
Chapter 6: New HASH Function

6.1 Message Authentication

Message authentication is a mechanism or service used for verifying the integrity of a message. Message authentication assures that the data received are exactly as sent, i.e., contain no modification, insertion, deletion, or replay, and that the purported identity of the sender is valid. Symmetric encryption provides authentication among those who share the secret key. Encryption of a message by a sender's private key also provides a form of authentication.

The two most common cryptographic techniques for message authentication are a message authentication code (MAC) and a secure hash function. A MAC is an algorithm that requires the use of a secret key. A MAC takes a variable-length message and a secret key as input and produces an authentication code. A recipient in possession of the secret key can generate an authentication code to verify the integrity of the message. A hash function maps a variable-length message into a fixed-length hash value, or message digest. For message authentication, a secure hash function must be combined in some fashion with a secret key.

6.1.1 Authentication Requirements

In the context of communication across a network, the following attacks can be identified:

- Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.
- Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of the messages between the parties could be determined.
- Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or non-receipt by someone other than the message recipient.
- Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.
- Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.
- Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message could be delayed or replayed.
- Source repudiation: Denial of transmission of a message by the source.
- Destination repudiation: Denial of receipt of a message by the destination.

6.1.2 Authentication Functions

The following are the commonly used functions for authentication.

Message Encryption: The ciphertext of the entire message serves as its authentication. A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: no other party can recover the plaintext of the message. In addition, we may say that B is assured that the message was generated by A. The message must have come from A because A is the only other party that possesses secret key K and therefore the only other party with the information necessary to construct ciphertext that can be decrypted with K. Furthermore, if message M is recovered, B knows that none of the bits of M have been altered, because an opponent that does not know K would not know how to alter the bits in the ciphertext to produce the desired changes in the plaintext.

Message Authentication Code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authentication. An alternative technique involves the use of a secret key to generate a small fixed-size block of data, known as a cryptographic checksum or MAC, that is appended to the message. This technique assumes that two communicating parties, say A and B, share a common secret key K. When A has a message to send to B, it calculates the MAC as a function of the message and the key. The message and the MAC are transmitted to the intended recipient B. The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC. The received MAC is compared to the calculated MAC, and if they match, the received message is accepted.

Hash Function: A function that maps a message of any length into a fixed-length hash value, which serves as the authentication. A hash function accepts a variable-size message M as input and produces a fixed-size output, referred to as a hash code H(M). The hash code is also referred to as a message digest or hash value. The hash code is a function of all the bits of the message and provides an error-detection capability: a change to any bit or bits in the message results in a change to the hash code. Fig. 6.1 is a simple block diagram of a hash function generator.

Figure 6.1: Encrypt message plus hash code

The message M plus the concatenated hash code H(M) is encrypted using symmetric encryption. Because only A and B share the secret key, the message must have come from A and has not been altered. The hash code provides the structure or redundancy required to achieve authentication. Because encryption is applied to the entire message plus hash code, confidentiality is also provided.

Fig. 6.2 shows the block diagram of a hash function generator using a shared secret key. Only the hash code is encrypted, using symmetric encryption.

Figure 6.2: Encrypt hash code with shared secret key

This reduces the processing burden for those applications that do not require confidentiality. Fig. 6.3 shows a hash function generator using the sender's private key in public key cryptography.

Figure 6.3: Encrypt hash code with sender's private key

Only the hash code is encrypted, using the public key encryption algorithm with the sender's private key; this provides authentication. It also provides a digital signature, because only the sender could have produced the encrypted hash code. As shown in Fig. 6.4, if confidentiality as well as the digital signature is desired, then the message plus the private-key-encrypted hash code can be encrypted using a symmetric secret key. This is a common technique.

Figure 6.4: Encrypt result of encrypted hash code with shared secret key

As shown in Fig. 6.5, it is possible to use a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value K. A computes the hash over the concatenation of the message M and K and appends the resulting hash value to M. Because the secret value itself is not sent, an opponent cannot modify an intercepted message and cannot generate a false message.

Figure 6.5: Compute hash code of message plus secret key

Figure 6.6: Encrypt the result of hash code of message plus secret key

6.2 Hash Functions

A hash value h is generated by a function H of the form h = H(M), where M is a variable-length message and H(M) is the fixed-length hash value. The hash value is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates the message by recomputing the hash value.

6.2.1 Requirements for a Hash Function

To be useful for message authentication, a hash function H must have the following properties:

- H can be applied to a block of data of any size.
- H produces a fixed-length output.
- H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
- For any given value h, it is computationally infeasible to find x such that H(x) = h. This is referred to as the one-way property.
- For any given block x, it is computationally infeasible to find y ≠ x such that H(y) = H(x). This is referred to as weak collision resistance.
- It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is referred to as strong collision resistance.

6.2.2 Security of Hash Functions

The strength of a hash function against brute-force attacks depends solely on the length n of the hash code produced by the algorithm.

- One-way: For any given code h, it is computationally infeasible to find x such that H(x) = h. The level of effort required is 2^n.
- Weak collision resistance: For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). The level of effort required is 2^n.
- Strong collision resistance: It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). The level of effort required is 2^(n/2).

6.2.3 Message Digest Hash (MDH)

Hash functions of the message digest family are iterated hash functions. They share a common structure of the compression function, which consists of two major parts, namely message expansion and the consecutive evaluation of a number of similar steps.

The Message Digest-4 (MD4) algorithm compresses an input with a maximum length of 2^64 bits to a 128-bit hash value. The size of one message block in MD4 is 512 bits. The input message is padded to fit this message block size. The padding scheme always appends a single 1 bit to the end of the message. Then, 0 bits are appended until the message length is congruent to 448 modulo 512. Finally, the 64-bit representation of the message length before padding is appended. Each 512-bit message block of the padded message is compressed by the compression function, which consists of three rounds of 16 steps each. In each round a different Boolean function is used; in MD4 there are three Boolean functions. Because of the initial cryptanalysis of MD4 by Ralph Merkle and Eli Biham, MD4 was improved to MD5 by Rivest. The structure of MD5 is quite similar to MD4, but there are four Boolean functions and four rounds. However, there have since been significant improvements in collision attacks on these hash functions.

6.2.4 Secure Hash Algorithm (SHA)

The Secure Hash Algorithm was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993; a revised version was issued as FIPS 180-1 in 1995 and is generally referred to as SHA-1. The actual standards document is entitled Secure Hash Standard. SHA is based on the hash function MD4, and its design closely models MD4. SHA-1 is also specified in RFC 3174, which essentially duplicates the material in FIPS 180-1 but adds a C code implementation. SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512. Table 6.1 compares the SHA parameters.

Table 6.1: Comparison of SHA parameters (sizes and security in bits)

                      SHA-1     SHA-256   SHA-384   SHA-512
Message digest size   160       256       384       512
Message size          < 2^64    < 2^64    < 2^128   < 2^128
Block size            512       512       1024      1024
Word size             32        32        64        64
Number of steps       80        64        80        80
Security              80        128       192       256

These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on the other SHA versions by 2010. Shortly thereafter, a research team described an attack in which two separate messages could be found that deliver the same SHA-1 hash using 2^69 operations, far fewer than the 2^80 operations previously thought needed to find a collision with a SHA-1 hash. This result should hasten the transition to the other versions of SHA.

6.3 Whirlpool Hash Function

The Whirlpool hash algorithm is a 512-bit hash function designed by Vincent Rijmen and Paulo S.L.M. Barreto. It uses a symmetric-key block cipher based on AES, known as the Whirlpool cipher. The Whirlpool hash function is endorsed by New European Schemes for Signatures, Integrity and Encryption (NESSIE). It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard. Whirlpool is based on the use of a block cipher for the compression function. The following are potential drawbacks of using a block cipher:

- Block ciphers do not possess the properties of randomizing functions. For example, they are invertible. This lack of randomness may lead to weaknesses that can be exploited.
- Block ciphers typically exhibit other regularities or weaknesses.
- Typically, block-cipher-based hash functions are significantly slower than hash functions based on a compression function specifically designed for the hash function.

A principal measure of the strength of a hash function is the length of the hash code in bits. For DES it is 64 bits or 128 bits, resulting in a hash code of questionable strength. However, since the adoption of AES, there has been renewed interest in developing a secure hash function based on a strong block cipher and exhibiting good performance. Whirlpool is a block-cipher-based hash function intended to provide security and performance comparable to that found in non-block-cipher-based hash functions such as SHA. Whirlpool has the following features:

- The hash code length is 512 bits, equaling the longest hash code available with SHA.
- The overall structure of the hash function is one that has been shown to be resistant to the usual attacks on block-cipher-based hash codes.
- The underlying block cipher is based on AES and is designed to provide for implementation in both software and hardware, i.e., it is both compact and exhibits good performance.

The design of Whirlpool sets the following security goals:

- The expected workload of generating a collision is of the order of 2^(n/2) executions of Whirlpool.
- Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of 2^n executions of Whirlpool.
- Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2^n executions of Whirlpool.
- It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped. This means resistance against linear and differential attacks.

The Whirlpool hash structure is based on the Miyaguchi-Preneel scheme and consists of 10 rounds. Fig. 6.7 shows the model of a single iteration of the Whirlpool function. P is the plaintext, or i-th block of the input message; C is the ciphertext; K is the encryption key; H_i is the i-th intermediate hash value; FF is the feed-forward value.

Figure 6.7: Model of a Single Iteration of the Whirlpool Hash Function

6.3.1 Hash Function Structure

Given a message consisting of a sequence of blocks m_1, m_2, ..., m_t, the Whirlpool hash function is expressed as follows:

    H_0 = Initial Value
    H_i = W(H_{i-1}, m_i) ⊕ H_{i-1} ⊕ m_i
    H_t = Final Hash Code value

In terms of the model, the encryption key input for each iteration is the intermediate hash value from the previous iteration; the plaintext is the current message block; and the feed-forward value is the bitwise XOR of the current message block and the intermediate hash value from the previous iteration.

Whirlpool Algorithm

The algorithm takes as input a message with a maximum length of less than 2^256 bits and produces as output a 512-bit message digest. The input is processed in 512-bit blocks. Fig. 6.8 depicts the overall processing of a message to produce a digest.

Figure 6.8: Message Digest Generation using Whirlpool

Message Preparation

The processing consists of the following steps:

- Append padding bits: The message is padded so that its length in bits is an odd multiple of 256. Padding is always added, even if the message is already of the desired length. For example, if the message is 256 × 3 = 768 bits long, it is padded by 512 bits to a length of 256 × 5 = 1280 bits. Thus, the number of padding bits is in the range 1 to 512.
- Append length: A block of 256 bits is appended to the message. This block is treated as an unsigned 256-bit integer (most significant byte first) and contains the length in bits of the original message (before the padding). The outcome of the first two steps is a message that is an integer multiple of 512 bits in length. In Fig. 6.8, the expanded message is represented as the sequence of 512-bit blocks m_1, m_2, ..., m_t, so that the total length of the expanded message is t × 512 bits. These blocks are viewed externally as arrays of bytes by sequentially grouping the bits in 8-bit chunks. Internally, however, the hash state H_i is viewed as an 8×8 matrix of bytes. The transformation between the two is explained subsequently.
- Initialize hash matrix: An 8×8 matrix of bytes is used to hold intermediate and final results of the hash function. The matrix is initialized as consisting of all 0 bits.
- Process the message in 512-bit (64-byte) blocks: The heart of the algorithm is the block cipher W.

The Block Cipher W

Whirlpool uses a block cipher that is specifically designed for use in the hash function. The block cipher W, which has a similar structure and uses the same elementary functions as AES, uses a block size and a key size of 512 bits. Although W is similar to AES, it is not simply an extension. AES operates on a state of 4×4 bytes, whereas W operates on a state of 8×8 bytes. W uses a row-oriented matrix, whereas AES uses a column-oriented matrix. A comparison between AES and W is presented in Table 6.2.

Table 6.2: Comparison of AES and W block ciphers

                          W                                         AES
Block size (bits)         512                                       128
Key size (bits)           512                                       128, 192 or 256
Matrix orientation        Input is mapped row-wise                  Input is mapped column-wise
Number of rounds          10                                        10, 12 or 14
Key expansion             W round function                          Dedicated expansion algorithm
GF(2^8) polynomial        x^8 + x^4 + x^3 + x^2 + 1 (0x11D)         x^8 + x^4 + x^3 + x + 1 (0x11B)
Origin of S-box           Recursive structure                       Multiplicative inverse in GF(2^8) + affine transformation
Origin of round constants Successive entries of the S-box           Elements 2^i of GF(2^8)
Diffusion layer           Right multiplication by 8×8 circulant     Left multiplication by 4×4 circulant
                          MDS matrix (1, 1, 4, 1, 8, 5, 2, 9)       MDS matrix (2, 3, 1, 1) - mix columns
                          - mix rows
Permutation               Shift columns                             Shift rows
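The two message preparation steps of Section 6.3.1 (append padding bits, append length), as an added Python example that is not part of the original chapter; it assumes byte-aligned input, so the single 1 bit is written as the byte 0x80 and the smallest possible padding is 8 bits rather than 1.

```python
from typing import List


def whirlpool_pad(message: bytes) -> bytes:
    """Whirlpool message preparation (Section 6.3.1), assuming byte-aligned input.

    Step 1: append a single 1 bit (here the byte 0x80), then 0 bits until the
            length is an odd multiple of 256 bits, i.e. 256 mod 512. Padding is
            always added, so 1 to 512 padding bits (here 8 to 512) are appended.
    Step 2: append the original length in bits as a 256-bit big-endian integer.
    The result is a whole number of 512-bit (64-byte) blocks.
    """
    bit_len = len(message) * 8
    if bit_len >= 1 << 256:
        raise ValueError("Whirlpool messages must be shorter than 2^256 bits")
    padded = bytearray(message)
    padded.append(0x80)
    # 256 bits mod 512 is the same condition as 32 bytes mod 64.
    while len(padded) % 64 != 32:
        padded.append(0x00)
    padded += bit_len.to_bytes(32, "big")
    return bytes(padded)


def padding_bits(message: bytes) -> int:
    """Number of bits added by step 1 alone (the 256-bit length field excluded)."""
    return (len(whirlpool_pad(message)) - 32 - len(message)) * 8


def message_blocks(message: bytes) -> List[bytes]:
    """The padded message as the 512-bit blocks m_1 ... m_t fed to the block cipher W."""
    padded = whirlpool_pad(message)
    return [padded[i:i + 64] for i in range(0, len(padded), 64)]
```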

6.3.2 The Overall Structure

Fig. 6.9 shows the overall structure of W. The encryption algorithm takes a 512-bit block of plaintext and a 512-bit key as input and produces a 512-bit block of ciphertext as output. The encryption algorithm uses four different functions, or transformations, in each round:

- Substitute Bytes (SB)
- Shift Columns (SC)
- Mix Rows (MR)
- Add Round Key (AK)

W consists of a single application of AK followed by 10 rounds that involve all four functions. Each round r can be expressed as a round function RF, which is a composition of the above functions:

    RF(K_r) = AK[K_r] ∘ MR ∘ SC ∘ SB

Figure 6.9: The Whirlpool Cipher W

Substitute Bytes

The substitute bytes function (SB) is a simple table lookup that provides a nonlinear mapping. W defines a 16×16 matrix of byte values, called an S-box, that contains a permutation of all 256 possible 8-bit values. Each individual byte of the c-state is mapped into a new byte in the following way: the leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indices into the S-box to select a unique 8-bit output value. For example, the hexadecimal value 95h references row 9, column 5 of the S-box, which contains the value bah. Accordingly, the value 95h is mapped into the value bah. The S-box can be generated by using a recursive structure. It consists of two nonlinear layers, each containing two 4×4 S-boxes separated by a 4×4 randomly generated box. Each of the boxes maps a 4-bit input into a 4-bit output.

Shift Columns

Shift Columns causes a circular downward shift of each column of the c-state except the first column. For the second column, a 1-byte circular downward shift is performed; for the third column, a 2-byte circular downward shift is performed; and so on. The SC function serves as the permutation layer.

Mix Rows

Any block cipher warrants having a diffusion layer; Mix Rows serves this purpose in Whirlpool. Diffusion is achieved by having each input bit affect the value of many output bits; generally, this results in each output bit being affected by many input bits. The diffusion layer (Mix Rows) achieves diffusion within each row individually.

Each byte of a row is mapped into a new value that is a function of all eight bytes in that row. The transformation can be defined by the matrix multiplication B = C A, where A is the input matrix, B is the output matrix, and C is the transformation matrix. The C matrix used in the Mix Rows operation is given below:

    01 01 04 01 08 05 02 09
    09 01 01 04 01 08 05 02
    02 09 01 01 04 01 08 05
    05 02 09 01 01 04 01 08
    08 05 02 09 01 01 04 01
    01 08 05 02 09 01 01 04
    04 01 08 05 02 09 01 01
    01 04 01 08 05 02 09 01

All the elements in the C matrix are hexadecimal numbers. Each element in the product matrix is the sum of the products of the elements of one row and one column. In this case, the individual additions and multiplications are performed in GF(2^8) with the irreducible polynomial f(x) = x^8 + x^4 + x^3 + x^2 + 1, i.e., 11Dh.

Add Round Key

In the Add Round Key layer, the 512 bits of the c-state are bitwise XORed with the 512 bits of the round key. It is done byte by byte on the c-state matrix. Whirlpool does not have a dedicated key expansion algorithm. It uses a copy of the encryption algorithm for key expansion. The round keys for the key expansion are 10 round constants. The key-generation algorithm treats the cipher key as plaintext and encrypts it, thus generating a round key for the encryption algorithm at the end of every round of the key-expansion algorithm.

Key Expansion for W

As shown in Figure 2.3, key expansion is achieved by using the block cipher itself, with a round constant serving as the round key for the expansion. The round constant for round r, 1 ≤ r ≤ 10, is a matrix RC[r] in which only the first row is nonzero, defined as follows:

    RC[r]_{0,j} = S[8(r − 1) + j],   0 ≤ j ≤ 7, 1 ≤ r ≤ 10
    RC[r]_{i,j} = 0,                 1 ≤ i ≤ 7, 0 ≤ j ≤ 7, 1 ≤ r ≤ 10

Using the round constants, the key schedule expands the 512-bit cipher key K into a sequence of round keys K_0, K_1, ..., K_10:

    K_0 = K
    K_r = RF[RC[r]](K_{r−1})

where RF is the round function defined earlier. Note that for the Add Round Key phase of each round, only the first row of the k-state is altered.
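The Shift Columns and Mix Rows layers described above, as an added example (not the chapter's code and not the Whirlpool reference implementation) over an 8×8 row-oriented byte state. It follows Table 6.2 in applying the circulant matrix as a right multiplication of each state row, uses the 0x11D polynomial for the GF(2^8) arithmetic, and includes a single-byte state so the diffusion of one input byte across its whole row can be traced.

```python
from typing import List

State = List[List[int]]  # 8x8 byte matrix, row-oriented as in W

W_POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1; AES reduces by 0x11B instead

# First row of the circulant MDS matrix C (Table 6.2); row k is it rotated right by k.
MDS_ROW0 = (0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09)
C_MATRIX = [[MDS_ROW0[(j - k) % 8] for j in range(8)] for k in range(8)]


def gf_mul(a: int, b: int, poly: int = W_POLY) -> int:
    """Multiply two bytes in GF(2^8) reduced by the given irreducible polynomial."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return product


def shift_columns(state: State) -> State:
    """SC: column j is rotated downward by j positions, so column 0 is unchanged."""
    return [[state[(i - j) % 8][j] for j in range(8)] for i in range(8)]


def mix_rows(state: State) -> State:
    """MR: each row (as a vector) is multiplied on the right by C, so every output
    byte of a row depends on all eight input bytes of that row."""
    out = []
    for row in state:
        new_row = []
        for j in range(8):
            acc = 0
            for k in range(8):
                acc ^= gf_mul(row[k], C_MATRIX[k][j])
            new_row.append(acc)
        out.append(new_row)
    return out


def linear_layers(state: State) -> State:
    """The permutation and diffusion layers of one W round (SB and AK omitted)."""
    return mix_rows(shift_columns(state))


def single_byte_state(value: int, row: int = 0, col: int = 0) -> State:
    """An all-zero state with one nonzero byte, handy for tracing diffusion."""
    state = [[0] * 8 for _ in range(8)]
    state[row][col] = value
    return state
```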

Whirlpool Performance and Security

The design of Whirlpool sets the following security goals. Assume we take as the hash result the value of any n-bit substring of the full Whirlpool output:

- The expected workload of generating a collision is of the order of 2^(n/2) executions of Whirlpool.
- Given an n-bit value, the expected workload of finding a message that hashes to that value is of the order of 2^n executions of Whirlpool.
- Given a message and its n-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2^n executions of Whirlpool.
- It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks).

6.4 New Whirlpool Hash Structure

In this new Whirlpool hash structure, most of the structure is the same as the existing Whirlpool structure, except for the S-box generation.

In this structure we introduce a dynamic S-box generated by using two keys, namely a Permute Key and an Auxiliary Key. Depending on the permute key, the initial permutation of the S-box entries is modified. Using the auxiliary key, the affine transformation constants, namely the matrix A, the constant C and the irreducible polynomial m, are calculated. The dynamic S-box is then constructed by using the affine transformation y = Ax ⊕ C (mod m). The steps to generate the dynamic S-box are as follows:

- Select a permute key of variable length from 1 byte to 256 bytes.
- Initialize an array S[256] with 00h to ffh.
- Initialize another array T[256] using the secret key. If the key length is less than 256 bytes, repeatedly copy the key bytes up to the last element of the array.
- Perform the initial permutation using T as follows:

      j = 0;
      for i = 0 to 255 do
          j = (j + S[i]) mod 256;
          swap(S[i], S[j]);
      end;

- Construct an 8×8 non-singular matrix A with entries in GF(2), depending on the auxiliary key.

- Using the affine transformation y = Ax ⊕ C (mod m), construct the S-box. First convert the S array into a new S array by finding the multiplicative inverse of each element, using a key-dependent irreducible polynomial m. The constant C is calculated using the key.
- The remaining procedure is as in the existing Whirlpool hash generation.

6.5 Advantages Over the Whirlpool Hash Function

- The expected workload of generating a collision is of the order of 2^(128+1638) = 2^1766.
- Given a 512-bit hash value, the expected workload of finding a message that hashes to that value is of the order of 2^(512+1638) = 2^2150 executions of the new hash function.
- Given a message and its 512-bit hash result, the expected workload of finding a second message that hashes to the same value is of the order of 2^(512+1638) = 2^2150 executions of the new hash function.
- It is infeasible to detect systematic correlations between any linear combination of input bits and any linear combination of bits of the hash result, or to predict what bits of the hash result will change value when certain input bits are flipped (this means resistance against linear and differential attacks).

Table 6.3: Comparison of W and New W block ciphers

                          W block cipher                                  New W block cipher
Block size (bits)         512                                             512
Key size (bits)           512                                             512
Matrix orientation        Input is mapped row-wise                        Input is mapped row-wise
Number of rounds          10                                              10
Key expansion             W round function                                W round function
GF(2^8) polynomial        x^8 + x^4 + x^3 + x^2 + 1 (11Dh)                Key-dependent irreducible polynomial
Origin of S-box           Recursive structure                             Multiplicative inverse in GF(2^8) + key-dependent affine transformation
Origin of round constants Successive entries of the S-box                 Successive entries of the S-box
Diffusion layer           Right multiplication by 8×8 circulant MDS       Right multiplication by 8×8 circulant MDS
                          matrix (1, 1, 4, 1, 8, 5, 2, 9) - mix rows      matrix (1, 1, 4, 1, 8, 5, 2, 9) - mix rows
Permutation               Shift columns                                   Shift columns

6.6 Results

The modified hash function is constructed with the key-dependent S-box and tested with text files of different sizes. It is found that a single bit change in the text, or a single bit change in any one key (secret key/permute key/auxiliary key), changes the hash value to a great extent. Some of the results are tabulated in Table 6.4 and Table 6.5.

Table 6.4: Hash value for text file 1 (512-bit hash value for a text of 2196 bytes). Rows: Original text; Last bit changed; Initial bit changed; Change in one key bit.

Table 6.5: Hash value for text file 2 (512-bit hash value for a text of 7 bytes). Rows: Original text; Last bit changed; Initial bit changed; Change in one key bit.

6.7 Conclusion

Implementations of the new hash algorithm with key-dependent S-box were developed and tested on various kinds of data. Typically, data in the form of text, image or audio is encrypted and then a corresponding message digest is generated using the new hash function. In each case a single bit of data was changed and a new hash was generated, and it was found that the message digest was completely different in each case.
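The key-dependent S-box generation of Section 6.4, as an added Python example that is not the thesis' implementation. The chapter does not specify how the auxiliary key yields the matrix A, the constant C or the polynomial m, so those derivations are assumptions of this example, as is adding T[i] into the update of j in the initial permutation; the example also carries the two checks a reviewer would want, that m is actually irreducible and A actually non-singular, and finally confirms that the result is a permutation of all 256 byte values, which is what makes it usable as an S-box.

```python
from typing import List


def gf_mul(a: int, b: int, m: int) -> int:
    """Multiply in GF(2^8) modulo the irreducible polynomial m (a 9-bit value)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= m
        b >>= 1
    return product


def poly_mod(a: int, m: int) -> int:
    """Remainder of a divided by m, both binary polynomials held as bit masks."""
    while a and a.bit_length() >= m.bit_length():
        a ^= m << (a.bit_length() - m.bit_length())
    return a


def is_irreducible_deg8(p: int) -> bool:
    """A degree-8 polynomial is irreducible iff no polynomial of degree 1..4 divides it."""
    return p.bit_length() == 9 and all(poly_mod(p, d) for d in range(2, 32))


# All 30 irreducible degree-8 polynomials; 0x11D (W) and 0x11B (AES) are among them.
IRREDUCIBLE_DEG8 = [p for p in range(0x100, 0x200) if is_irreducible_deg8(p)]


def key_polynomial(aux_key: bytes) -> int:
    """Assumed derivation: the auxiliary key selects the irreducible polynomial m."""
    return IRREDUCIBLE_DEG8[sum(aux_key) % len(IRREDUCIBLE_DEG8)]


def gf_inv(x: int, m: int) -> int:
    """Multiplicative inverse in GF(2^8)/m by exhaustive search; 0 maps to 0 as in AES."""
    return 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y, m) == 1)


def gf2_rank(rows: List[int]) -> int:
    """Rank over GF(2) of a matrix given as 8-bit row masks (Gaussian elimination)."""
    rows, rank = list(rows), 0
    for bit in range(8):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def key_matrix(aux_key: bytes) -> List[int]:
    """Assumed derivation of the non-singular 8x8 GF(2) matrix A: start from the
    identity and apply key-driven row additions and swaps; these are elementary
    row operations, so A stays invertible. Bit k of rows[r] is A[r][k]."""
    rows = [1 << r for r in range(8)]
    for b in aux_key:
        r, s = b >> 5, (b >> 2) & 7
        if r != s:
            rows[r] ^= rows[s]
        rows[b & 7], rows[(b >> 1) & 7] = rows[(b >> 1) & 7], rows[b & 7]
    return rows


def affine(x: int, a_rows: List[int], c: int) -> int:
    """y = A x XOR c over GF(2): bit r of y is the parity of (row r of A) AND x."""
    y = 0
    for r in range(8):
        if bin(a_rows[r] & x).count("1") & 1:
            y |= 1 << r
    return y ^ c


def permuted_table(permute_key: bytes) -> List[int]:
    """Section 6.4 initial permutation: S = 00h..ffh, T = permute key repeated to
    256 bytes. Adding T[i] into the update of j is an assumption of this example
    (the text says the permutation uses T; RC4-style key scheduling does the same)."""
    if not 1 <= len(permute_key) <= 256:
        raise ValueError("permute key must be 1 to 256 bytes long")
    s = list(range(256))
    t = [permute_key[i % len(permute_key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def dynamic_sbox(permute_key: bytes, aux_key: bytes) -> List[int]:
    """Key-dependent S-box: permute with the permute key, invert each entry in
    GF(2^8)/m, then apply y = Ax + c; m, A and c all come from the auxiliary key."""
    m, a_rows = key_polynomial(aux_key), key_matrix(aux_key)
    c = sum(aux_key) & 0xFF  # assumed derivation of the constant C
    assert gf2_rank(a_rows) == 8, "A must be non-singular for the S-box to be bijective"
    return [affine(gf_inv(x, m), a_rows, c) for x in permuted_table(permute_key)]


def is_permutation(sbox: List[int]) -> bool:
    """Every byte value must appear exactly once, or the S-box is not invertible."""
    return sorted(sbox) == list(range(256))
```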