Sebery J.Cryptography.An introduction to computer security.1989
.pdf
262 6 HASHING
jmj; s; t) = (B + ((A + G(B; C; D) + mj + t) s); B; C; D) ;
HH(A; B; C; d j mj; s; t) = (B + ((A + H(B; C; D) + mj + t) s); B; C; D) ; KK(A; B; C; D j mj; s; t) = (B + ((A + K(B; C; D) + mj + t) s); B; C; D) ;
where (A; B; C; D) 2 128 is an input while (mj; s; t) are current parameters that determine the form of the permutation and + stands for addition modulo 232. The rst parameter is the current message block mj; j = 0; : : : ; 15. The second parameter s speci es the number of positions in the rotation. The third parameter t is a constant. (A s) means that the binary string A is rotated to the left by s positions. The hashing proceeds through the four rounds:
Round 1:
(1) |
F F (A; B; C; D j m0; 7;0xd76aa478); |
|
|
(2) |
F F (D; A; B; C j m1; 12; 0xe8c7b756); |
|
|
(3) |
F F (C; D; A; B j m2; 17; 0x242070db); |
|
|
(4) |
F F (B; C; D; A j m3; 22; 0xc1bdceee); |
|
|
(5) |
F F (A; B; C; D j m4; 7;0xf 57c0faf ); |
|
|
(6) |
F F (D; A; B; C j m5; 12; 0x4787c62a); |
|
|
(7) |
F F (C; D; A; B j m6; 17; 0xa8304613); |
|
|
(8) |
F F (B; C; D; A j m7; 22; 0xfd469501); |
(6.8) |
|
(9) |
F F (A; B; C; D j m8; 7;0x698098d8); |
|
|
(10) |
F F (D; A; B; C j m9; 12; 0x8b44f7af); |
|
|
(11) |
F F (C; D; A; B j m10; 17; 0xffff5bb1); |
|
|
(12) |
F F (B; C; D; A j m11; 22; 0x895cd7be); |
|
|
(13) |
F F (A; B; C; D j m12; 7; 0x6b901122); |
|
|
(14) |
F F (D; A; B; C j m13;12; 0xfd987193); |
|
|
(15) |
F F (C; D; A; B j m14; 17; 0xa679438e); |
|
|
(16) |
F F (B; C; D; A j m15; 22; 0x49b40821): |
|
|
Round 2:
264 6 HASHING |
|
|
(49) |
KK(A; B; C; D j m0; 6; 0xf4292244); |
|
(50) |
KK(D; A; B; C j m7; 10; 0x432aff97); |
|
(51) |
KK(C; D; A; B j m14; 15; 0xab9423a7); |
|
(52) |
KK(B; C; D; A j m5; 21;0xfc93a039); |
|
(53) |
KK(A; B; C; D j m12; 6; 0x655b59c3); |
|
(54) |
KK(D; A; B; C j m3; 10; 0x8f 0ccc92); |
|
(55) |
KK(C; D; A; B j m10; 15; 0xffeff 47d); |
|
(56) |
KK(B; C; D; A j m1; 21;0x85845dd1); |
(6.11) |
(57) |
KK(A; B; C; D j m8; 6; 0x6fa87e4f); |
|
(58) |
KK(D; A; B; C j m15;10; 0xfe2ce6e0); |
|
(59) |
KK(C; D; A; B j m6; 15;0xa3014314); |
|
(60) |
KK(B; C; D; A j m13; 21; 0x4e0811a1); |
|
(61) |
KK(A; B; C; D j m4; 6; 0xf7537e82); |
|
(62) |
KK(D; A; B; C j m11;10; 0xbd3af235); |
|
(63) |
KK(C; D; A; B j m2; 15;0x2ad7d2bb); |
|
(64) |
KK(B; C; D; A j m9; 21;0xeb86d391): |
|
MD5 was meant to be fast on machines with a little-endian architecture. By the way, for a 32-bit word (a0; : : : ; a31), a machine with little-endian architecture
converts the string into integer a31231+: : :+a1 2+a0. In big-endian architecture, the same integer is a0231 + : : : + a30 2 + a31.
