Presentation is loading. Please wait.

Presentation is loading. Please wait.

12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions.

Published byPhoebe Wilkerson Modified over 9 years ago

Similar presentations

Presentation on theme: "12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions."— Presentation transcript:

1 12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions

2 12.2 Objectives  To introduce general ideas behind cryptographic hash functions  To discuss the Merkle-Damgard scheme as the basis for iterated hash functions  To distinguish between two categories of hash functions:  To discuss the structure of SHA-512.  To discuss the structure of Whirlpool.

3 12.3 12.1 INTRODUCTION A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length. The ultimate goal of this chapter is to discuss the details of the two most promising cryptographic hash algorithms – SHA-512 and Whirlpool.

4 12.4 12.1.1 Iterated Hash Function All cryptographic hash functions need to create a fixed-size digest out of a variable-size message. Creating such a function is best accomplished using iteration. Instead of using a hash function with variable-size input, a function with fixed-size input is created and is used a necessary number of times. The fixed-size input function is referred to as a compression function. It compresses an n -bit string to create an m -bit string, where normally n > m. The scheme is referred to as an iterated cryptographic hash function.

5 12.5 12.1.1 Iterated Hash Function Merkle-Damgard Scheme Figure 12.1 Merkle-Damgard scheme The Merkle-Damgard scheme is an iterated hash function that is collision resistant if the compression function is collision resistant H i = f(H i-1, M i ) IV(initial value)

6 12.6 The Merkle-Damgard scheme is the basis for many cryptographic hash functions today. The only thing we need to do is design a compression function that is collision resistant and insert it in the Merkle-Damgard scheme. 12.1.2 Two Groups of Compression Functions Two different approaches in designing a hash function: 1. The compression function is made from scratch. Message Digest (MD), Secure Hash Algorithm(SHA) 2. A symmetric-key block cipher serves as a compression function. Whirlpool

7 12.7 These compression functions are specially designed for the purposes they serve. Message Digest (MD) Several hash algorithms were designed by Ron Rivest. MD2, MD4, and MD5. MD5 is a strengthened version of MD4 that divides the message into blocks of 512 bits and creates a 128 -bit digest. It turns out that a message digest of size 128 bits is too small to resist collision attack. 12.1.2 Two Groups of Compression Functions Hash Functions made from Scratch

8 12.8 Secure Hash Algorithm (SHA) The Secure Hash Algorithm (SHA) is a standard that was developed by NIST and published as FIPS180. The standard is mostly based on MD5. The standard was revised in 1995 under FIPS180-1, which includes SHA-1. It was revised later under FIPS180-2, which defines four new versions : SHA-224, SHA-256, SHA-384, and SHA-512. 12.1.2 Two Groups of Compression Functions Hash Functions made from Scratch (Continued)

9 12.9 12.1.2 Two Groups of Compression Functions Secure Hash Algorithm (SHA) (Continued) Other Algorithms RACE Integrity Primitive Evaluation Message Digest (RIPEMD) has a standard several versions: RIPEMD-160. HAVAL is a variable-length hashing algorithm with a message digest of size 128, 160, 192, 224, and 256. The block size is 1024 bits

10 12.10 A symmetric-key block cipher can be used as a compression function. Several secure symmetric-key block cipher, such as DES or AES, can be used to make a one-way function instead of creating a new compression function. The block cipher in this case only performs encryption. The most promising one is Whirlpool. 12.1.2 Two Groups of Compression Functions Hash Functions based on Block Ciphers

11 12.11 Rabin Scheme Figure 12.2 Rabin scheme 12.1.2 Two Groups of Compression Functions This scheme is based on the Merkle-Damgard scheme. The message block is used as the key. The size of digest is the size of data block cipher in the underlying cryptosystem. This scheme is subject to a meet-in-the-middle attack. because the adversary can use the decryption algorithm.

12 12.12 Davies-Meyer Scheme Figure 12.3 Davies-Meyer scheme 12.1.2 Two Groups of Compression Functions This scheme is basically the same as the Rabin scheme except the it uses forward feed to protect against meet-in-the-middle attack.

