ebook img

HAVAL — A One-Way Hashing Algorithm with Variable Length of Output (Extended Abstract) PDF

19 Pages·1993·0.2 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview HAVAL — A One-Way Hashing Algorithm with Variable Length of Output (Extended Abstract)

Appeared in “Advances in Cryptology — AUSCRYPT’92,” Lecture Notes in Computer Science, Vol.718, pp.83-104, Springer-Verlag, 1993. HAVAL — A One-Way Hashing Algorithm with Variable Length of Output (Extended Abstract) Yuliang Zheng ?, Josef Pieprzyk ?? and Jennifer Seberry ??? Department of Computer Science University of Wollongong, Wollongong, NSW 2522, Australia E-mail: {yuliang, josef, jennie}@cs.uow.edu.au Abstract. A one-way hashing algorithm is a deterministic algorithm thatcompressesanarbitrarylongmessageintoavalueofspecifiedlength. The output value represents the digest or fingerprint of the message. A cryptographicallyusefulpropertyofaone-wayhashingalgorithmisthat it is infeasible to find two distinct messages that have the same digest. Thispaperproposesaone-wayhashingalgorithmcalledHAVAL.HAVAL compresses a message of arbitrary length into a digest of 128, 160, 192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the numberofpassesamessageblock(of1024bits)isprocessed.Amessage block can be processed in 3, 4 or 5 passes. By combining output length with pass, we can provide fifteen (15) choices for practical applications where different levels of security are required. The algorithm is very efficientandparticularlysuitedfor32-bitcomputerswhichpredominate the current workstation market. Experiments show that HAVAL is 60% fasterthanMD5when3passesarerequired,15%fasterthanMD5when 4passesarerequired,andasfastasMD5whenfull5passesarerequired. Itisconjecturedthatfindingtwocollisionmessagesrequirestheorderof 2n/2 operations, where n is the number of bits in a digest. 1 Introduction A one-way hashing algorithm is a deterministic algorithm that compresses an arbitrarily long message into a value of specified length. The output value rep- resents the digest or fingerprint of the input message. A very useful prop- erty of a one-way hashing algorithm is that it is collision intractable, i.e., it ? Supported in part by the Australian Research Council under the reference number A49232172. ?? Supported in part by the Australian Research Council under the reference number A49131885. ??? Supported in part by the Australian Research Council under the reference numbers A49130102, A9030136, A49131885 and A49232172. is computationally infeasible to find a pair of messages that have the same digest. One-way hashing algorithms are widely used in information authenti- cation, in particular, in digital signature, and have received extensive research since the invention of public key cryptography by Diffie and Hellman[DH76] and by Merkle[Mer78]. Theoretical results on one-way hashing algorithms were obtained by Damg˚ard[Dam87, Dam90]. Results on a weaker version of one- way hashing algorithms, universal one-way hashing algorithms, can be found in[NY89, ZMI91, Rom90]. Recently much progress has been made in the design of practical one-way hashing algorithms which are suited for efficient implementation by software. Notable work includes the MD family which consists of three algorithms MD2, MD4andMD5[Kal92,Riv92a,Riv92b],thefederalinformationprocessingstan- dardforsecurehash(SHS)proposedbytheNationalInstituteofStandardsand