation.

In embodiments, the message scheduler may be configured to store one or more partially-calculated input values (e.g. in electronic storage such as (but not limited to) registers and/or memory). The message scheduler may be configured to retrieve one or more partially-calculated input values (e.g. from the electronic storage) prior to performing calculations using one or more of the partially-calculated input values.

In embodiments, for a subsequent input message to be hashed, the calculation of a fully-calculated input value of the set of fully-calculated input values may comprise performing some, but not all, of the operations (e.g. performing the remaining operations) in a (e.g. SHA256) message scheduling calculation. Again, the message scheduling calculation may comprise performing:

${\sigma }_1\left(W\left[t-2\right]\right)+W\left[t-7\right]+{\sigma }_0\left(W\left[t-15\right]\right)+W\left[t-16\right]$ $\text{where:}$ ${\sigma }_1\left(x\right)={\mathrm{ROTR}}_{17}\left(x\right)\oplus {\mathrm{ROTR}}_{19}\left(x\right)\oplus {\mathrm{SHR}}_{10}\left(x\right)$ ${\sigma }_0\left(x\right)={\mathrm{ROTR}}_7\left(x\right)\oplus {\mathrm{ROTR}}_{18}\left(x\right)\oplus {\mathrm{SHR}}_3\left(x\right)$

• • ROTR_i is a bitwise rotate right for i bits
  • SHR_i is a bitwise shift right for i bits; and
  • ⊕ is a bitwise exclusive OR

Thus, for a subsequent input message to be hashed, the calculation of a fully-calculated input value of the set of fully-calculated input values may comprise performing one or more of: an add operation; a bitwise rotate right (ROTR) operation; a bitwise shift right (SHR) operation; and a bitwise exclusive OR (⊕) operation.

In embodiments, for each subsequent input message to be hashed, the calculation of a fully-calculated input value may also comprise adding a round-specific constant to the fully-calculated input value. Adding a round-specific constant may be performed by the message scheduler. Alternatively, adding a round-specific constant may be performed by a message compressor that performs the cryptographic compression function in respect of the subsequent input message.

In embodiments, the message scheduler may be further configured to derive a set of one or more incrementable fully-calculated input values for the cryptographic compression function based on one or more incremented portions of the initial input message to be hashed, wherein the one or more incremented portions will be incremented across the plural different input messages to be hashed. The message scheduler may be further configured to store one or more of the incrementable fully-calculated input values (e.g. in electronic storage such as (but not limited to) registers and/or memory). The message scheduler may be further configured to retrieve the one or more incrementable fully-calculated input values (e.g. from the electronic storage). For each of the one or more subsequent input messages, the process of calculating the set of fully-calculated input values may comprise calculating a set of one or more incremented fully-calculated input values for the cryptographic compression function by incrementing the one or more incrementable fully-calculated input values. The set of one or more incremented fully-calculated input values may then be provided for use when performing the cryptographic compression function in respect of the subsequent input message. The set of one or more incremented fully-calculated input values may also be used as the set of one or more incrementable fully-calculated input values for the next subsequent input message.

In embodiments in which the cryptographic compression function is a first instance cryptographic compression function (SHA256₀), the one or more incremented portions may correspond to the Version field. In embodiments in which the cryptographic compression function is a second instance cryptographic compression function (SHA256₁), the one or more incremented portions may correspond to the Nonce field.

In embodiments, the message scheduler may be further configured to derive a set of one or more invariable fully-calculated input values for the cryptographic compression function based (e.g. solely) on one or more invariable portions of the initial input message to be hashed, wherein corresponding ones of the invariable portions do not vary across the plural different input messages to be hashed. The message scheduler may be further configured to store one or more of the invariable fully-calculated input values (e.g. in electronic storage such as (but not limited to) registers and/or memory). The message scheduler may be further configured to retrieve the one or more invariable fully-calculated input values (e.g. from the electronic storage). One or more of the invariable fully-calculated input values may, for example, be stored in non-volatile memory. One or more of the invariable fully-calculated input values may also or instead be hardwired, for example in cases where those invariable fully-calculated input values will always be the same for the cryptographic hashing context (e.g. independent of any Bitcoin Block Header). The set of one or more invariable fully-calculated input values may then be provided for use when performing the cryptographic compression function in respect of the subsequent input message.

The Applicants have further identified that, due to the calculation of input values based on an initial input message, certain calculations which are needed when performing full calculation of input values in respect of a subsequent input message can be performed in parallel. This is because some calculations required when calculating the one or more fully-calculated input values for the subsequent input message will already have been performed when calculating the input values for the initial input message. This can allow for parallel calculation of the fully-calculated input values for the subsequent input message.

Thus, in embodiments, calculating the set of one or more fully-calculated input values for a subsequent input message may comprise calculating a first set of fully-calculated input values for the subsequent input message and calculating a second set of fully-calculated input values for the subsequent input message, wherein calculation of the first set of fully-calculated input values is performed in parallel with calculation of the second set of fully-calculated input values. In embodiments, one or more of the first set of fully-calculated input values may be used when calculating one or more of the second set of fully-calculated values and one or more of the second set of fully-calculated input values may be used when calculating one or more of the first set of fully-calculated values. These embodiments can significantly increase the processing speed by introducing parallelism to the message scheduler.

As will be appreciated, where there are variable fully-calculated input values which cannot make use of one or more invariable portions in the manner described herein, calculating the set of fully-calculated input values for a subsequent input message may further comprise fully calculating those variable fully-calculated input values using the full message scheduling calculation.

As will also be appreciated, embodiments may further comprise, for each of one or more subsequent input messages, causing a message compressor to perform the cryptographic compression function in respect of the subsequent input message using the set of fully-calculated input values to generate a message digest. The message digest from one instance may be passed to a subsequent instance (in the case of SHA256₀ and SHA256₁) or may be compared to the Target (in the case of SHA256₂).

Embodiments can be implemented in any desired and suitable data processing apparatus, such as any suitably configured computer-based, processor-based, and/or circuitry-based, system. Similarly, the various functions of the apparatus described herein can be carried out in any desired and suitable manner. For example, the functions of the apparatus described herein may be implemented in hardware and/or software as desired. Thus, unless otherwise indicated, the various functional elements described herein may, for example, comprise a suitable processor or processors, controller or controllers, functional unit or units, circuitry, processing logic, microprocessor arrangements, etc., that are operable to perform the various functions, etc., such as appropriately dedicated hardware elements (processing circuitry) and/or programmable hardware elements (processing circuitry) that are configured to operate in the desired manner. In embodiments, the apparatus may comprise one or more integrated circuits, such as one or more ASICs (Application-Specific Integrated Circuits) and/or FPGAs (Field-Programmable Gate Arrays). In embodiments, the apparatus may comprise, and/or may be in communication with, one or more electronic storage devices that store the data (e.g. input message data, partially-calculated input values, fully-calculated input values, round-specific constants, initialisation vectors, message digests, etc.) as described herein.

BRIEF DESCRIPTION OF DRAWINGS

By way of example only, embodiments of the present invention will now be described in detail with reference being made to the accompanying drawings in which:

FIG. 1 illustrates a cryptographic hashing module according to an embodiment of the present invention;

FIG. 2 shows details of a message scheduler for use in the cryptographic hashing module of FIG. 1;

FIG. 3 shows details of a section of the message scheduler of FIG. 2;

FIG. 4 illustrates cryptographic hashing of a Bitcoin Block Header according to an embodiment of the present invention;

FIG. 5 illustrates details of message compression modules for use in the cryptographic hashing module of FIG. 4;

FIG. 6 shows the operations of computation variants used to derive fully-calculated input values according to an embodiment of the present invention;

FIG. 7 illustrates a hardware implementation of a message scheduler for SHA256₀ according to an embodiment of the present invention;

FIG. 8 illustrates a hardware implementation of a message scheduler for SHA256₁ according to an embodiment of the present invention;

FIG. 9 illustrates a hardware implementation of a message scheduler for SHA256₁ according to another embodiment of the present invention; and

FIG. 10 illustrates a hardware implementation of a message scheduler for SHA256₂ according to an embodiment of the present invention.

DETAILED DESCRIPTION

FIG. 1 shows a cryptographic hashing module 102 comprising processing circuitry for performing cryptographic hashing. The cryptographic hashing module 102 may, for example, be implemented using one or more ASICs. In this embodiment, the cryptographic hashing module 102 performs SHA256 to compress a 512-bit input message 104 based on a 256-bit initialisation vector 106 in order to produce a 256-bit message digest or hash 108. The cryptographic hashing module 102 comprises a message scheduler 110 which divides the input message 104 into distinct portions and uses those distinct portions to derive a set of input values for t rounds of message compression performed by message compressor 112.