13 12.13 Matyas-Meyer-Oseas Scheme Figure 12.4 Matyas-Meyer-Oseas scheme 12.1.2 Two Groups of Compression Functions This scheme is a dual version of the Davis-Meyer scheme. The scheme can be used if the data block and the cipher key are the same size. AES is a good candidate for this purpose.

14 12.14 Miyaguchi-Preneel Scheme Figure 12.5 Miyaguchi-Preneel scheme 12.1.2 Two Groups of Compression Functions This scheme is an extended version of the Matias-Meyer-Oseas scheme. This is the scheme used by the Whirlpool hash function.

15 12.15 12.2 SHA-512 SHA-512 is the version of SHA with a 512-bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme. SHA-512 is the latest version of SHA family with a more complex structure than others and the longest message digest.

16 12.16 12.2.1 Introduction Figure 12.6 Message digest creation SHA-512

17 12.17 SHA-512 insists that the length of the original message be less than 2 128 bits. Note that SHA-512 creates a 512 -bit message digest out of a message less than 2 128. 12.2.1 Introduction Message Preparation

18 12.18 This example shows that the message length limitation of SHA-512 is not a serious problem. Suppose we need to send a message that is 2 128 bits in length. How long does it take for a communications network with a data rate of 2 64 bits per second to send this message? Example 12.1 Solution A communications network that can send 2 64 bits per second is not yet available. Even if it were, it would take many years to send this message. This tells us that we do not need to worry about the SHA-512 message length restriction. 12.2.1 Introduction

19 12.19 This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2 128 bits? Example 12.2 Solution Suppose that a character is 32, or 2 5, bits. Each page is less than 2048, or 2 11, characters. So 2 128 bits need at least 2 128 / 2 16, or 2 112, pages. This again shows that we need not worry about the message length restriction. 12.2.1 Introduction

20 12.20 Figure 12.7 Padding and length field in SHA-512 12.2.1 Introduction Length Field and Padding Before the message digest can be created, SHA-512 requires the addition of a 128 -bit unsigned-integer length field to the message that defines the length of the message in bits. The field can define a number between 0 and 2 128 -1. (|M| + |P| +128) = 0 mod 1024 → |P| = (− |M| − 128 ) mod 1024

21 12.21 What is the number of padding bits if the length of the original message is 2590 bits? Example 12.3 Solution We can calculate the number of padding bits as follows: The padding consists of one 1 followed by 353 0 ’s. 12.2.1 Introduction

22 12.22 Do we need padding if the length of the original message is already a multiple of 1024 bits? Example 12.4 Solution Yes we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits. 12.2.1 Introduction

23 12.23 What is the minimum and maximum number of padding bits that can be added to a message? Example 12.5 Solution a.The minimum length of padding is 0 and it happens when ( −M − 128 ) mod 1024 is 0. This means that | M | = −128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits. We add a 128 -bit length field to make the block complete. 12.2.1 Introduction

24 12.24 Example 12.5 b. The maximum length of padding is 1023 and it happens when ( −|M| −128 ) = 1023 mod 1024. This means that the length of the original message is | M | = ( −128 −1023 ) mod 1024 or the length is | M | = 897 mod 1024. In this case, we cannot just add the length field because the length of the last block exceeds one bit more than 1024. So we need to add 1023 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete. (Continued) 12.2.1 Introduction

25 12.25 Words Figure 12.8 A message block and the digest as words 12.2.1 Introduction SHA-512 operates on words. Each word is defined as 64 bit. Each block of the message consists of sixteen 64 -bit words. The message digest consists of only eight words.

26 12.26 Word Expansion Figure 12.9 Word expansion in SHA-512 12.2.1 Introduction Before processing, each message block (16 64 -bit words) is expanded to 80 words.

27 12.27 Show how W 60 is made. Example 12.6 Solution Each word in the range W 16 to W 79 is made from four previously-made words. W 60 is made as 12.2.1 Introduction

28 12.28 Message Digest Initialization 12.2.1 Introduction The algorithm uses eight constants, A 0 to H 0, for message digest initialization.