Technology (NIST) of the United States[NIS92], and Schnorr’s hashing algo- rithmFFT-HashbasedonfastFouriertransformations[Sch92,Vau92].Allthese algorithmsoutputdigestsoffixedlength.Inparticular,digestsofFFT-Hashand the algorithms in the MD family are of 128 bits, while digests of SHS are of 160 bits which is designed primarily for NIST’s proposed digital signature standard DSS[NIS91]. Despite the progress, little work has been done in the design of one-way hashing algorithms that can output digests of variable length. Such an algo- rithm would be more flexible and hence more suited for various applications where variable length digests are required. The aim of this research is to de- sign a one-way hashing algorithm that can output digests of 128, 160, 192, 224 or 256 bits. These different lengths for digests provide practical applications with a broad spectrum of choices. The algorithm, which we call HAVAL, uses some of the principles behind the design of the MD family. In addition, HAVAL makes an elegant use of Boolean functions recently discovered by Seberry and Zhang[SZ92]. These functions have nice properties which include 1. they are 0-1 balanced, 2. they are highly non-linear, 3. they satisfy the Strict Avalanche Criterion (SAC), 4. they can not be transformed into one another by applying linear transfor- mation to the input coordinates and 5. they are not mutually correlated via linear functions or via bias in output. In addition, the number of passes each 1024-bit block of an input message is processed can be 3, 4 or 5. This adds one more dimension of flexibility to the algorithm.Combinationofthetwovariableparameters,passandoutputlength, provides practical applications with fifteen different levels of security. When compared with MD2, MD4, SHS and FFT-Hash, MD5 is considered much superior in terms of speed and security. In particular, MD5 is about 15% fasterthanSHS(Seeforexamplethenotepostedonthesci.cryptnewsgroup by Kevin McCurley, 5 September 1992), although the latter is very likely to become a standard. Our preliminary experiments show that HAVAL is at least 60% faster than MD5 when 3 passes are required, at least 15% faster than MD5 when 4 passes are required, and about as fast as MD5 when full 5 passes are required. Detailed specifications of HAVAL are presented in Section2. Section3 dis- cusses rationale behind the design of HAVAL. This is followed by a discussion about security issues of HAVAL in Section4. Extensions of HAVAL in several directionsarediscussedinSection5.Finally,Section6presentssomeconcluding remarks. 2 Specifications of HAVAL We begin with a general description of the algorithm. Detailed specifications of all parts of the algorithm follows. Firstweintroduceafewnotationsandconventions.Weconsider,unlessoth- erwisespecified,strings(orsequences)onGF(2).Throughoutthepaper,asingle bit from GF(2) will be denoted by a lower case letter, while a string of bits on GF(2)willbedenotedbyauppercaseletter.Abyte isastringof8bits,aword isastringof4bytes(32bits)andablock istheconcatenationof32words(1024 bits). We assume that the most significant bit of a byte appears at the left end of the byte. Similarly we assume that the most significant byte of a word comes at the left end of the word, and the most significant word of a block appears at the left end of the block. Note that a binary string X =x x ···x