In SHA256, the message scheduler 110 divides the input message 104 into 16×32-bit words M[0]-M[15] and expands those 16×32-bit words to derive a set of 64×32-bit input values W[0]-W[63] for the message compressor 112 in accordance with the following:

$\mathrm{For}0\le t\le 15,$ $W\left[t\right]=M\left[t\right]$ $\mathrm{For}16\le t\le 63,$ $W\left[1\right]={\sigma }_1\left(W\left[t-2\right]\right)+W\left[t-7\right]+{\sigma }_0\left(W\left[t-15\right]\right)+W\left[t-16\right]$ $\text{where:}$ ${\sigma }_1\left(x\right)={\mathrm{ROTR}}_{17}\left(x\right)\oplus {\mathrm{ROTR}}_{19}\left(x\right)\oplus {\mathrm{SHR}}_{10}\left(x\right)$ ${\sigma }_0\left(x\right)={\mathrm{ROTR}}_7\left(x\right)\oplus {\mathrm{ROTR}}_{18}\left(x\right)\oplus {\mathrm{SHR}}_3\left(x\right)$

• • ROTR_i is a bitwise rotate right for i bits
  • SHR_i is a bitwise shift right for i bits; and
  • ⊕ is a bitwise exclusive OR

The 8 elements H_A-H_H of the initialisation vector 106 are stored as working variables A-H in electronic storage 114 as follows:

• • A=H_A; B=H_B; C=H_C; D=H_D; E=H_E; F=H_F; G=H_G; H=H_H

The message compressor 112 then performs 64 rounds of a SHA256 message compression function using the set of input values W[0]-W[63] provided by the message scheduler 110, together with the working variables A-H stored in electronic storage 114 and a set of 64×32-bit round-specific constants K[0]-K[63] in accordance with the following:

$T_1=H+{\sum }_1\left(E\right)+\mathrm{Ch}\left(E,F,G\right)+K\left[t\right]+W\left[t\right]$ $T_2={\sum }_0\left(A\right)+\mathrm{Maj}\left(A,B,C\right)$ $H=G;G=F;F=E$ $E=D+T_1=D+H+{\sum }_1\left(E\right)+\mathrm{Ch}\left(E,F,G\right)+K\left[t\right]+W\left[t\right]$ $D=C;C=B;B=A$ $A=T_1+T_2=H+{\sum }_1\left(E\right)+\mathrm{Ch}\left(E,F,G\right)+{\sum }_0\left(A\right)+\mathrm{Maj}\left(A,B,C\right)+K\left[t\right]+W\left[t\right]$ $\mathrm{where},$ $\mathrm{Ch}\left(E,F,G\right)=\left(E\wedge F\right)\oplus \left(\neg E\wedge G\right)$ $\mathrm{Maj}\left(A,B,C\right)=\left(A\wedge B\right)\oplus \left(A\wedge C\right)\oplus \left(B\wedge C\right)$ ${\sum }_0\left(A\right)={\mathrm{ROTR}}_2\left(A\right)\oplus {\mathrm{ROTR}}_{13}\left(A\right)\oplus {\mathrm{ROTR}}_{22}\left(A\right)$ ${\sum }_1\left(E\right)={\mathrm{ROTR}}_6\left(E\right)\oplus {\mathrm{ROTR}}_{11}\left(E\right)\oplus {\mathrm{ROTR}}_{25}\left(E\right)$

After the 64 rounds the following calculations are performed:

$H_A=A+H_A$ $H_B=B+H_B$ $H_C=C+H_C$ $H_D=D+H_D$ $H_E=E+H_E$ $H_F=F+H_F$ $H_G=G+H_G$ $H_H=H+H_H$

With the final message digest (big-endian) being given by:

$H=H_AH_BH_CH_DH_EH_FH_GH_H$

In SHA256, the standard initialisation vector IV is:

$H_A=0\times 6a09e667$ $H_B=0\times \mathrm{bb}67\mathrm{ae}85$ $H_C=0\times 3c6\mathrm{ef}372$ $H_D=0\times a54\mathrm{ff}53a$ $H_E=0\times 510e527f$ $H_F=0\times 9b05688c$ $H_G=0\times \mathrm{lf}83d9\mathrm{ab}$ $H_H=0\times 5\mathrm{be}0\mathrm{cdl}9$

and the round-specific constants K[0]-K[63] are:

K[0] = 0x428A2F98	K[1] = 0x71374491	K[2] = 0xB5COFBCF	K[3] = 0xE9B5DBA5
K[4] = 0x3956C25B	K[5] = 0x59F111F1	K[6] = 0x923F82A4	K[7] = 0xAB1C5ED5
K[8] = 0xD807AA98	K[9] = 0x12835B01	K[10] = 0x243185BE	K[11] = 0x550C7DC3
K[12] = 0x72BE5D74	K[13] = 0x80DEB1FE	K[14] = 0x9BDC06A7	K[15] = 0xC19BF174
K[16] = 0xE49B69C1	K[17] = 0xEFBE4786	K[18] = 0x0FC19DC6	K[19] = 0x240CA1CC
K[20] = 0x2DE92C6F	K[21] = 0x4A7484AA	K[22] = 0x5CB0A9DC	K[23] = 0x76F988DA
K[24] = 0x983E5152	K[25] = 0xA831C66D	K[26] = 0xB00327C8	K[27] = 0xBF597FC7
K[28] = 0xC6E00BF3	K[29] = 0xD5A79147	K[30] = 0x06CA6351	K[31] = 0x14292967
K[32] = 0x27B70A85	K[33] = 0x2E1B2138	K[34] = 0x4D2C6DFC	K[35] = 0x53380D13
K[36] = 0x650A7354	K[37] = 0x766A0ABB	K[38] = 0x81C2C92E	K[39] = 0x92722C85
K[40] = 0xA2BFE8A1	K[41] = 0xA81A664B	K[42] = 0xC24B8B70	K[43] = 0xC76C51A3
K[44] = 0xD192E819	K[45] = 0xD6990624	K[46] = 0xF40E3585	K[47] = 0x106AA070
K[48] = 0x19A4C116	K[49] = 0x1E376C08	K[50] = 0x2748774C	K[51] = 0x34B0BCB5
K[52] = 0x391C0CB3	K[53] = 0x4ED8AA4A	K[54] = 0x5B9CCA4F	K[55] = 0x682E6FF3
K[56] = 0x748F82EE	K[57] = 0x78A5636F	K[58] = 0x84C87814	K[59] = 0x8CC70208
K[60] = 0x90BEFFFA	K[61] = 0xA4506CEB	K[62] = 0xBEF9A3F7	K[63] = 0xC67178F2

FIG. 2 shows further details of the message scheduler 110. In this embodiment, the message scheduler 110 comprises a resource sharing (rolled) hardware architecture. The message scheduler 110 receives the input message 104 and calculates a set of input values W[0]-W[63] for the compression function as discussed above. In this embodiment, the message scheduler 110 also performs the step of adding the set of round-specific constants K[0]-K[63] respectively to the set of input values W[0]-W[63] to generate a set of constant-modified input values W′[0]-W′[63], although in other embodiments this addition could instead be performed by the message compressor 112.

FIG. 3 shows details of a section of the message scheduler 110. In this embodiment, the section of the message scheduler 110 comprises a multiplexor 302 for progressively selecting, in respect of an initial input message, the input value W[t] either to be i) M[t] for 0≤t≤15; or ii) σ₁(W[t−2])+W[t−7]+σ₀(W[t−15])+W[t−16] for 16≤t≤63. The selected input value W[t] is then progressively passed to circuitry 304 for addition with K[t] to produce the constant-modified input value W′[t], which as discussed below may in some cases be stored as a reusable value μ′[t]. To enable the calculation of W[t] for 16≤t≤63, the input values W[t] are also progressively moved through a set of 16×32-bit registers 306. Circuitry 308 is then used to perform the standard message scheduling calculation: σ₁(W[t−2])+W[t−7]+σ₀(W[t−15])+W[t−16]. In accordance with embodiments of the present invention, the circuitry 308 can also perform only selected ones of the operations in the message scheduling calculation to produce reusable values μ[t]. Those reusable values μ[t] can then be stored in electronic storage 310 for later use with subsequent input messages. Using a resource sharing (rolled) hardware architecture for the one-off computations in respect of an initial input message reduces the need for a large chip area and reduces power consumption. The section of the message scheduler 110 as shown in FIG. 3 can then be shut down to conserve energy when calculating input values for subsequent input messages.