As MD4 is a weaker version of MD5, it was apparent that the main e ort will be concentrated around analysis of MD4. den Boer and Bosselaers [135] successfully analyzed two last rounds of MD4. Merkle successfully attacked therst two rounds of MD4. In 1996 Dobbertin [156] broke the whole MD4. He also extended his attack on MD5 [157] and showed that MD5 is not collision resistant.
6.6.2 SHA-1
SHA-1 is closely related to MD5 and shares with MD5 many common features. It is a standard recommended by the US National Institute for Standard and Technology (NIST). SHA-1 hashes arbitrarily long messages using the serial method. The message block of 512-bits is compressed into 160-bit digest using a 160-bit chaining input.
SHA-1 main features includes the following:
6.6 MD (Message Digest) Family |
265 |
{Padding is identical to that in MD5 except the length of the original message ` = (`1232 + `0) is appended as 64-bit sequence in the order (`1; `0) (compare
with the Figure 6.8).
{The chaining input is initialized as in MD5 with the additional input E = 0xc3d2e1f0.
{The collection of round functions includes
f (x; y; z) = xy _ xz;
g(x; y; z) = xy _ xz _ yz; h(x; y; z) = x y z:
Denote F; G; and H as the word equivalents of functions f; g; and h, respectively. The function F is used in the rst round (iterations from 0 to 19). The function H is used in the round 2 and 4 (iterations from 20 to 39 and from 60 to 79). The function G is used in the round 3 (iterations 40 to 59).
{The message bu er (X0; : : : ; X79) of 80 words (80 32 bits) is initialized by storing the 512-bit message into rst 16 entries and the remainder words are computed according to
Xj = Xj 3 Xj 8 Xj 14 Xj 16;
for j = 16; : : : ; 79. Note that the word Xj is used in the ith iteration, j = 0; : : : ; 79.
{The jth iteration is based on a Feistel permutation controlled by the message word Xj and the constant t where
80x5a827999 Round 1,
>0x6ed9eba1 Round 2, t = <0x8f 1bbcdc Round 3, >:0xca62c1d6 Round 4.
The Feistel permutation F : 160 ! 160 takes the 5-word input and outputs the 5-word output or
(A; B; C; D; E) := F (A; B; C; D; E);
where indicates the currently employed round function (either F; G, or H). The form of the iteration is as follows (Figure 6.11)
F (A; B; C; D; E) = ( (B; C; D) + Xj + t + E + (A 5); A; (B 30); C; D) ;
266 6 HASHING
A B C D E
X j
α |
t |
<< 5 |
|
<< 30
Fig. 6.11. An iteration in SHA-1
where (A s) stands for rotation s bits to the left and + is addition modulo 232.
Hashing of a single message block runs through 4 rounds each containing 20 iterations as shown in Figure 6.12. More precisely, the round 1 (iterations j = 0; : : : ; 19) applies the function F so
(A; B; C; D; E) := FF (A; B; C; D; E):
The rounds 2 and 4 (iterations j = 20; : : : ; 39;60; : : : ; 79) use the function H. Thus
(A; B; C; D; E) := FH (A; B; C; D; E):
The round 3 (iterations j = 40; : : : ; 59) employ the function G, or (A; B; C; D; E) := FG(A; B; C; D; E):
SHA-1 is believed to be more secure than MD5. Note that the digest space is larger than this o ered by MD5 (note additional word E in the chaining variable).