can be n−1 n−2 0 viewedasanintegerwhosevalueisI =x 2n−1+x 2n−2+···+x 20.Con- X n−1 n−2 0 versely an integer I can also be viewed as a binary string X =x x ···x I n−1 n−2 0 with I =x 2n−1+x 2n−2+···+x 20. n−1 n−2 0 The modulo 2 multiplication and modulo 2 addition of x ,x ∈ GF(2) are 1 2 denotedbyx x andx ⊕x respectively.Thebit-wisemodulo2additionopera- 1 2 1 2 tionoftwobinarystringsS andS ofthesamelengthisdenotedbyS ⊕S ,and 1 2 1 2 the bit-wise modulo 2 multiplication of the two strings S and S is denoted by 1 2 S •S .Notethat•hasprecedenceover⊕incomputation.Anothernotation 1 2 + is also used in the specifications. Assume that S =W W ···W and 1 1,n−1 1,n−2 1,0 S =W W ···W ,whereeachW isa32-bitword,theword-wisein- 2 2,n−1 2,n−2 2,0 i,j tegeradditionmodulo232ofthetwostringsisdenotedbyS S ,i.e.,S S = 1 + 2 1 + 2 (W +W mod232)(W +W mod232)···(W +W mod232). 1,n−1 2,n−1 1,n−2 2,n−2 1,0 2,0 Note that in the definition of we have viewed each W as an integer in + i,j [0,232−1]. Given a message M to be compressed, HAVAL pads (extends) M first. The length of (i.e., the number of bits in) the message after padding is a multiple of 1024, and padding is always applied even when the length of M is already a multiple of 1024. The last block of the padded message contains the number of bits in the unpadded message, the required number of bits in the digest and the number of passes each message block is processed. It also indicates the version number of HAVAL. The current version number is 1. Now suppose that the padded message is B B ···B , where each B n−1 n−2 0 i is a 1024-bit block. HAVAL starts from the block B and a 8-word (256-bit) 0 constant string D =D D ···D , which is taken from the fraction part of 0 0,7 0,6 0,0 π = 3.1415..., and processes the message B B ···B in a block-by-block n−1 n−2 0 way. More precisely, it compresses the message by repeatedly calculating D =H(D ,B ) i+1 i i whereirangesfrom0ton−1andH iscalledtheupdatingalgorithmofHAVAL. See Section2.4 for the actual values of the 8 constant 32-bit words D , D , 0,7 0,6 ···, D . 0,0 Finally, HAVAL adjusts, if necessary, the last 256-bit string D into a string n of the length specified in the last block B , and outputs the adjusted string n−1 as the digest of the message M. In summary, HAVAL processes a message M in the following three steps: 1. Pad the message M so that its length becomes a multiple of 1024. The last (or the most significant) block of the padded message indicates the length of the original (unpadded) message M, the required length of the digest of M, the number of passes each block is processed and the version number of HAVAL. 2. Calculate repeatedly D =H(D ,B ) for i from 0 to n−1, where D is a i+1 i i 0 8-word (256-bit) constant string and n is the total number of blocks in the padded message. 3. Adjust the 256-bit value D obtained in the above calculation according to n the digest length specified in the last block B , and output the adjusted n−1 value as the digest of the message M. These three steps are described in more detail in the following sections. 