FIG. 4 shows cryptographic hashing of a Bitcoin Block Header 402. The Bitcoin Block Header 402 contains: a 32-bit Version field 404 which provides block version information; a 256-bit HashPrevBlock field 406 which provides the message digest of the previous block accepted by the Bitcoin Network which is referenced by the current block; a 256-bit HashMerkleRoot field 408 which provides a message digest of the Merkle Root for the unconfirmed transactions that are selected by the Bitcoin miners to include in the new block; a 32-Bit Timestamp field 410 which provides the current timestamp in seconds since 1970 Jan. 1 00:00 UTC; a 32-bit Target field 412 which provides the current Target to be met for the message digest of the new block (i.e. indicative of a particular minimum number of leading zeros that the message digest must have); and a 32-bit Nonce field 414 which is used to add variation to the block header so as to compute different message digests. A 384-bit Padding+Length field 416 is appended to provide two 512-bit input messages 418 and 420 of suitable size for cryptographic hashing using SHA256. In some embodiments, the Padding+Length may be provided by non-volatile memory or hardwired values since the values in question are always constant.

In order to perform the cryptographic hashing, a first input message 418 is provided to a first cryptographic hashing module 424. The first cryptographic hashing module 424 then performs a first instance cryptographic hashing SHA256₀ of the first input message 418 using the standard initialisation vector IV 422. SHA256₀ produces a first message digest H₀ which is stored in electronic storage 426. The second input message 420 is provided to a second cryptographic hashing module 428. The second cryptographic hashing module 428 then performs a second instance cryptographic hashing SHA256₁ of the second input message 420 using the first message digest H₀ as the initialisation vector. SHA256₁ produces a second message digest H₁ 430. The second message digest H₁ is combined with a Padding+Length 432 to create a third input message 434 of suitable size for cryptographic hashing using SHA256. In some embodiments, the Padding+Length may again be provided by non-volatile memory or hardwired values since the values in question are always constant. The third input message 434 is provided to a third cryptographic hashing module 438. The third cryptographic hashing module 438 performs a third instance cryptographic hashing SHA256₂ of the third input message 434 using the standard initialisation vector IV 436. SHA256₂ produces a third, and final, message digest H₂ 440. If the third message digest H₂ meets the Target condition, then the Bitcoin Block Header used to create that message digest H₂ can be broadcast to the Bitcoin Network. On the other hand, if the third message digest H₂ does not meet the Target condition, then one or more different Bitcoin Block Headers will need to be considered. In this embodiment, the one or more different Bitcoin Block Headers are derived by incrementing the Version field 404 and/or by incrementing the Nonce field 414 so as to give plural different input messages (plural different first input messages 418, plural different second input messages 420, and/or plural different third input messages 434) to be hashed.

FIG. 5 shows a first message compressor 502 for performing the 64 rounds of compression in SHA256₀. The first message compressor 502 receives the set of constant-modified input values W₀′[t] from a message scheduler and the standard initialisation vector IV 422. Also shown is circuitry 504 for adding the outputs of the first message compressor 502 to the elements of the standard initialisation vector IV 422 to produce the first message digest H₀. Also shown is a second message compressor 506 for performing the 64 rounds of compression in SHA256₁. The second message compressor 506 receives the set of constant-modified input values W₁′[t] from a message scheduler and H₀ as an initialisation vector. Also shown is circuitry 508 for adding the outputs of the second message compressor 506 to the elements of H₀ to produce the second message digest H₁. Also shown is a third message compressor 510 for performing the 64 rounds of compression in SHA256₂. The third message compressor 510 receives the set of constant-modified input values W₂′[t] from a message scheduler (not shown), which are based on H₁, and the standard initialisation vector IV 436. Also shown is circuitry 512 for adding the outputs of the third message compressor 510 to the elements of the standard initialisation vector IV 436 to produce the third, and final, message digest H₂. In this embodiment, each of the message compressors comprises a resource sharing (rolled) hardware architecture. Using a resource sharing (rolled) hardware architecture for the message compressors again reduces the need for a large chip area; reducing power consumption.

FIG. 6 illustrates computation variants CV₁-CV₇ that can be used by a message scheduler when calculating fully-calculated input values using partially-calculated input values. Also shown for comparison is the standard computation variant CV₀ for fully calculating input values, i.e. for the full message scheduling calculation σ₁(W[t−2])+W[t−7]+σ₀(W[t−15])+W[t−16]. As is apparent from FIG. 6, the computation variants CV₁-CV₇ can provide the following savings each time they are used in place of the standard computation variant CV₀:

	Savings
Variant	Add	ROTR	SHR	⊕
CV1	3	2	1	2
CV2	2	2	1	2
CV3	2	2	1	2
CV4	1	2	1	2
CV5	0	2	1	2
CV6	1	2	1	2
CV7	1	0	0	0

SHA256₀ Implementation

Referring again to FIG. 4, the first input message 418, which is provided to the first cryptographic hashing module 424 to perform SHA256₀, comprises the 32-bit Version field 404; the 256-bit HashPrevBlock field 406; and the first 224 bits of the HashMerkleRoot field 408. As per “ASICBoost”, mentioned above, the Version may be incremented to create multiple instances of H₀. When this happens, M[00] (i.e. corresponding to the 32-bit Version field 404) is incremented, but the other M[t] (i.e. corresponding to the HashPrevBlock field 406 and HashMerkleRoot field 408) do not vary. With this in mind, embodiments of the present invention can make use of the following observations for plural different first input messages 418:

• • W[03] to W[15] will remain unchanged.
  • σ_0/1(W[03]) to σ_0/1(W[15]) will also remain unchanged in view of observation 1 above.

Based on the current Target, W[01] and W[02] will remain unchanged as 0x00000000. Additions of these values can be avoided.

σ₀(W[01]) and σ₀(W[02]) will also remain unchanged as 0x00000000 in view of observation 3 above. Additions of these values can be avoided.

Various reusable values μ[t] can be calculated once for an initial value of W[00], such as 0x20000000, using the space-saving rolled hardware of FIG. 3.

For other values of W[00], the reusable values μ[t] can be directly fed into the computation variants CV₁-CV₇ shown in FIG. 6 to obtain the same result as the standard computation variant CV₀ shown in FIG. 6.

Constant-modified reusable values μ′[t]=μ[t]+K[t] can also be computed once for an initial value of W[00], such as 0x20000000, and then reused for other values of W[00] in cases where μ[t]=W[t].

For other values of W[00], the constant-modified reusable values μ′[t] can be directly fed into the message compression function of SHA256₀.

The reusable values μ[t] and μ′[t] can be fed into the set of message schedule computation variants in a fully unrolled ASIC hardware implementation 700 to obtain a SHA256₀ fully unrolled message schedule as shown in FIG. 7.

Keeping the above observations in mind, the following reusable values μ[t] and μ′[t] can be stored for an initial input message and reused for subsequent input messages:

SHA2560 Message Scheduler Calculations
		Stored	Optimised		Stored	Optimised W′[t] =
	Initial	Value	W[t] for	Initial	Value	μ[t] + K[t] for
t	W[t]	μ[t]	other inputs	W′[t]	μ′[t]	other inputs	Comment
0	W[00]	—	W[00]	K[00] +	K[00] +	μ′[00]++	Incremented
				W[00]	W[00]
1			0x00000000	K[01] +	K[01] +	K[01]	W[01] Always
							0x00000000
2			0x00000000	K[02] +	K[02] +	K[02]	W[02] Always
							0x00000000
3	W[03]	—	W[03]	K[03] +	K[03] +	μ′[03]	Stored
				W[03]	W[03]
4	W[04]	—	W[04]	K[04] +	K[04] +	μ′[04]	Stored
				W[04]	W[04]
5	W[05]	—	W[05]	K[05] +	K[05] +	μ′[05]	Stored
				W[05]	W[05]
6	W[06]	—	W[06]	K[06] +	K[06] +	μ′[06]	Stored
				W[06]	W[06]
7	W[07]	—	W[07]	K[07] +	K[07] +	μ′[07]	Stored
				W[07]	W[07]
8	W[08]	—	W[08]	K[08] +	K[08] +	μ′[08]	Stored
				W[08]	W[08]
9	W[09]	—	W[09]	K[09] +	K[09] +	μ′[09]	Stored
				W[09]	W[09]
10	W[10]	—	W[10]	K[10] +	K[10] +	μ′[10]	Stored
				W[10]	W[10]
11	W[11]	—	W[11]	K[11] +	K[11] +	μ′[11]	Stored
				W[11]	W[11]
12	W[12]	—	W[12]	K[12] +	K[12] +	μ′[12]	Stored
				W[12]	W[12]
13	W[13]	—	W[13]	K[13] +	K[13] +	μ′[13]	Stored
				W[13]	W[13]
14	W[14]	—	W[14]	K[14] +	K[14] +	μ′[14]	Stored
				W[14]	W[14]
15	W[15]	—	W[15]	K[15] +	K[15] +	μ′[15]	Stored
				W[15]	W[15]
16	σ1(W[14]) +	σ1(W[14]) +	μ[16]++	K[16] +	K[16] +	μ′[16]++	Incremented
	W[09] +   +	W[09] +   +		σ1(W[14]) +	σ1(W[14]) +
	W[00]	W[00]		W[09] +	W[09] +
				+ W[00]	+ W[00]
17	σ1(W[15]) +	σ1(W[15]) +	μ[17]	K[17] +	K[17] +	μ′[17]	Stored
	W[10] +	W[10] +		σ1(W[15]) +	σ1(W[15]) +
	+	+		W[10] +	W[10] +
				+	+
18	σ1(W[16]) +	W[11] +	μ[18] +	K[18] +	—	K[18] +	Partially
	W[11] +	σ0(W[03]) +	σ1(W[16])	σ1(W[16]) +		μ[18] +	Stored
	σ0(W[03]) +			W[11] +		σ1(W[16])
				σ0(W[03]) +
19	σ1(W[17]) +	σ1(W[17]) +	μ[19]	K[19] +	K[19] +	μ′[19]	Stored
	W[12] +	W[12] +		σ1(W[17]) +	σ1(W[17]) +
	σ0(W[04]) +	σ0(W[04]) +		W[12] +	W[12] +
	W[03]	W[03]		σ0(W[04]) +	σ0(W[04]) +
				W[03]	W[03]
20	σ1(W[18]) +	W[13] +	μ[20] +	K[20] +	—	K[20] +	Partially
	W[13] +	σ0(W[05]) +	σ1(W[18])	σ1(W[18]) +		μ[20] +	Stored
	σ0(W[05]) +	W[04]		W[13] +		σ1(W[18])
	W[04]			σ0(W[05]) +
				W[04]
21	σ1(W[19]) +	σ1(W[19]) +	μ[21]	K[21] +	K[21] +	μ′[21]	Stored
	W[14] +	W[14] +		σ1(W[19]) +	σ1(W[19]) +
	σ0(W[06]) +	σ0(W[06]) +		W[14] +	W[14] +
	W[05]	W[05]		σ0(W[06]) +	σ0(W[06]) +
				W[05]	W[05]
22	σ1(W[20]) +	W[15] +	μ[22] +	K[22] +	—	K[22] +	Partially
	W[15] +	σ0(W[07]) +	σ1(W[20])	σ1(W[20]) +		μ[22] +	Stored
	σ0(W[07]) +	W[06]		W[15] +		σ1(W[20])
	W[06]			σ0(W[07]) +
				W[06]
23	σ1(W[21]) +	σ1(W[21]) +	μ[23]++	K[23] +	K[23] +	μ′[23]++	Incremented
	W[16] +	W[16] +		σ1(W[21]) +	σ1(W[21]) +
	σ0(W[08]) +	σ0(W[08]) +		W[16] +	W[16] +
	W[07]	W[07]		σ0(W[08]) +	σ0(W[08]) +
				W[07]	W[07]
24	σ1(W[22]) +	W[17] +	μ[24] +	K[24] +	—	K[24] +	Partially
	W[17] +	σ0(W[09]) +	σ1(W[22])	σ1(W[22]) +		μ[24] +	Stored
	σ0(W[09]) +	W[08]		W[17] +		σ1(W[22])
	W[08]			σ0(W[09]) +
				W[08]
25	σ1(W[23]) +	σ0(W[10]) +	μ[25] +	K[25] +	—	K[25] +	Partially
	W[18] +	W[09]	σ1(W[23]) +	σ1(W[23]) +		μ[25] +	Stored
	σ0(W[10]) +		W[18]	W[18] +		σ1(W[23]) +
	W[09]			σ0(W[10]) +		W[18]
				W[09]
26	σ1(W[24]) +	W[19] +	μ[26] +	K[26] +	—	K[26] +	Partially
	W[19] +	σ0(W[11]) +	σ1(W[24])	σ1(W[24]) +		μ[26] +	Stored
	σ0(W[11]) +	W[10]		W[19] +		σ1(W[24])
	W[10]			σ0(W[11]) +
				W[10]
27	σ1(W[25]) +	σ0(W[12]) +	μ[27] +	K[27] +	—	K[27] +	Partially
	W[20] +	W[11]	σ1(W[25]) +	σ1(W[25]) +		μ[27] +	Stored
	σ0(W[12]) +		W[20]	W[20] +		σ1(W[25]) +
	W[11]			σ0(W[12]) +		W[20]
				W[11]
28	σ1(W[26]) +	W[21] +	μ[28] +	K[28] +	—	K[28] +	Partially
	W[21] +	σ0(W[13]) +	σ1(W[26])	σ1(W[26]) +		μ[28] +	Stored
	σ0(W[13]) +	W[12]		W[21] +		σ1(W[26])
	W[12]			σ0(W[13]) +
				W[12]
29	σ1(W[27]) +	σ0(W[14]) +	μ[29] +	K[29] +	—	K[29] +	Partially
	W[22] +	W[13]	σ1(W[27]) +	σ1(W[27]) +		μ[29] +	Stored
	σ0(W[14]) +		W[22]	W[22] +		σ1(W[27]) +
	W[13]			σ0(W[14]) +		W[22]
				W[13]
30	σ1(W[28]) +	σ0(W[15]) +	μ[30]++ +	K[30] +	—	K[30] +	Partially
	W[23] +	W[14] + W[23]	σ1(W[28])	σ1(W[28]) +		μ[30]++ +	Stored and
	σ0(W[15]) +			W[23] +		σ1(W[28])	Incremented
	W[14]			σ0(W[15]) +
				W[14]
31	σ1(W[29]) +	—	No	K[31] +	—	No	No
	W[24] +		Optimisation	σ1(W[29]) +		Optimisation	Optimisation
	σ0(W[16]) +			W[24] +
	W[15]			σ0(W[16]) +
				W[15]
32	σ1(W[30]) +	σ0(W[17]) +	μ[32]++ +	K[32] +	—	K[32] +	Partially
	W[25] +	W[16]	σ1(W[30]) +	σ1(W[30]) +		μ[32]++ +	Stored and
	σ0(W[17]) +		W[25]	W[25] +		σ1(W[30]) +	Incremented
	W[16]			σ0(W[17]) +		W[25]
				W[16]
33	σ1(W[31]) +	—	No	K[33] +	—	No	No
	W[26] +		Optimisation	σ1(W[31]) +		Optimisation	Optimisation
	σ0(W[18]) +			W[26] +
	W[17]			σ0(W[18]) +
				W[17]
34	σ1(W[32]) +	σ0(W[19])	μ[34]+	K[34] +	—	K[34] + μ[34] +	Partially
	W[27] +		σ1(W[32]) +	σ1(W[32]) +		σ1(W[32]) +	Stored
	σ0(W[19]) +		W[27] + W[18]	W[27] +		W[27] + W[18]
	W[18]			σ0(W[19]) +
				W[18]
35	σ1(W[33]) +	—	No	K[35] +	—	No	No
	W[28] +		Optimisation	σ1(W[33]) +		Optimisation	Optimisation
	σ0(W[20]) +			W[28] +
	W[19]			σ0(W[20]) +
				W[19]
36	σ1(W[34]) +	σ0(W[21])	μ[36] +	K[36] +	—	K[36] + μ[36] +	Partially
	W[29] +		σ1(W[34]) +	σ1(W[34]) +		σ1(W[34]) +	Stored
	σ0(W[21]) +		W[29] + W[20]	W[29] +		W[29] + W[20]
	W[20]			σ0(W[21]) +
				W[20]
37	σ1(W[35]) +	—	No	K[37] +	—	No	No
	W[30] +		Optimisation	σ1(W[35]) +		Optimisation	Optimisation
	σ0(W[22]) +			W[30] +
	W[21]			σ0(W[22]) +
				W[21]
38	σ1(W[36]) +	—	No	K[38] +	—	No	No
	W[31] +		Optimisation	σ1(W[36]) +		Optimisation	Optimisation
	σ0(W[23]) +			W[31] +
	W[22]			σ0(W[23]) +
				W[22]
.
.
.
63	σ1(W[36]) +	—	No	K[63] +	—	No	No
	W[31] +		Optimisation	σ1(W[36]) +		Optimisation	Optimisation
	σ0(W[23]) +			W[31] +
	W[22]			σ0(W[23]) +
				W[22]

FIG. 7 shows a message scheduling hardware implementation 700 for SHA256₀ that makes use of the table above. As is shown, electronic storage 702 is provided to store and later provide the reusable values μ[t] and μ′[t], which are derived for an initial input message in accordance with the table above and then reused for one or more subsequent input messages. As is also shown, some of the reusable values μ′[t] can be used directly as W′[t] for each one of plural input messages having different Version values. Incrementing circuitry (one indicated as 704) is also provided for incrementing (++) the value of some of the incrementable reusable values μ[t] and μ′[t] for each subsequent input message in accordance with the table above. As is shown, in some cases the incremented reusable values μ[t] and μ′[t] can also be used as W[t] and W′[t] for that subsequent input message. Calculation modules (one indicated as 706) are also provided for performing the appropriate computation variants as shown in FIG. 6 for the subsequent input message in accordance with the table above. Further electronic storage 708 is also provided for storing and later providing the resultant fully calculated input values W[t] for the subsequent input message in accordance with the table above.

