Score:0

# What is the correct value of SHA-512 message-length field if the message length is 3967 bits

In the steps of “Append the padding bits” in SHA-512 system, the message is padded so that its length is congruent to 896 mod 1024. I'm new to cryptography and I can't figure out the difference between message-length field and message length. I'm not sure what is the correct value of SHA-512 message-length field..?

And "The message-length field is used to indicate the actual length of the message, usually in binary form." Right?

Hint: Read [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf#page=18), esp. §5.1.2.
Score:0

(In SHA-512,) what's the difference between message-length field and message length?

The message-length field is a 128-bit bitstring, when the message length is a (non-negative) integer $$\ell$$ in range $$[0\ldots2^{128})$$.

The integer $$\ell$$ is the size of the message in bits, thus 3967 for a 3967-bit message. That would be 31736 for a 3967-byte (that is octet in the context) message. An integer has no intrinsic representation or base.

The message-length field is 128 bits, which value is derived from the integer $$\ell$$ using big-endian unsigned binary convention. It's first $$128-\lceil\log_2(\ell+1)\rceil$$ bits first are $$0$$, which follows from said convention.

The message-length field is used to indicate the actual length of the message, usually in binary form.

I have reservation against this statement: "indicate" would suggest that something or someone would use the length field to find the length $$\ell$$ of the message, but that's not the case. $$\ell$$ is encoded in the message length field, but nothing decodes it for the purpose of determining the length of the message. That's not to say the message length field is useless: it's a security feature† towards preventing collisions between messages of different length.

Also "usually" would indicate there are exceptions to the use of binary. That's not the case in SHA-512 or any hash I know. The only variations I can think of (in other hashes) are on endianness, or perhaps counting the length in bytes rather than bits.

† There's another feature with a similar goal in SHA-512: the first of "the padding bits" mentioned in the question, which is set to $$1$$. Since there is also the length field, from a security standpoint, we could do without that $$1$$ bit. Security would not be harmed, code woudl be simplified, and that would make computation of messages of exactly 120 bytes nearly twice as fast. But that's not how SHA-512 happens to have been specified.

I sit in a Tesla and translated this thread with Ai: