11.1.2 Message and Message Digest
The electronic equivalent of the document and fingerprint pair is the message and digest pair.
Figure 11.1 Message and digest
11.1.4 Checking Integrity
Figure 11.2 Checking integrity
11.1.5 Cryptographic Hash Function Criteria
A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance.
Figure 11.3 Criteria of a cryptographic hash function
Preimage Resistance
Figure 11.4 Preimage
Second Preimage Resistance
Figure 11.5 Second preimage
Collision Resistance
Figure 11.6 Collision
12.1.1 Iterated Hash Function
Merkle-Damgard Scheme
Figure 12.1 Merkle-Damgard scheme
SHA-512
SHA-512 is the version of SHA with a 512-bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme.
Topics discussed in this section:
Introduction
Compression Function
12.2.1 Introduction
Figure 12.6 Message digest creation SHA-512
Message Preparation
SHA-512 insists that the length of the original message be less than 2^128 bits.
Note: SHA-512 creates a 512-bit message digest out of a message less than 2^128.
Example 12.1
This example shows that the message length limitation of SHA-512 is not a serious problem. Suppose we need to send a message that is 2^128 bits in length. How long does it take for a communications network with a data rate of 2^64 bits per second to send this message?
Solution
A communications network that can send 2^64 bits per second is not yet available. Even if it were, it would take many years to send this message. This tells us that we do not need to worry about the SHA-512 message length restriction.
Example 12.2
This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2^128 bits?
Solution
Suppose that a character is 32, or 2^6, bits. Each page is less than 2048, or approximately 2^12, characters. So 2^128 bits need at least 2^128 / 2^18, or 2^110, pages. This again shows that we need not worry about the message length restriction.
Figure 12.7 Padding and length field in SHA-512
Example 12.3
What is the number of padding bits if the length of the original message is 2590 bits?
Solution
We can calculate the number of padding bits as follows:
The padding consists of one 1 followed by 353 0’s.
Example 12.4
Do we need padding if the length of the original message is already a multiple of 1024 bits?
Solution
Yes we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits.
Example 12.5
What is the minimum and maximum number of padding bits that can be added to a message?
Solution
a. The minimum length of padding is 0 and it happens when (−|M| − 128) mod 1024 is 0. This means that |M| = −128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits. We add a 128-bit length field to make the block complete.
b. The maximum length of padding is 1023 and it happens when (−|M| − 128) = 1023 mod 1024. This means that the length of the original message is |M| = (−128 − 1023) mod 1024 or the length is |M| = 897 mod 1024. In this case, we cannot just add the length field because the length of the last block exceeds one bit more than 1024. So we need to add 897 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete.
Words
Figure 12.8 A message block and the digest as words
Word Expansion
Figure 12.9 Word expansion in SHA-512
Example 12.6
Show how W60 is made.
Solution
Each word in the range W16 to W79 is made from four previously-made words. W60 is made as
Message Digest Initialization
12.2.2 Compression Function
Figure 12.10 Compression function in SHA-512
Figure 12.11 Structure of each round in SHA-512
Majority Function
Conditional Function
Rotate Functions
There are 80 constants, K0 to K79, each of 64 bits. Similar
These values are calculated from the first 80 prime numbers (2, 3,…, 409). For example, the 80th prime is 409, with the cubic root (409)^(1/3) = 7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get
The fraction part: (6C44198C4A475817)_16
Example 12.7
We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.
The result is 1110, or 0xE in hexadecimal.
Example 12.8
We apply the Conditional function on E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.
12.2.3 Analysis
With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks.
MD5
• designed by Ronald Rivest (the R in RSA)
• latest in a series of MD2, MD4
• produces a 128-bit hash value
• until recently was the most widely used hash algorithm
• in recent times have both brute-force & cryptanalytic concerns
• specified as Internet standard RFC1321
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
   • using 4 rounds of 16 bit operations on message block & buffer
   • add output to buffer input to form new buffer value
5. output hash value is the final buffer value
MD5 Compression Function
• each round has 16 steps of the form:
  a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
• a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
  • note this updates 1 word only of the buffer
  • after 16 steps each word is updated 4 times
• where g(b,c,d) is a different nonlinear function in each round (F,G,H,I)
• T[i] is a constant value derived from sin
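The step a = b+((a+g(b,c,d)+X[k]+T[i])<<<s) carried through all 64 steps, together with the padding and buffer update from the overview, as an added Python example that is not part of the original slides. Helper names are chosen here; the shift amounts, message-word order and initial buffer values, which the slides do not list, are taken from RFC 1321.

```python
# Added example: helper names are assumptions made here, not from the slides.
import math
import struct

M32 = 0xFFFFFFFF
# T[i]: integer part of 2^32 * |sin(i + 1)|, argument in radians (RFC 1321).
T = [int(abs(math.sin(i + 1)) * 2**32) & M32 for i in range(64)]
# Left-rotation amounts s: four per round, each pattern used four times.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

def rotl(x, s):
    x &= M32                      # reduce mod 2^32 before rotating
    return ((x << s) | (x >> (32 - s))) & M32

def step_inputs(i, b, c, d):
    """Return (g(b,c,d), k) for step i: round function value and word index."""
    if i < 16:
        return (b & c) | (~b & d), i                  # round 1: F
    if i < 32:
        return (d & b) | (~d & c), (5 * i + 1) % 16   # round 2: G
    if i < 48:
        return b ^ c ^ d, (3 * i + 5) % 16            # round 3: H
    return c ^ (b | ~d), (7 * i) % 16                 # round 4: I

def md5_pad(message):
    """Pad to 448 mod 512 bits, then append the 64-bit little-endian length."""
    zeros = (55 - len(message)) % 64
    length = (8 * len(message)) & (2**64 - 1)
    return message + b"\x80" + b"\x00" * zeros + struct.pack("<Q", length)

def md5_compress(buffer, block):
    X = struct.unpack("<16I", block)          # 16 little-endian 32-bit words
    a, b, c, d = buffer
    for i in range(64):
        g, k = step_inputs(i, b, c, d)
        # One word is updated per step; the roles of a, b, c, d then rotate.
        a, b, c, d = d, (b + rotl(a + g + X[k] + T[i], S[i])) & M32, b, c
    # Add the round output to the buffer input to form the new buffer value.
    return tuple((x + y) & M32 for x, y in zip(buffer, (a, b, c, d)))

def md5(message):
    buffer = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        buffer = md5_compress(buffer, padded[off:off + 64])
    return struct.pack("<4I", *buffer)
```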
Strength of MD5
• MD5 hash is dependent on all message bits
• Rivest claims security is good as can be
• known attacks are:
  • Berson 92 attacked any 1 round using differential cryptanalysis (but can’t extend)
  • Boer & Bosselaers 93 found a pseudo collision (again unable to extend)
  • Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit)
• conclusion is that MD5 looks vulnerable soon
Chapter 7-Hash-Function in Cryptography.ppt


Editor's Notes

  • #31: MD5 is the current, and very widely used, member of Rivest’s family of hash functions.
  • #32: The padded message is broken into 512-bit blocks, processed along with the buffer value using 4 rounds, and the result added to the input buffer to make the new buffer value. Repeat till run out of message, and use final buffer value as hash. nb. due to padding always have a full final block (with length in it).
  • #33: Stallings Fig 12.1
  • #34: Each round mixes the buffer input with the next "word" of the message in a complex, non-linear manner. A different non-linear function is used in each of the 4 rounds (but the same function for all 16 steps in a round). The 4 buffer words (a,b,c,d) are rotated from step to step so all are used and updated. g is one of the primitive functions F,G,H,I for the 4 rounds respectively. X[k] is the kth 32-bit word in the current message block. T[i] is the ith entry in the matrix of constants T. The addition of varying constants T and the use of different shifts helps ensure it is extremely difficult to compute collisions.
  • #36: Some progress has been made analysing MD5, which along with the hash size of 128 bits means it's starting to look too small. Hence interest in hash functions that create larger hashes.