2.1 Padding Thepurposeofpaddingistwo-fold:tomakethelengthofamessagebeamultiple of 1024 and to let the message indicate the length of the original message, the required number of bits in the digest, the number of passes and the version number of HAVAL. HAVAL uses a 64-bit field MSGLENG to specify the length of an unpadded message. Thus messages of up to (264 −1) bits are accepted, which is long enough for practical applications. HAVAL also uses a 10-bit field DGSTLENG to specify the required number of bits in a digest. In addition HAVAL uses a 3-bit field PASS to specify the number of passes each message block is processed, and another 3-bit field VERSION to indicate the version numberofHAVAL.Thenumberofbitsinadigestcanbe128,160,192,224and 256, while the number of passes can be 3, 4 and 5. The current version number of HAVAL is 1. HAVAL pads a message by appending a single bit 1 next to the most sig- nificant bit of the message, followed by zero or more bit 0s until the length of the (new) message is 944 modulo 1024. Then, HAVAL appends to the mes- sage the 3-bit field VERSION, followed by the 3-bit field PASS, the 10-bit field DGSTLENG and the 64-bit field MSGLENG. 2.2 The Updating Algorithm H TheupdatingalgorithmH processesablockin3,4or5passes,whichisspecified by the 3-bit field PASS in the last block. Denote by H , H , H , H and H the 1 2 3 4 5 five passes. Now suppose that the input to H is (D ,B), here D is a 8-word in in string and B is a 32-word (1024-bit) block. Let D denote the 8-word output out of H on input (D ,B). Then processing of H can be described in th following in way. E =D ; 0 in E =H (E ,B); 1 1 0 E =H (E ,B); 2 2 1 E =H (E ,B); 3 3 2 E =H (E ,B); (if PASS=4, 5) 4 4 3 E =H (E ,B); (if PASS=5) 5 5 4  E E if PASS=3  3 + 0 D = E E if PASS=4 out 4 + 0 E E if PASS=5 5 + 0 Each of the five passes H , H , H , H and H has 32 rounds of operations 1 2 3 4 5 and each round processes a different word from B. The orders in which the wordsinB areprocesseddifferfrompasstopass.Inaddition,eachpassemploys a different Boolean function to perform bit-wise operations on words. The five functions employed by H , H , H , H and H are: 1 2 3 4 5 f (x ,x ,x ,x ,x ,x ,x )=x x ⊕x x ⊕x x ⊕x x ⊕x 1 6 5 4 3 2 1 0 1 4 2 5 3 6 0 1 0 f (x ,x ,x ,x ,x ,x ,x )=x x x ⊕x x x ⊕x x ⊕x x ⊕ 2 6 5 4 3 2 1 0 1 2 3 2 4 5 1 2 1 4 x x ⊕x x ⊕x x ⊕x x ⊕x 2 6 3 5 4 5 0 2 0 f (x ,x ,x ,x ,x ,x ,x )=x x x ⊕x x ⊕x x ⊕x x ⊕x x ⊕x 3 6 5 4 3 2 1 0 1 2 3 1 4 2 5 3 6 0 3 0 f (x ,x ,x ,x ,x ,x ,x )=x x x ⊕x x x ⊕x x x ⊕ 4 6 5 4 3 2 1 0 1 2 3 2 4 5 3 4 6 x x ⊕x x ⊕x x ⊕x x ⊕ 1 4 2 6 3 4 3 5 x x ⊕x x ⊕x x ⊕x x ⊕x 3 6 4 5 4 6 0 4 0 f (x ,x ,x ,x ,x ,x ,x )=x x ⊕x x ⊕x x ⊕x x x x ⊕x x ⊕x 5 6 5 4 3 2 1 0 1 4 2 5 3 6 0 1 2 3 0 5 0 ThesefiveBooleanfunctionshaveverynicepropertieswhentheircoordinates are permuted. This will be stated in Section3 together with rationale behind thedesignofthefunctions.ThefivepassesH ,H ,H ,H andH arespecified 1 2 3 4 5 in more detail in the following sections. Pass 1 Assume that the input to H is (E ,B), where E consists of 8 words 1 0 0 E ,E ,···,E andB of32wordsW ,W ,···,W .H processestheblock 0,7 0,6 0,0 31 30 0 1 B in a word-by-word way and transforms the input into a 8-word output E = 1 Original 0 1 2 3 4 5 6 7 8 9 101112131415 (H ) 16171819202122232425262728293031 1 ord 5 1426181128 7 16 0 232022 1 10 4 8 2 (H ) 30 3 21 9 172429 6 19121513 2 253127 2 ord 19 9 4 202817 8 222914251224301626 3 (H ) 3115 7 3 1 0 182713 6 21102311 5 2 3 ord 24 4 0 14 2 7 282326 6 3020182519 3 4 (H ) 22113121 8 2712 9 1 29 5 1517101613 4 ord 27 3 21261711202919 0 12 7 13 8 3110 5 (H ) 5 9 143018 6 2824 2 231622 4 1 2515 5 Table 1. Word Processing Orders permutations x x x x x x x 6 5 4 3 2 