Cryptographic Hash Functions

Transcription

1 Cryptographic Hash Functions

2 Cryptographic Hash Functions A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length.

3 Iterated Hash Function A (compression) function takes a fixed size input. The function is iterated number of times. Each iteration: n-bit string is input m-bit string is output. n>m Example: Merkle-Damgard Scheme

4 Merkle-Damgard Scheme

5 Merkle-Damgard Scheme It is an iterated hash function. 1. The message length and padding are appended to create an augmented message that can be evenly divided into blocks of n bits, where n is the size of the block to be processed by the compression function. 2. The message is then considered as t blocks, each of n bits. M 1, M 2, M t The digests t iterations are H 1, H 2, H t

6 Merkle-Damgard Scheme 3. Before starting the function, H_0 is set to a fixed value, called the IV initialization vector. 4. Compression function f is such that H i = f(h i-1, M i ) 5. H_t is the cryptographic hash function of the original message, that is, h(m).

7 Merkle-Damgard Scheme

8 Two groups of compression functions 1. Compression function made from scratch 2. A symmetric-key block cipher serves as a compression function

9 Hash functions from scratch 1. Message Digest: MD 2. Secure Hash Function (SHA)

10 Hash Functions based on Block Ciphers An iterated cryptographic hash function can use a symmetric-key block cipher as a compression function.

11 Rabin Scheme Based on Merkle-Damgard scheme. Compression function = encrypting cipher Message block = key for cipher Plain text = previous digest New Message Digest = ciphertext Size of digest = size of data block used in the underlying cipher. If DES then digest = 64 bits Subject to meet-in-the-middle attack.

12 Rabin Scheme

13 Davies-Meyer Scheme Uses forward feed to protect against meetin-the-middle attack.

14 SHA-512 SHA-512 is the version of SHA with a 512- bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme.

15 Message digest creation SHA-512

16 Message Preparation SHA-512 insists that the length of the original message be less than bits. Note SHA-512 creates a 512-bit message digest out of a message of length less than

17 Padding and length field in SHA-512

18 Example What is the number of padding bits if the length of the original message is 2590 bits? Solution We can calculate the number of padding bits as follows: The padding consists of one 1 followed by s.

19 Example Do we need padding if the length of the original message is already a multiple of 1024 bits? Solution Yes we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits.

20 Example What is the minimum and maximum number of padding bits that can be added to a message? Solution a. The minimum length of padding is 0 and it happens when ( M 128) mod 1024 is 0. This means that M = 128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits. We add a 128-bit length field to make the block complete.

21 Example b) The maximum length of padding is 1023 and it happens when ( M 128) = 1023 mod This means that the length of the original message is M = ( ) mod 1024 or the length is M = 897 mod In this case, we cannot just add the length field because the length of the last block exceeds one bit more than So we need to add 897 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete.

22 Words: SHA 512 has a message size of 1024 bits. The word size is 64 bits = 16 x words. Digest size = 512 bits = 8 words. A message block and the digest as words

23 Word Expansion: SHA 512 needs 80 words for processing. 16 word block 80 words First 16 words form the message block and the rest as shown. Word expansion in SHA-512

24 Example Show how W60 is made. Solution Each word in the range W16 to W79 is made from four previously-made words. W60 is made as

25 Message Digest Initialization Comes from first 8 primes. Fraction part of the square root of the number and in binary first 64 bits are considered. Example, 8 th prime = 19. SQUARE ROOT(19) = Converted to binary:

26 Compression function in SHA-512 Message Block = 1024 bits Total 80 rounds. Each round input = 8 words initial digest 1 word = 64 bit. One word from extended block W_0 and one 64-bit constant K_0. A new set of 8 buffers Last round the final adding with the initial digest is done.

27 Structure of each round in SHA-512

28 Majority Function Conditional Function Rotate Functions

29

30 There are 80 constants, K 0 to K 79, each of 64 bits. Similar These values are calculated from the first 80 prime numbers (2, 3,, 409). For example, the 80th prime is 409, with the cubic root (409) 1/3 = Converting this number to binary with only 64 bits in the fraction part, we get The fraction part: (6C44198C4A475817) 16

31 WHIRLPOOL Whirlpool is an iterated cryptographic hash function, based on the Miyaguchi-Preneel scheme, that uses a symmetric-key block cipher in place of the compression function. The block cipher is a modified AES cipher that has been tailored for this purpose.