29 12.29 Message Digest Initialization 12.2.1 Introduction The constants are calculated from the first 8 primes ( 2, 3, 5, 7, 11, 17, and 19 ). Each value is the fraction part of square root of the corresponding prime number after converting to binary and keeping only the first 64 bits. For example, H 0, the square root of 19, ( 19 ) 1/2 = 4.358894354. Converting it to binary with only 64 bits in the fraction part, we get (Continued)

30 12.30 12.2.2 Compression Function Figure 12.10 Compression function in SHA-512 In each round, the contents of 8 previous buffers, one word ( W i ) from the expanded block, and one 64-bit constant ( K i ) are mixed together and then operated on to create a new set of 8 buffers. Final adding

31 12.31 Figure 12.11 Structure of each round in SHA-512 12.2.2 Compression Function

32 12.32 Majority Function Conditional Function Rotate Functions 12.2.2 Compression Function This is a bitwise function. If two or three bits are 1 ’s, the resulting bit is 1 ; otherwise it is 0. If E j then F j ; else G j.

33 12.33 12.2.2 Compression Function

34 12.34 There are 80 constants, K 0 to K 79, each of 64 bits. Similar to the initial values for the eight digest buffers, these values are calculated from the first 80 prime numbers ( 2, 3,…, 409 ). Each value is the fraction part of the cubic root of the corresponding prime number. For example, the 80th prime is 409, with the cubic root ( 409 ) 1/3 = 7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get The fraction part: (6C44198C4A475817) 16 12.2.2 Compression Function

35 12.35 We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0 x 7, 0 x A, and 0 x E, respectively, what is the leftmost digit of the result? Example 12.7 Solution The digits in binary are 0111, 1010, and 1110. a. The first bits are 0, 1, and 1. The majority is 1. b. The second bits are 1, 0, and 1. The majority is 1. c. The third bits are 1, 1, and 1. The majority is 1. d. The fourth bits are 1, 0, and 0. The majority is 0. The result is 1110, or 0 x E in hexadecimal. 12.2.2 Compression Function

36 12.36 We apply the Conditional function on E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0 x 9, 0 x A, and 0 x F respectively, what is the leftmost digit of the result? Example 12.8 Solution The digits in binary are 1001, 1010, and 1111. a. The first bits are 1, 1, and 1. The result is F 1, which is 1. b. The second bits are 0, 0, and 1. The result is G 2, which is 1. c. The third bits are 0, 1, and 1. The result is G 3, which is 1. d. The fourth bits are 1, 0, and 1. The result is F 4, which is 0. The result is 1110, or 0 x E in hexadecimal. 12.2.2 Compression Function

37 12.37 With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks. It has been claimed that this version’s improved design makes it more efficient and more secure than the previous versions. However, more research and testing are needed to confirm this claim. 12.2.3 Analysis

38 12.38 12.3 WHIRLPOOL Whirlpool is designed by Vincent Rijmen and Paulo S. Barreto. It is endorsed by the New European Schemes for Signatures, Integrity, and Encryption (NESSIE). Whirlpool is an iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, that uses a symmetric-key block cipher in place of the compression function. The block cipher is a modified AES cipher that has been tailored for this purpose.

39 12.39 Figure 12.12 Whirlpool hash function 12.3 WHIRLPOOL

40 12.40 Preparation 12.3 WHIRLPOOL Whirlpool requires that the length of the original message be less than 2 256 bits. A message needs to be padded before being processed. The padding is a single 1 -bit followed by the necessary numbers of 0 -bits to make the length of the padding an odd multiple of 256 bits. After padding, a block of 256 bits is added to define the length of the original message. This block is treated as an unsigned number. H 0 is initialized to all 0 ’s.

41 12.41 12.3.1 Whirlpool Cipher Figure 12.13 General idea of the Whirlpool cipher Whirpool cipher is a non-Feistel cipher like AES that was mainly designed as a block cipher to be used in a hash algorithm.