It is notable from the above that for t=18, 20, 22, 24-30, 32, 34 and 36, the reusable values μ[t] are partially-calculated versions of input values W[t] or W′[t] for the SHA256₀ cryptographic compression function which are calculated using invariable portions of the plural input messages to be hashed. Those reusable values μ[t] are then reused to calculate the fully-calculated input values W[t] or W′[t] for a subsequent input message using values based on one or more variable portions of the input messages to be hashed.

For example, for t=18, the reusable value μ[18]=W[11]+σ₀(W[03]) is a partially-calculated version of the fully-calculated input value W[18]=W[11]+σ₀(W[03])+W[02]+σ₁(W[16]) for the SHA256₀ cryptographic compression function which is calculated using only the invariable portions W[11], W[03] and W[02] of the input messages to be hashed. That reusable value μ[18] can then be reused to calculate (using CV₃) the fully-calculated input value W[18]=μ[18]+σ₁(W[16]) for a subsequent input message using a value σ₁(W[16]) which is based on the variable portion W[00] of the input messages to be hashed. Doing this for t=18 saves 2 add operations, 2 ROTR operations, 1 SHR operation and 2 ⊕ operations for each subsequent input message to be hashed.

As will be appreciated, the savings for all values of t will accumulate over time to give a significant reduction in the number of operations and thus processing time/resources required when performing SHA256₀. In particular, the following overall savings are possible for each subsequent input message:

	Add	ROTR	SHR	⊕
Savings for W[t] in SHA2560	33	46	23	46
Message Schedule
Total Operations for W[t] in	144	192	96	192
standard SHA256 Message
Schedule
SHA2560 Message Schedule	22.92%	23.96%	23.96%	23.96%
Reduction
Savings for W′[t] = W[t] +	21	—	—	—
K[t] Calculation
Total Operations in standard	64	—	—	—
W′[t] = W[t] + K[t] Calculation
W′[t] = W[t] + K[t] Calculation	32.81%	—	—	—
Reduction

SHA256₁ Implementation

Referring again to FIG. 4, the second input message 420, which is provided to the second cryptographic hashing module 428 to perform SHA256₁, comprises the last 32 bits of the HashMerkleRoot field 408; the Timestamp field 410; the 32-bit Target field 412; the 32-bit Nonce field 414; and the 384-bit Padding+Length field 416. As mentioned above, the Nonce may be incremented to create multiple instances of H₁. When this happens, M[03] (i.e. corresponding to the 32-bit Nonce field 414) is incremented, but the other M[t] (i.e. corresponding to the HashMerkleRoot field 408, the Timestamp field 410, the Target field 412, and the Padding+Length field 416) do not vary. With this in mind, embodiments of the present invention can make use of the following observations for plural different second input messages 420:

• • W[00] to W[02] and W[04] to W[15] will remain unchanged.
  • σ_0/1(W[00]) to σ_0/1(W[02]) will also remain unchanged in view of observation 1 above.
  • W[05] to W[14] will remain unchanged as 0x00000000. Additions of these values can be avoided.
  • σ₀(W[05]) to σ₀(W[14]) will also remain unchanged as 0x00000000 in view of observation 3 above. Additions of these values can be avoided.

The constant-modified reusable values μ′[04]=W[04]+K[04]=0xB956C25B and μ′[15]=W[15]+K[15]=0xC19BF3F4 will forever remain unchanged and independent of any Bitcoin Block Header. They can thus be added to the list of SHA256₁ round-specific constants stored in non-volatile memory and directly fed from the non-volatile memory into the message compression function of SHA256₁.

Various reusable values μ[t] can be calculated once for an initial value of W[03], such as 0x00000000, using the space-saving rolled hardware of FIG. 3.

For other values of W[03], the reusable values μ[t] can be directly fed into the computation variants CV₁-CV₇ shown in FIG. 6 to obtain the same result as the standard computation variant CV₀ shown in FIG. 6.

Constant-modified reusable values μ′[t]=μ[t]+K[t] can also be computed once for an initial value of W[03], such as 0x00000000, and then reused for other values of W[03] in cases where μ[t]=W[t].

For other values of W[03], the constant-modified reusable values p′[t] can be directly fed into the message compression function of SHA256₁.

The reusable values μ[t] and μ′[t] can be fed into the set of message schedule computation variants in a fully unrolled ASIC hardware implementation 800 to obtain a SHA256₁ fully unrolled message schedule as shown in FIG. 8.

The reusable values μ[t] and μ′[t] also allow the parallel computation of the message schedule. This is because the computation of W[t] no longer needs to be serialised since certain W[t] can be computed without the knowledge of the prior W[t]. An example parallel architecture 900 is shown in FIG. 9.

Keeping the above observations in mind, the following reusable values μ[t] and μ′[t] can be stored for an initial input message and reused for subsequent input messages:

SHA2561 Message Scheduler Calculations
		Stored	Optimised		Stored	Optimised W′[t] =
	Initial	Value	W[t] for	Initial	Value	μ[t] + K[t] for
t	W[t]	μ[t]	other inputs	W′[t]	μ′[t]	other inputs	Comment
00	W[00]	—	W[00]	K[00] +	K[00] +	μ′[00]	Stored
				W[00]	W[00]
01	W[01]	—	W[01]	K[01] +	K[01] +	μ′[01]	Stored
				W[01]	W[01]
02	W[02]	—	W[02]	K[02] +	K[02] +	μ′[02]	Stored
				W[02]	W[02]
03	W[03]	—	W[03]	K[03] +	K[03] +	μ′[03]++	Incremented
				W[03]	W[03]
04	W[04]	W[04]	0x80000000	K[04] +	K[04] +	μ′[04]	W[04] Always
				W[04]	W[04]		0x80000000
05			0x00000000	K[05] +	K[05] +	K[05]	W[05] Always
							0x00000000
06			0x00000000	K[06] +	K[06] +	K[06]	W[06] Always
							0x00000000
07			0x00000000	K[07] +	K[07] +	K[07]	W[07] Always
							0x00000000
08			0x00000000	K[08] +	K[08] +	K[08]	W[08] Always
							0x00000000
09			0x00000000	K[09] +	K[09] +	K[09]	W[09] Always
							0x00000000
10			0x00000000	K[10] +	K[10] +	K[10]	W[10] Always
							0x00000000
11			0x00000000	K[11] +	K[11] +	K[11]	W[11] Always
							0x00000000
12			0x00000000	K[12]+	K[12] +	K[12]	W[12] Always
							0x00000000
13			0x00000000	K[13] +	K[13] +	K[13]	W[13] Always
							0x00000000
14			0x00000000	K[14] +	K[14] +	K[14]	W[14] Always
							0x00000000
15	W[15]	W[15]	0x00000280	K[15] +	K[15] +	μ′[15]	W[15] Always
				W[15]	W[15]		0x00000280
16	+   +	+   +	μ[16]	K[16] +	K[16] +	μ′[16]	Stored
	σ0(W[01]) +	σ0(W[01]) +		σ0(W[01]) +	σ0(W[01]) +
	W[00]	W[00]		W[00]	W[00]
17	σ1(W[15]) +	σ1(W[15]) +	μ[17]	K[17] +	K[17] +	μ′[17]	Stored
	+	+		σ1(W[15]) +	σ1(W[15]) +
	σ0(W[02]) +	σ0(W[02]) +		+	+
	W[01]	W[01]		σ0(W[02]) +	σ0(W[02]) +
				W[01]	W[01]
18	σ1(W[16]) +	σ1(W[16]) +	μ[18] +	K[18] +	—	K[18] +	Partially Stored
	+	+ W[02]	σ0(W[03])	σ1(W[16]) +		μ[18]+
	σ0(W[03]) +			+		σ0(W[03])
	W[02]			σ0(W[03]) +
				W[02]
19	σ1(W[17]) +	σ1(W[17]) +	μ[19]++	K[19] +	K[19] +	μ′[19]++	Incremented
	+	+		σ1(W[17]) +	σ1(W[17]) +
	σ0(W[04]) +	σ0(W[04]) +		+	+
	W[03]	W[03]		σ0(W[04]) +	σ0(W[04]) +
				W[03]	W[03]
20	σ1(W[18]) +	+   +	W[04] +	K[20] +	—	K[20] +	W[05], W[13]
	+   +	W[04]	σ1(W[18])	σ1(W[18]) +		W[04] +	Always 0x00000000
	W[04]			+   +		σ1(W[18])
				W[04]
21	σ1(W[19]) +	+	σ1(W[19])	K[21] +	—	K[21] +	W[14], W[05],
	+   +	+		σ1(W[19]) +		σ1(W[19])	W[06] Always
				+   +			0x00000000
22	σ1(W[20]) +	W[15] +	σ1(W[20]) +	σ1(W[20]) +	—	K[22] +	W[06], W[07]
	W[15] +	+	W[15]	W[15] +   +		W[15] +	Always 0x00000000
	+					σ1(W[20])
23	σ1(W[21]) +	W[16] +	σ1(W[21]) +	K[23] +	—	K[23] +	Partially Stored
	W[16] +	+	μ[16]	σ1(W[21]) +		σ1(W[21]) +
	+			W[16] +   +		μ[16]
24	σ1(W[22]) +	W[17] +	σ1(W[22]) +	K[24] +	—	K[24] +	Partially Stored
	W[17] +	+	μ[17]	σ1(W[22]) +		σ1(W[22]) +
	+			W[17] +   +		μ[17]
25	σ1(W[23]) +	+	σ1(W[23]) +	K[25] +	—	K[25] +	W[9], W[10]
	W[18] +		W[18]	σ1(W[23]) +		σ1(W[23]) +	Always 0x00000000
	+			W[18] +   +		W[18]
26	σ1(W[24]) +	+	σ1(W[24]) +	K[26] +	—	K[26] +	W[10], W[11]
	W[19] +		W[19]	σ1(W[24]) +		σ1(W[24]) +	Always 0x00000000
	+			W[19] +   +		W[19]
27	σ1(W[25]) +	+	σ1(W[25]) +	K[27] +	—	K[27] +	W[11], W[12]
	W[20] +		W[20]	σ1(W[25]) +		σ1(W[25]) +	Always 0x00000000
	+			W[20] +   +		W[20]
28	σ1(W[26]) +	+	σ1(W[26]) +	K[28] +	—	K[28] +	W[12], W[13]
	W[21] +		W[21]	σ1(W[26]) +		σ1(W[26]) +	Always 0x00000000
	+			W[21] +   +		W[21]
29	σ1(W[27]) +	+	σ1(W[27]) +	K[29] +	—	K[29] +	W[13], W[14]
	W[22] +		W[22]	σ1(W[27]) +		σ1(W[27]) +	Always 0x00000000
	+			W[22] +   +		W[22]
30	σ1(W[28]) +	σ0(W[15]) +	σ1(W[28]) +	K[30] +	—	K[30] +	Partially Stored
	W[23] +		W[23] + μ[30]	σ1(W[28]) +		σ1(W[28]) +
	σ0(W[15]) +			W[23] +		W[23] + μ[30]
				σ0(W[15]) +
31	σ1(W[29]) +	σ0(W[16]) +	μ[31] +	K[31] +	—	K[31] +	Partially Stored
	W[24] +	W[15]	σ1(W[29]) +	σ1(W[29]) +		μ[31] +
	σ0(W[16]) +		W[24]	W[24] +		σ1(W[29]) +
	W[15]			σ0(W[16]) +		W[24]
				W[15]
32	σ1(W[30]) +	σ0(W[17]) +	μ[32] +	K[32] +	—	K[32] +	Partially Stored
	W[25] +	W[16]	σ1(W[30]) +	σ1(W[30]) +		μ[32] +
	σ0(W[17]) +		W[25]	W[25] +		σ1(W[30]) +
	W[16]			σ0(W[17]) +		W[25]
				W[16]
33	σ1(W[31]) +	—	No	K[33] +	—	No	No Optimisation
	W[26] +		Optimisation	σ1(W[31]) +		Optimisation
	σ0(W[18]) +			W[26] +
	W[17]			σ0(W[18]) +
				W[17]
34	σ1(W[32]) +	—	No	K[34] +	—	No	No Optimisation
	W[27] +		Optimisation	σ1(W[32]) +		Optimisation
	σ0(W[19]) +			W[27] +
	W[18]			σ0(W[19]) +
				W[18]
.
.
.
63	σ1(W[61]) +	—	No	K[63] +	—	No	No Optimisation
	W[56] +		Optimisation	σ1(W[61]) +		Optimisation
	σ0(W[48]) +			W[56] +
	W[47]			σ0(W[48]) +
				W[47]

FIG. 8 shows a message scheduling hardware implementation 800 for SHA256₁ that makes use of the above table. As is shown, electronic storage 802 is provided to store and later provide the reusable values μ[t] and μ′[t], which are derived for an initial input message in accordance with the table above and then reused for one or more subsequent input messages. As is also shown, some of the reusable values μ′[t] can be used directly as W′[t] for each one of plural input messages having different Nonce values. Incrementing circuitry (one indicated as 804) is also provided for incrementing (++) the value of some of the incrementable reusable values μ[t] and μ′[t] for each subsequent input message in accordance with the table above. As is shown, in some cases the incremented reusable values μ[t] and μ′[t] can then be used as W[t] and W′[t] for that subsequent input message. Calculation modules (one indicated as 806) are also provided for performing the appropriate computation variants as shown in FIG. 6 for the subsequent input message in accordance with the table above. Further electronic storage 808 is also provided for storing and later providing the resultant fully calculated input values W[t] for the subsequent input message in accordance with the table above.

FIG. 9 shows an alternative message scheduling hardware implementation 900 for SHA256₁ in which the fully calculated input values W[t] are calculated in parallel rather than in series. As is shown, electronic storage 902 is again provided to store and later provide the reusable values μ[t] and μ′[t], which are derived for an initial input message in accordance with the table above and then reused for one or more subsequent input messages. As is also shown, some of the reusable values μ′[t] can be used directly as W′[t] for each one of plural input messages having different Nonce values. Incrementing circuitry (one indicated as 904) is again also provided for incrementing (++) the value of some of the incrementable reusable values μ[t] and μ′[t] for each subsequent input message in accordance with the table above. As is shown, in some cases the incremented reusable values μ[t] and μ′[t] can then be used as W[t] and W′[t] for that subsequent input message.

In this embodiment, a first set of calculation modules (one module in the first set is indicated as 906a) and a second set of calculation modules (one module in the second set is indicated as 906b) are also provided for performing the appropriate computation variants as shown in FIG. 6 for the subsequent input message in accordance with the table above. As will be appreciated, the calculation modules of the first set can operate in parallel with the calculation modules of the second set since the values needed by the modules of one set will already have been calculated by the other set, and vice versa, and so there is no need to run those modules entirely in series. Further electronic storage 908 is also provided for storing and later providing the resultant fully calculated input values W[t] for the subsequent input message in accordance with the table above.

It is notable from the above that for t=18, 20 and 22-32 the reusable values μ[t] are partially-calculated versions of input values W[t] or W′[t] for the SHA256₁ cryptographic compression function which are calculated using invariable portions of the input messages to be hashed. Those reusable values μ[t] are then reused to calculate the fully-calculated input values W[t] or W′[t] for a subsequent input message using values based on one or more variable portions of the input messages to be hashed.

For example, for t=18, the reusable value μ[18]=σ₁(W[16])+W[02] is a partially-calculated version of the fully-calculated input value W[18]=W[11]+σ₀(W[03])+W[02]+σ₁(W[16]) for the SHA256₁ cryptographic compression function which is calculated using only the invariable portions W[16], W[11] and W[02] of the input messages to be hashed. That reusable value μ[18] can then be reused to calculate (using CV₂) the fully-calculated input value W[18]=μ[18]+σ₀(W[03]) for a subsequent input message using a value σ₀(W[03]) which is based on the variable portion W[03] of the input messages to be hashed. Doing this for t=18 saves 2 add operations, 2 ROTR operations, 1 SHR operation and 2 ⊕ operations for each subsequent input message to be hashed.

As will be appreciated, the savings for all values of t will again accumulate over time to give a significant reduction in the number of operations and thus processing time/resources required when performing SHA256₁. In particular, the following overall savings are possible for each subsequent input message:

	Add	ROTR	SHR	⊕
Savings for W[t] in SHA2561	35	40	20	40
Message Schedule
Total Operations for W[t] in	144	192	96	192
standard SHA256 Message
Schedule
SHA2561 Message Schedule	24.31%	20.83%	20.83%	20.83%
Reduction
Savings for W′[t] = W[t] +	19	—	—	—
K[t] Calculation
Total Operations in standard	64	—	—	—
W′[t] = W[t] + K[t] Calculation
W′[t] = W[t] + K[t] Calculation	29.68%	—	—	—
Reduction

SHA256₂ Implementation

Referring again to FIG. 4, the third input message 434, which is provided to a third cryptographic hashing module 438 to perform SHA256₂, comprises the 256-bit second message digest H₁ field 430 and the 256-bit Padding+Length field 432. M[00]-M[07] (i.e. corresponding to the second message digest H₁ field 430) will vary, but M[08]-M[15] (i.e. corresponding to the 384-bit Padding+Length field 432) do not vary. With this in mind, embodiments of the present invention can make use of the following observations for plural different third input messages 434:

• • W[08] to W[15] will remain unchanged as 0x00000000. Additions of these values can be avoided.
  • σ_0/1(W[08]) to σ_0/1(W[15]) will also remain unchanged as 0x00000000 in view of observation 1 above. Additions of these values can be avoided.