6.6.3 RIPEMD-160
RIPEMD is an outcome of the European RACE Integrity Primitives evaluation (RIPE) project. RIPEMD-160 is a strengthened version of the RIPEMD algorithm [158]. It applies 5 rounds (instead of 3 in RIPEMD) and the size of digest (and the chaining variable) is 160 bits (instead of 128 bits). Unlike
268 6 HASHING
rst 16 words of the bu er X is initialized to the 16 words of the message (m0; : : : ; m15). So
X[0; : : : ; 15] = |
(0; |
1; |
|
2; |
3; |
4; |
5; |
6; |
7; |
8; |
9; |
10; 11; 12; |
13; |
14; |
15); |
||||
X[16; : : : ; 31] = (7; |
4; |
13; |
1; |
10; 6; |
15; 3; 12; 0; |
9; |
5; |
2; |
14; |
11; |
8); |
||||||||
X[32; : : : ; 47] = (3; 10; |
14; |
4; |
9; 15; 8; |
1; |
2; |
7; |
0; |
6; 13; 11; |
5; |
12); |
|||||||||
X[48; : : : ; 63] = (1; |
9; |
11; 10; |
0; |
8; |
12; 4; 13; 3; |
7; 15; 14; 5; |
6; |
2); |
|||||||||||
X[64; : : : ; 79] = (4; |
0; |
|
5; |
9; |
7; 12; 2; 10; 14; 1; |
3; |
8; |
11; |
6; |
15; |
13): |
||||||||
The message bu er Y is initialized as follows. |
|
|
|
|
|
|
|||||||||||||
Y [0; : : : ; 15] = |
(5; |
14; |
7; |
0; |
9; |
|
2; |
11; 4; |
13; |
6; |
15; |
8; |
1; |
10; |
3; |
12); |
|||
Y [16; : : : ; 31] = |
(6; |
11; |
3; |
7; |
0; 13; 5; 10; |
14; 15; |
8; 12; 4; |
9; |
1; |
2); |
|||||||||
Y [32; : : : ; 47] = (15; |
5; |
|
1; |
3; |
7; |
14; |
6; |
9; |
11; |
8; |
12; 2; 10; |
0; |
4; |
13); |
|||||
Y [48; : : : ; 63] = |
(8; |
6; |
|
4; |
1; |
3; |
11; |
15; |
0; |
|
5; 12; |
2; |
13; |
9; |
7; |
10; |
14); |
||
Y [64; : : : ; 79] = (12; 15; 10; 4; |
1; |
|
5; |
8; |
7; |
|
6; |
2; |
13; |
14; |
0; |
3; |
9; |
11): |
|||||
{ Rounds in the left and right lines apply the following constants:
Round |
left line t` |
right line tr |
1 |
0 |
0x50a28be6 |
2 |
0x5a827999 |
0x5c4dd124 |
3 |
0x6ed9eba1 |
0x6d703ef 3 |
4 |
0x8f1bbcdc |
0x7a6d76e9 |
5 |
0xa953fd4e |
0 |
|
|
|
{ The ith iteration (Feistel permutation) is controlled by a message word M (from either X if the iteration is used in the left line or Y , in the right line); see Figure 6.13. The value
v = (( (B; C; D) + M + A + t) s) + E
is generated and the input (A; B; C; D; E) is transformed according to (A; B; C; D; E) := F(A; B; C; D; E; ; t; s) = (E; v; B; C 10; D);
where the constant t is either t` or tr.
The hashing process is depicted in Figure 6.14. The input vector (initialized to the xed values for the rst message block or taking on digests obtained from the previous message block) is used in both lines of execution. Each line includes 5 rounds each round has 16 iterations. The rounds in the left line of execution apply functions F; G; H; K, and L while the rounds in the right line of execution use functions in the reverse order. Constants t`; tr and the rotation parameters s`; sr are used accordingly. The parameters s` and sr are chosen as follows:
6.6 MD (Message Digest) Family |
269 |
A B C D E M
α t
<< S
<< 10
v
Fig. 6.13. An iteration in RIPEMD-160
Left Iterations |
|
|
|
Values of s` |
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
||||
0 : : : 15 |
11; 14; |
15; 12; 5; |
8; 7; |
9; 11; |
13; |
14; |
15; 6; 7; 9; |
8 |
||||
16 : : : 31 |
7; 6; 8; 13; |
11; 9; 7; |
15; 7; 12; |
15; 9; 11; 7; |
13; 12 |
|||||||
32 : : : 47 |
11; 13; 6; 7; |
14; 9; 13; |
15; 14; 8; |
13; |
6; 5; 12; 7; |
5 |
||||||
48 : : : 63 |
11; 12; |
14; 15; |
14; 15; 9; |
8; |
9; 14; 5; |
6; 8; 6; 5; 12 |
||||||
64 : : : 79 |
9; 15; 5; 11; 6; 8; 13; |
12; 5; 12; |
13; 14; 11; 8; 5; |
6 |
||||||||
|
|
|
|
|
|
|
|
|
||||
Right Iterations |
|
|
|
Values of sr |
|
|
|
|
||||
0 : : : 15 |
8; 9; 9; 11; |
13; 15; 15; 5; 7; 7; 8; 11; 14; 14; |
12; 6 |
|||||||||
16 : : : 31 |
9; 13; |
15; 7; |
12; 8; 9; |
11; 7; 7; |
12; 7; 6; 15; |
13; 11 |
||||||
32 : : : 47 |
9; 7; |
15; 11; 8; 6; 6; |
14; 12; 13; 5; 14; 13; 13; 7; |
5 |
||||||||
48 : : : 63 |
15; 5; 8; 11; |
14; 14; 6; |
14; 6; 9; |
12; |
9; 12; 5; |
15; 8 |
||||||
64 : : : 79 |
8; 5; |
12; 9; |
12; 5; 14; 6; 8; 13; 6; |
5; 15; 13; |
11; 11 |
|||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
6.6.4 HAVAL
HAVAL or a one-way hashing algorithm with variable length of output [548]. It compresses an arbitrarily long message into a digest of the length either 128, 160, 192, 224, or 256 bits. HAVAL allows to trade speed versus security by the optional number of passes: 3 (fast and least secure), 4 (moderate speed and security), and 5 (slowest and highly secure). HAVAL uses a 3-bit VERSION eld which indicates the version number of HAVAL { the current number is 1. A 3-bit PASS eld speci es the number of passes chosen by the user. A 10-bit FPTLEN eld de nes the requested length of the digest. A 64-bit MSGLEN eld is used to store the length of the processed message.
270 |
6 HASHING |
|
|
|
|
A B C D E |
|
|
|
X[0,...,15] |
1st Round |
1st Round |
Y[0,...,15] |
|
t l |
t r |
|||
F |
L |
|||
s l |
s r |
|||
|
|
|||
X[16,...,31] |
2nd Round |
2nd Round |
Y[16,...,31] |
|
t l |
t r |
|||
G |
K |
|||
s l |
s r |
|||
|
|
|||
X[32,...,47] |
3rd Round |
3rd Round |
Y[32,...,47] |
|
t |
t r |
|||
H |
H |
|||
s ll |
s r |
|||
X[48,...,63] |
4th Round |
4th Round |
Y[48,...,63] |
|
t |
t r |
|||
K |
G |
|||
s ll |
s r |
|||
X[64,...,79] |
5th Round |
5th Round |
Y[64,...,79] |
|
t |
t r |
|||
L |
F |
|||
s ll |
s r |
Fig. 6.14. General diagram of RIPEMD-160
Hashing starts from padding. A message is appended bit 1 followed by enough 0s so it becomes congruent 944 modulo 1024. An 80-bit string (VERSION, PASS,FPTLEN,MSGLEN) is appended to the padded message. The resulting message is a multiple of 1024 bits. The hashing proceeds in a block-by-block fashion (Figure 6.15). The folding tailors the length of the digest to the requested one.
A 1024-bit message m is divided into thirty-two 32-bit message blocks (words) so m = (m0; : : : ; m31). The general steps executed in HAVAL are depicted in Figure 6.16. The addition modulo 232 performed on corresponding words, completes the process. Each pass H1; H2; H3; H4, and H5 employs a Boolean function in seven variables. They are
F1(X0; : : : ; X6) = X0 (X0 ^ X1) (X1 ^ X4) (X2 ^ X5) (X3 ^ X6); F2(X0; : : : ; X6) = X0 (X0 ^ X2) (X1 ^ X2) (X1 ^ X4) (X2 ^ X6)
(X3 ^ X5) (X4 ^ X5) (X1 ^ X2 ^ X3) (X2 ^ X4 ^ X5);