2. Encryption is a two-way function; what
is encrypted can be decrypted with the proper
key.
Hashing is a one-way function that scrambles
plain text to produce a unique message digest.
With a properly designed algorithm, there is no
way to reverse the hashing process to reveal the
original password.
3. Background
• A one-way hash function, H(M), operates on an
arbitrary-length pre-image message, M
• h = H(M), where h is of length m
• Additional characteristics:
Given M, it is easy to compute h.
Given h, it is hard to compute M such that H(M) = h.
Given M, it is hard to find another message, M’, such
that H(M) = H(M’).
• The whole point of the one-way hash function is to
provide a “fingerprint” of M that is unique
4. • But if Alice signed M by using a digital signature algorithm
on H(M), and Bob could produce M’, another message
different from M where H(M) = H(M’), then Bob could claim
that Alice signed M’.
• In some applications, “one-way”-ness is insufficient; we
need an additional requirement called collision
resistance
• It also has to be difficult to find any pair M and M’ such that H(M) =
H(M’).
• A protocol first described by Gideon Yuval shows how, if
the previous requirement were not true, Alice could use
the birthday attack to swindle Bob
6. • Most practical one-way hash functions produce 128-bit
hashes
• This forces anyone attempting the birthday attack to hash
random documents to find two that hash to the same
value, not enough for lasting security
• NIST, in its Secure Hash Standard (SHS), uses a 160-bit
hash value. This makes the birthday attack even harder,
requiring random hashes.
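The birthday bound behind these slides, as an added Python example that is not part of the original deck: `truncated_hash` is a constructed stand-in for an m-bit hash (the first m bits of SHA-256) so a collision search on a toy width finishes quickly, and `birthday_bound` gives the roughly 2^(m/2) work factor that makes a 128-bit digest marginal and a 160-bit one harder.

```python
import hashlib
import math


def truncated_hash(data: bytes, m_bits: int) -> int:
    """Constructed stand-in for an m-bit hash: the first m bits of SHA-256."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - m_bits)


def birthday_bound(m_bits: int) -> float:
    """Expected number of random documents hashed before two share an
    m-bit value: about sqrt(pi/2) * 2^(m/2), i.e. roughly 2^(m/2)."""
    return math.sqrt(math.pi / 2) * 2 ** (m_bits / 2)


def find_collision(m_bits: int):
    """Hash distinct constructed documents until two share the truncated
    hash value; returns (doc_a, doc_b, trials). Feasible only for small m,
    which is exactly the point: the work grows as 2^(m/2), not 2^m."""
    seen = {}
    trials = 0
    while True:
        doc = b"document-%d" % trials      # constructed "random documents"
        trials += 1
        h = truncated_hash(doc, m_bits)
        if h in seen:
            return seen[h], doc, trials
        seen[h] = doc


if __name__ == "__main__":
    for m in (128, 160):
        print("m =", m, "birthday work ~ 2^%.1f" % math.log2(birthday_bound(m)))
    a, b, n = find_collision(24)
    print("24-bit collision after", n, "hashes:", a, b)
```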
7. Overview
[Figure: block diagram of the compression function; inputs M_i and h_i-1, output h_i, box labelled "One Way Function"]
• One-way hash functions are built on the idea of a
compression function
• The inputs to the compression function are a message
block and the output of the previous blocks of text.
8. • The output is the hash of all blocks up to that point. That
is, the hash of block M_i is
h_i = f(M_i, h_i-1)
• The hash of the entire message is the hash of the last
block
• The pre-image should contain some kind of binary
representation of the length of the entire message.
• This technique overcomes a potential security problem
resulting from messages with different lengths possibly
hashing to the same value. This technique is sometimes
called MD-strengthening
9. Snefru
Snefru is a one-way hash function designed by Ralph
Merkle. (Snefru, like Khufu and Khafre, was an
Egyptian pharaoh.)
Snefru hashes arbitrary-length messages into either
128-bit or 256-bit values.
The heart of the algorithm is function H, which hashes
a 512-bit value into an m-bit value.
11. First the message is broken into chunks, each 512-m bits
in length. (The variable m is the length of the hash value.)
If the output is a 128-bit hash value, then the chunks are each
384 bits long; if the output is a 256-bit hash value, then the
chunks are each 256 bits long.
The first m bits of H’s output are the hash of the block; the
rest are discarded. The next block is appended to the hash of
the previous block and hashed again.
After the last block (if the message isn’t an integer
number of blocks long, zeros are used to pad the last
block), the first m bits are appended to a binary
representation of the length of the message and hashed
one final time.
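The chaining described in slides 8 and 11, as an added Python example that is not Merkle's Snefru code: `E` is an assumed stand-in (a 4-round Feistel network with SHA-256 as round function, reversible like Snefru's E but otherwise unrelated), `H` takes the last m bits of E(x) XORed with the first m bits of x, and `snefru_like` chains H over 512-m bit chunks with zero padding and the final length block. The `strengthen=False` switch shows why MD-strengthening is needed: without the length block, a message and the same message with a trailing zero byte hash identically.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(block: bytes) -> bytes:
    """Assumed stand-in for Snefru's reversible 512-bit function E: a 4-round
    Feistel network with SHA-256 as the round function. NOT Merkle's E."""
    assert len(block) == 64
    left, right = block[:32], block[32:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(bytes([rnd]) + right).digest())
    return left + right


def E_inverse(block: bytes) -> bytes:
    """Undo E round by round, showing that E really is reversible."""
    left, right = block[:32], block[32:]
    for rnd in reversed(range(4)):
        left, right = xor(right, hashlib.sha256(bytes([rnd]) + left).digest()), left
    return left + right


def H(x: bytes, m_bits: int) -> bytes:
    """Snefru's H: the last m bits of E(x) XORed with the first m bits of x."""
    m = m_bits // 8
    return xor(E(x)[-m:], x[:m])


def snefru_like(message: bytes, m_bits: int = 128, strengthen: bool = True) -> bytes:
    """Chain H over (512 - m)-bit chunks; strengthen=False omits the final
    length block so the zero-padding weakness becomes visible."""
    m = m_bits // 8
    chunk = 64 - m                            # bytes per message chunk
    h = bytes(m)                              # initial value (assumption: all zeros)
    for i in range(0, max(len(message), 1), chunk):
        piece = message[i:i + chunk].ljust(chunk, b"\x00")  # zero-pad the last block
        h = H(h + piece, m_bits)              # previous hash || next block
    if strengthen:
        # MD-strengthening: append the bit length of the message, hash once more
        length_block = (8 * len(message)).to_bytes(chunk, "big")
        h = H(h + length_block, m_bits)
    return h


if __name__ == "__main__":
    print("collide without length block:",
          snefru_like(b"abc", strengthen=False) == snefru_like(b"abc\x00", strengthen=False))
    print("collide with length block:   ",
          snefru_like(b"abc") == snefru_like(b"abc\x00"))
```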
12. Function H is based on E, which is a reversible block-cipher
function that operates on 512-bit blocks. H is the
last m bits of the output of E XORed with the first m bits of
the input of E.
The security of Snefru resides in function E, which
randomizes data in several passes.
Each pass is composed of 64 randomizing rounds. In each
round a different byte of the data is used as an input to an
S-box.
The output word of the S-box is XORed with two
neighboring words of the message.
13. Cryptanalysis of Snefru
Using differential cryptanalysis, Biham and Shamir
demonstrated the insecurity of two-pass Snefru (128-
bit hash value). Their attack finds pairs of messages
that hash to the same value within minutes.
On 128-bit Snefru, their attacks work better than brute
force for four passes or less.
Although Biham and Shamir didn’t analyze 256-bit
hash values, they extended their analysis to 224-bit
hash values.
14. N-Hash
N-Hash is an algorithm invented by researchers
at Nippon Telephone and Telegraph
N-Hash uses 128-bit message blocks, a
complicated randomizing function similar to
FEAL’s, and produces a 128-bit hash value.
The hash of each 128-bit block is a function of the
block and the hash of the previous block.
15. N-Hash
The EXG function swaps the upper and
lower digits of h_i-1.
It is then XORed with a repeating
one/zero pattern (128 bits worth), V.
The result is successively fed to the
transforming function (PS) whose
second input is V_j with j ranging
from 1 to N.
The obtained result is then XORed
with h_i-1 and the message M_i.
16. Single Processing Stage
The message block is broken into four 32-
bit values X.
The previous hash value is also broken into
four 32-bit values P.
The output of this block is calculated as
follows:
The final output of the equation is as
follows:
17. The f Function:
The function f operates on a 32-bit word, which is
represented by
The 32-bit word is broken into 4 parts of 8 bits each.
First, the 32-bit X and P are XORed with each other.
The function and are represented as follows
The final output of the function is as follows
[Figure: f function diagram; recovered labels A1, A2, A3(A2, Z3Z4)]
The final output A is given by concatenating A1 to A4.
18. Cryptanalysis of N-Hash
Bert den Boer discovered a way to produce collisions in the
round function of N-Hash.
Biham and Shamir used differential cryptanalysis to break 6-round
N-Hash.
Their particular attack works for any N that is divisible by 3,
and is more efficient than the birthday attack for any N less
than 15.
The same attack can find pairs of messages that hash to the
same value for 12-round N-Hash in 2^56
operations.
N-Hash with 15 rounds is safe from differential cryptanalysis:
the attack requires 2^72
operations.
19. MD-4
MD4 is a one-way hash function designed by Ron Rivest. MD stands for
Message Digest; the algorithm produces a 128-bit hash, or message
digest, of the input message.
Rivest outlined the following goals for his algorithm:
Security. It is computationally infeasible to find two messages that hash
to the same value.
Direct Security. MD4’s security is not based on any assumption, like the
difficulty of factoring.
Speed. MD4 is suitable for high-speed software implementations.
Simplicity and Compactness. MD4 is as simple as possible, without large
data structures or a complicated program.
Favor Little-Endian Architectures. MD4 is optimized for microprocessor
architectures (specifically Intel microprocessors); larger and faster
computers make any necessary translations.
20. MD-4: Cryptanalysis
Bert den Boer and Antoon Bosselaers
successfully cryptanalyzed the last two of the
algorithm’s three rounds.
Ralph Merkle successfully attacked the first two
rounds.
Eli Biham discussed a differential cryptanalysis
attack against the first two rounds of MD4.
These attacks could not be extended to the full
algorithm.