42 12.42 12.3.1 Whirlpool Cipher Whirpool cipher is a round cipher that uses 10 rounds. The block size and key size are 512 bits. The cipher uses 11 round keys, K 0 to K 10. Rounds States and Blocks The size of the block or state is 512 bits. A block is considered as a square matrix of 8 × 8 bytes. Unlike AES, the block-to-state or state-to-block transformation is done row by row.

43 12.43 Figure 12.14 Block and state in the Whirlpool cipher 12.3.1 Whirlpool Cipher

44 12.44 Each round uses four transformations. Figure 12.15 Structure of each round in the Whirlpool cipher 12.3.1 Whirlpool Cipher Structure of Each Round

45 12.45 Like in AES, SubBytes provide a nonlinear transformation. Figure 12.16 SubBytes transformations in the Whirlpool cipher 12.3.1 Whirlpool Cipher SubBytes

46 12.46 12.3.1 Whirlpool Cipher

47 12.47 Like in AES, the entries in Table 12.4 can be calculated algebraically using GF(2 4 ) field with the irreducible polynomials ( x 4 +x+1 ). Each hexadecimal digit in a byte is the input to minibox ( E and E -1 ). The results are fed into another minibox, R. The E boxes calculate the exponential of input hexadecimal; the R box uses a pseudorandom number generator. 12.3.1 Whirlpool Cipher SubBytes (Continued)

48 12.48 Figure 12.17 SubBytes in the Whirlpool cipher 12.3.1 Whirlpool Cipher

49 12.49 ShiftColumns Figure 12.18 ShiftColumns transformation in the Whirlpool cipher 12.3.1 Whirlpool Cipher Shifting depends on the position of the column. Column 0 goes through 0 -byte shifting (no shifting), While column 7 goes through 7 -byte shifting.

50 12.50 Figure 12.19 MixRows transformation in the Whirlpool cipher 12.3.1 Whirlpool Cipher MixRows

51 12.51 12.3.1 Whirlpool Cipher MixRows (Continued) Similar to the MixColumns transformation in AES. Multiplication of bytes is done in GF(2 8 ), but the modulus is different from the one used in AES. The Whirlpool cipher uses ( 0x11D ) or ( x 8 +x 4 +x 3 +x 2 +1 ) as modulus.

52 12.52 Figure 12.20 AddRoundKey transformation in the Whirlpool cipher 12.3.1 Whirlpool Cipher AddRoudKey The AddRoundKey transformation in the Wirlpool cipher is done byte by byte, because each round key is also a state of 8 × 8 matrix.

53 12.53 12.3.1 Whirlpool Cipher Key Expansion The key-expansion algorithm in Whirlpool is totally different from the algorithm in AES. Instead of using a new algorithm for creating round keys, Whirlpool uses a copy of the encryption algorithm (w/o preround) to create the round keys. The output of each round in the encryption algorithm is the round key for that round. Where do the round keys for the key expansion algorithm come from? Whirlpool cipher uses 10 round constants ( RC s) as virtual round keys for the key expansion algorithm.

54 12.54 Figure 12.21 Key expansion in the Whirlpool cipher 12.3.1 Whirlpool Cipher Key Expansion

55 12.55 Figure 12.22 Round constant for the third round 12.3.1 Whirlpool Cipher Round Constants Each round constant, RC r is an 8 × 8 matrix where only the first row has non-zero values. The values can be calculated using the SubBytes transformation.

56 12.56 12.3.2 Summary

57 12.57 Although Whirlpool has not been extensively studied or tested, it is based on a robust scheme (Miyaguchi-Preneel), and for a compression function uses a cipher that is based on AES, a cryptosystem that has been proved very resistant to attacks. In addition, the size of the message digest is the same as for SHA-512. Therefore it is expected to be a very strong cryptographic hash function. 12.3.3 Analysis

Download ppt "12.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 12 Cryptographic Hash Functions."

Similar presentations

Hashes and Message Digests

Hashes and Message Digests
Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.

Lecture 7 Overview. Advanced Encryption Standard 10, 12, 14 rounds for 128, 192, 256 bit keys – Regular Rounds (9, 11, 13) – Final Round is different.
Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.

Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.

 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
Advanced Encryption Standard

Advanced Encryption Standard
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Similar presentations

Ads by Google