The reusable values μ[17]=0x00A00000, μ[23]=0x11002000, and μ[30]=0x00400022 will forever remain unchanged and independent of any Bitcoin Block Header. They can thus be added to the list of SHA256₂ round-specific constants stored in non-volatile memory and directly fed from the non-volatile memory into the message compression function of SHA256₂.

The constant-modified reusable values p′[08]=W[08]+K[08]=0x5807AA98 and μ′[15]=W[15]+K[15]=0xC19BF274 will forever remain unchanged and independent of any Bitcoin Block Header. They can thus be added to the list of SHA256₂ round-specific constants stored in non-volatile memory and directly fed from the non-volatile memory into the message compression function of SHA256₂.

Various reusable values μ[t] can be calculated once using the space-saving rolled hardware of FIG. 3.

For other input messages (i.e. other values of H₁), the reusable values μ[t] can be directly fed into the computation variants CV₁-CV₇ shown in FIG. 6 to obtain the same result as the standard computation variant CV₀ shown in FIG. 6.

The reusable values μ[t] and μ′[t] can be fed into the set of message schedule computation variants in a fully unrolled ASIC hardware implementation 1000 to obtain a SHA256₂ fully unrolled message schedule as shown in FIG. 10.

W[61] to W[63] need not be implemented in a fully unrolled ASIC implementation. This is because these computations do not fall in the critical path since one can assert a winning Nonce by observing the value of the working variable E at round 61 [t=60].

Keeping the above observations in mind, the following reusable values μ[t] and μ′[t] can be stored for an initial input message and reused for subsequent input messages:

SHA2562 Message Scheduler Calculations
		Stored	Optimised		Stored	Optimised W′[t] =
	Initial	Value	W[t] for	Initial	Value	μ[t] + K[t] for
t	W[t]	μ[t]	other inputs	W′[t]	μ′[t]	other inputs	Comment
00	W[00]	—	No	K[00] +	—	No	No
			Optimisation	W[00]		Optimisation	Optimisation
01	W[01]	—	No	K[01] +	—	No	No
			Optimisation	W[01]		Optimisation	Optimisation
02	W[02]	—	No	K[02] +	—	No	No
			Optimisation	W[02]		Optimisation	Optimisation
.
.
.
07	W[07]	—	No	K[07] +	—	No	No
			Optimisation	W[07]		Optimisation	Optimisation
08	W[08]	W[08]	0x80000000	K[08] +	K[08] +	μ′[08]	W[08] Always
				W[08]	W[08]		0x80000000
09			0x00000000	K[09] +	K[09] +	K[09]	W[09] Always
							0x00000000
10			0x00000000	K[10] +	K[10] +	K[10]	W[10] Always
							0x00000000
11			0x00000000	K[11] +	K[11] +	K[11]	W[11] Always
							0x00000000
12			0x00000000	K[12] +	K[12] +	K[12]	W[12] Always
							0x00000000
13			0x00000000	K[13] +	K[13] +	K[13]	W[13] Always
							0x00000000
14			0x00000000	K[14] +	K[14] +	K[14]	W[14] Always
							0x00000000
15	W[15]	W[15]	0x00000100	K[15] +	K[15] +	μ′[15]	W[15] Always
				W[15]	W[15]		0x00000100
16	+   +	+	σ0(W[01]) +	K[16] +	—	K[16] +	W[09], W[14]
	σ0(W[01]) +		W[00]	+   +		σ0(W[01]) +	Always
	W[00]			σ0(W[01]) +		W[00]	0x00000000
				W[00]
17	σ1(W[15]) +	σ1(W[15]) +	μ[17] +	K[17] +	—	K[17] +	W[10] Always
	+		σ0(W[02]) +	σ1(W[15]) +		μ[17] +	0x00000000
	σ0(W[02]) +		W[01]	+		σ0(W[02]) +
	W[01]			σ0(W[02]) +		W[01]
				W[01]
18	σ1(W[16]) +		σ1(W[16]) +	K[18] +	—	K[18] +	W[11] Always
	+		σ0(W[03]) +	σ1(W[16]) +		σ1(W[16]) +	0x00000000
	σ0(W[03]) +		W[02]	+		σ0(W[03]) +
	W[02]			σ0(W[03]) +		W[02]
				W[02]
19	σ1(W[17]) +		σ1(W[17]) +	K[19] +	—	K[19] +	W[12] Always
	+		σ0(W[04]) +	σ1(W[17]) +		σ1(W[17]) +	0x00000000
	σ0(W[04]) +		W[03]	+		σ0(W[04]) +
	W[03]			σ0(W[04]) +		W[03]
				W[03]
20	σ1(W[18]) +		σ1(W[18]) +	K[20] +	—	K[20] +	W[13] Always
	+		σ0(W[05]) +	σ1(W[18]) +		σ1(W[18]) +	0x00000000
	σ0(W[05]) +		W[04]	+		σ0(W[05]) +
	W[04]			σ0(W[05]) +		W[04]
				W[04]
21	σ1(W[19]) +		σ1(W[19]) +	K[21] +	—	K[21] +	W[14] Always
	+		σ0(W[06]) +	σ1(W[19]) +		σ1(W[19]) +	0x00000000
	σ0(W[06]) +		W[05]	+		σ0(W[06]) +
	W[05]			σ0(W[06]) +		W[05]
				W[05]
22	σ1(W[20]) +	—	No	K[22] +	—	No	No
	W[15] +		Optimisation	σ1(W[20]) +		Optimisation	Optimisation
	σ0(W[07]) +			W[15] +
	W[06]			σ0(W[07]) +
				W[06]
23	σ1(W[21]) +	σ0(W[08])	μ[23] +	K[23] +	—	K[23] +	Partially
	W[16] +		σ1(W[21]) +	σ1(W[21]) +		μ[23] +	Stored
	σ0(W[08]) +		W[16] +	W[16] +		σ1(W[21]) +
	W[07]		W[07]	σ0(W[08]) +		W[16] +
				W[07]		W[07]
24	σ1(W[22]) +	+ W[08]	W[08] +	K[24] +	—	K[24] +	W[09] Always
	W[17] +   +		σ1(W[22]) +	σ1(W[22]) +		σ1(W[22]) +	0x00000000
	W[08]		W[17]	W[17] +   +		W[17] +
				W[08]		W[08]
25	σ1(W[23]) +	+	σ1(W[23]) +	K[25] +	—	K[25] +	W[09], W[10]
	W[18] +		W[18]	σ1(W[23]) +		σ1(W[23]) +	Always
	+			W[18] +   +		W[18]	0x00000000
26	σ1(W[24]) +	+	σ1(W[24]) +	K[26] +	—	K[26] +	W[10], W[11]
	W[19] +   +		W[19]	σ1(W[24]) +		σ1(W[24]) +	Always
				W[19] +   +		W[19]	0x00000000
27	σ1(W[25]) +	+	σ1(W[25]) +	K[27] +	—	K[27] +	W[11], W[12]
	W[20] +   +		W[20]	σ1(W[25]) +		σ1(W[25]) +	Always
				W[20] +   +		W[20]	0x00000000
28	σ1(W[26]) +	+	σ1(W[26]) +	K[28] +	—	K[28] +	W[12], W[13]
	W[21] +   +		W[21]	σ1(W[26]) +		σ1(W[26]) +	Always
				W[21] +   +		W[21]	0x00000000
29	σ1(W[27]) +	+	σ1(W[27]) +	K[29] +	—	K[29] +	W[13], W[14]
	W[22] +   +		W[22]	σ1(W[27]) +		σ1(W[27]) +	Always
				W[22] +   +		W[22]	0x00000000
30	σ(W[28]) +	σ0(W[15]) +	μ[30] +	K[30] +	—	K[30] +	Partially Stored
	W[23] +		σ1(W[28]) +	σ1(W[28]) +		μ[30] +
	σ0(W[15]) +		W[23]	W[23] +		σ1(W[28]) +
				σ0(W[15]) +		W[23]
31	σ1(W[29]) +	—	No	K[31] +	—	No	No
	W[24] +		Optimisation	σ1(W[29]) +		Optimisation	Optimisation
	σ0(W[16]) +			W[24] +
	W[15]			σ0(W[16]) +
				W[15]
.
.
.
60	σ1(W[58]) +	K[60]	No	K[60] +	—	No	No
	W[53] +		Optimisation	σ1(W[58]) +		Optimisation	Optimisation
	σ0(W[45]) +			W[53] +
	W[44]			σ0(W[45]) +
				W[44]
61	σ1(W[59]) +	K[61]	No	K[61] +	—	No	No
	W[54] +		calculations	σ1(W[59]) +		calculations	calculations
	σ0(W[46]) +		for almost	W[54] +		for almost	for almost
	W[45]		all Nonces	σ0(W[46]) +		all Nonces	all Nonces
				W[45]
62	σ1(W[60]) +	K[62]	No	K[62] +	—	No	No
	W[55] +		calculations	σ1(W[60]) +		calculations	calculations
	σ0(W[47]) +		for almost	W[55] +		for almost	for almost
	W[46]		all Nonces	σ0(W[47]) +		all Nonces	all Nonces
				W[46]
63	σ1(W[61]) +	K[63]	No	K[63] +	—	No	No
	W[56] +		calculations	σ1(W[61]) +		calculations	calculations
	σ0(W[48]) +		for almost	W[56] +		for almost	for almost
	W[47]		all Nonces	σ0(W[48]) +		all Nonces	all Nonces
				W[47]

FIG. 10 shows a message scheduling hardware implementation 1000 for SHA256₂ that makes use of the above table. As is shown, electronic storage 1002 is provided to store and later provide the reusable values μ[t] and μ′[t], which are derived for an initial input message in accordance with the table above and then reused for one or more subsequent input messages. As is also shown, some of the reusable values μ′[t] can be used directly as W′[t] for each one of plural input messages. Calculation modules (one indicated as 1006) are also provided for performing the appropriate computation variants as shown in FIG. 6 for the subsequent input message in accordance with the table above. Further electronic storage 1008 is also provided for storing and later providing the resultant fully calculated input values W[t] for the subsequent input message in accordance with the table above.

It is notable from the above that for t=17, 23 and 30 the reusable values μ[t] are partially-calculated versions of input values W[t] or W′[t] for the SHA256₂ cryptographic compression function which are calculated using invariable portions of the input messages to be hashed. Those reusable values μ[t] are then reused to calculate the fully-calculated input values W[t] or W′[t] for a subsequent input message using values based on one or more variable portions of the input messages to be hashed.

For example, for t=17, the reusable value μ[17]=σ₁(W[15]) is a partially-calculated version of the fully-calculated input value W[17]=W[10]+σ₀(W[02])+W[01]+σ₁(W[15]) for the SHA256₂ cryptographic compression function which is calculated using only the invariable portion W[15] of the input messages to be hashed. That reusable value μ[17] can then be reused to calculate (using CV₆) the fully-calculated input value W[17]=μ[17]+σ0(W[02])+W[01] for a subsequent input message using values σ0(W[02]) and W[01] which are based on the variable portions W[02] and W[01] of the input messages to be hashed. Doing this for t=17 saves 1 add operation, 2 ROTR operations, 1 SHR operation and 2 ⊕ operations for each subsequent input message to be hashed.

As will be appreciated, the savings for all values of t will again accumulate over time to give a significant reduction in the number of operations and thus processing time/resources required when performing SHA256₂. In particular, the following overall savings are possible for each subsequent input message:

	Add	ROTR	SHR	⊕
Savings for W[t] in SHA2562	31	32	16	32
Message Schedule
Total Operations for W[t] in	144	192	96	192
standard SHA256 Message
Schedule
SHA2562 Message Schedule	21.53%	16.67%	16.67%	16.67%
Reduction
Savings for W′[t] = W[t] +	8	—	—	—
K[t] Calculation
Total Operations in standard	64	—	—	—
W′[t] = W[t] + K[t] Calculation
W′[t] = W[t] + K[t] Calculation	12.50%	—	—	—
Reduction

It will accordingly be appreciated from the above that embodiments of the present invention can greatly increase speed and efficiency when performing cryptographic hashing in respect of plural different input messages which have invariable portions and variable portions.

Claims

1. A method of performing cryptographic hashing in respect of plural different input messages to be hashed, the method comprising: causing a message scheduler to: calculate a set of one or more partially-calculated input values for a cryptographic compression function using one or more values based on one or more invariable portions of an initial input message to be hashed, wherein corresponding ones of the invariable portions do not vary across the plural different input messages to be hashed; andfor each of one or more subsequent input messages to be hashed: calculate a set of fully-calculated input values for the cryptographic compression function, wherein calculating the set of fully-calculated input values comprises performing calculations using one or more of the partially-calculated input values and one or more values based on one or more variable portions of the subsequent input message to be hashed, wherein corresponding ones of the variable portions do vary across the plural different input messages to be hashed; andprovide the set of fully-calculated input values for use when performing the cryptographic compression function in respect of the subsequent input message.

2. The method as claimed in claim 1, wherein the cryptographic hashing is performed when mining for Bitcoin.

3. The method as claimed in claim 1 or 2, wherein the plural different input messages to be hashed each correspond to a different Bitcoin Block Header.

4. A The method as claimed in claim 1, wherein the plural different input messages to be hashed each comprise a Version field, a HashPrevBlock field, and part of a HashMerkleRoot field.

5. The method as claimed in claim 4, wherein the one or more invariable portions correspond to at least one of the HashPrevBlock field, and/or to the part of the HashMerkleRoot field.

6. The method as claimed in claim 4, wherein the one or more variable portions correspond to the Version field.

7. The method as claimed in claim 4, wherein the Version field is incremented across the plural different input messages.

8. The method as claimed in claim 1, wherein the plural different input messages to be hashed each comprise part of a HashMerkleRoot field, a Timestamp field, a Target field, a Nonce field, and a Padding+Length field.

9. The method as claimed in claim 8, wherein the one or more invariable portions correspond to at least one of the part of the HashMerkleRoot field; the Timestamp field; the Target field; and/or the Padding+Length field.

10. The method as claimed in claim 8, wherein the one or more variable portions correspond to the Nonce field.

11. The method as claimed in claim 8, wherein the Nonce field is incremented across the plural different input messages.

12. The method as claimed in claim 1, wherein the plural different input messages to be hashed each comprise a Message Digest field and a Padding+Length field.

13. The method as claimed in claim 12, wherein the one or more invariable portions correspond to the Padding+Length field.

14. The method as claimed in claim 12, wherein the one or more variable portions correspond to the Message Digest field.

15. A The method as claimed in claim 1, wherein calculation of a partially-calculated input value of the set of one or more partially-calculated input values comprises performing some, but not all, of the operations in a message scheduling calculation.

16. The method as claimed in claim 1, wherein calculation of a partially-calculated input value of the set of one or more partially-calculated input values comprises performing one or more of: an add operation; a bitwise rotate right (ROTR) operation; a bitwise shift right (SHR) operation; and a bitwise exclusive OR (@) operation.

17. The method as claimed in claim 1, wherein calculation of a fully-calculated input value of the set of fully-calculated input values comprises performing some, but not all, of the operations in a message scheduling calculation.

18. The method as claimed in claim 1, wherein calculation of a fully-calculated input value of the set of fully-calculated input values comprises performing one or more of: an add operation; a bitwise rotate right (ROTR) operation; a bitwise shift right (SHR) operation; and a bitwise exclusive OR (⊕) operation.

19. The method as claimed in claim 1, wherein calculating the set of one or more fully-calculated input values for a subsequent input message comprises calculating a first set of fully-calculated input values for the subsequent input message and calculating a second set of fully-calculated input values for the subsequent input message, wherein calculation of the first set of fully-calculated input values is performed in parallel with calculation of the second set of fully-calculated input values.

20. An apparatus for performing cryptographic hashing in respect of plural different input messages to be hashed, the apparatus comprising: a message scheduler having processing circuitry configured to: calculate a set of one or more partially-calculated input values for a cryptographic compression function using one or more values based on one or more invariable portions of an initial input message to be hashed, wherein corresponding ones of the invariable portions do not vary across the plural different input messages to be hashed; andfor each of one or more subsequent input messages to be hashed: calculate a set of fully-calculated input values for the cryptographic compression function, wherein calculating the set of fully-calculated input values comprises performing calculations using one or more of the partially-calculated input values and one or more values based on one or more variable portions of the subsequent input message to be hashed, wherein corresponding ones of the variable portions do vary across the plural different input messages to be hashed; andprovide the set of fully-calculated input values for use when performing the cryptographic compression function in respect of the subsequent input message.