1 0 ↓ ↓ ↓ ↓ ↓ ↓ ↓ φ x x x x x x x 3,1 1 0 3 5 6 2 4 φ x x x x x x x 3,2 4 2 1 0 5 3 6 φ x x x x x x x 3,3 6 1 2 3 4 5 0 φ x x x x x x x 4,1 2 6 1 4 5 3 0 φ x x x x x x x 4,2 3 5 2 0 1 6 4 φ x x x x x x x 4,3 1 4 3 6 0 2 5 φ x x x x x x x 4,4 6 4 0 5 2 1 3 φ x x x x x x x 5,1 3 4 1 0 5 2 6 φ x x x x x x x 5,2 6 2 1 0 3 4 5 φ x x x x x x x 5,3 2 6 0 4 3 1 5 φ x x x x x x x 5,4 1 5 3 2 0 4 6 φ x x x x x x x 5,5 2 5 0 6 4 3 1 Table 2. Permutations on Coordinates → E E ···E . Denote by ROT(X,s) the s position rotate right operation on 1,7 1,6 1,0 a word X and by f◦g the composition of two functions f and g (g is evaluated first). Then H can be described in the following way. 1 1. Let T0,i =E0,i, 0<=i<=7. 2. Repeat the following steps for i from 0 to 31:  F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=3  1 3,1 i,6 i,5 i,4 i,3 i,2 i,1 i,0 P = F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=4 1 4,1 i,6 i,5 i,4 i,3 i,2 i,1 i,0 F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=5 1 5,1 i,6 i,5 i,4 i,3 i,2 i,1 i,0 → → R=ROT(P,7) ROT(T ,11) W ; + i,7 + i T =T ; T =T ; T =T ; T =T ; i+1,7 i,6 i+1,6 i,5 i+1,5 i,4 i+1,4 i,3 T =T ; T =T ; T =T ; T =R. i+1,3 i,2 i+1,2 i,1 i+1,1 i,0 i+1,0 3. Let E1,i =T32,i, 0<=i<=7, and output E1 =E1,7E1,6···E1,0. Note that the input to the i-th round (T ,T ,T ,T ,T ,T ,T ) is i,6 i,5 i,4 i,3 i,2 i,1 i,0 permutedaccordingtoφ (whenPASS=3),φ (whenPASS=4)orφ (when 3,1 4,1 5,1 PASS=5) before being passed to F . Here φ , φ and φ are permutations 1 3,1 4,1 5,1 on coordinates specified in Table2, where permutations employed by the other fourpassesarealsospecified.F performsbit-wiseoperationsonitsinputwords 1 according to the Boolean function f specified in Section2.2. 1 F (X ,X ,X ,X ,X ,X ,X )= 1 6 5 4 3 2 1 0 X •X ⊕X •X ⊕X •X ⊕X •X ⊕X 1 4 2 5 3 6 0 1 0 The result of F is rotated and added (modulo 232) to the rotated version of 1 T . The i-th word W in B is also added to the rotated version of T . The i,7 i i,7 sum is used to substitute (the old) T . After the substitution, the 8 words i,7 T ,T ,···,T are shifted with T being replaced by T , T by T , ..., i,7 i,6 i,0 i,7 i,6 i,6 i,5 T byT ,andT byT .Thesewordsarethenusedasinputtothe(i+1)-th i,1 i,0 i,0 i,7 round. Finally, T is output as a result. 32 Pass 2 Assume that the input to H is (E ,B). H processes the words in B 2 1 2 according to the word processing order ord specified in Table1. It employs in 2 its computation 32 constant words K ,K ,···,K , all of which are taken 2,31 2,30 2,0 fromthefractionpartofπ.Theactualvaluesoftheseconstantwordsaredefined in Section2.4. H processes the words as follows: 2 1. Let T0,i =E1,i, 0<=i<=7. 2. Repeat the following steps for i from 0 to 31:  F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=3  2 3,2 i,6 i,5 i,4 i,3 i,2 i,1 i,0 P = F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=4 2 4,2 i,6 i,5 i,4 i,3 i,2 i,1 i,0 F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=5 2 5,2 i,6 i,5 i,4 i,3 i,2 i,1 i,0 → → R=ROT(P,7) ROT(T ,11) W K ; + i,7 + ord2(i) + 2,i T =T ; T =T ; T =T ; T =T ; i+1,7 i,6 i+1,6 i,5 i+1,5 i,4 i+1,4 i,3 T =T ; T =T ; T =T ; T =R. i+1,3 i,2 i+1,2 i,1 i+1,1 i,0 i+1,0 3. Let E2,i =T32,i, 0<=i<=7, and output E2 =E2,7E2,6···E2,0. Similar to H , (T ,T ,T ,T ,T ,T ,T ) is permuted according to 1 i,6 i,5 i,4 i,3 i,2 i,1 i,0 φ ,φ orφ beforebeingpassedtoF ,whereφ ,φ andφ arespecified 3,2 4,2 5,2 2 3,2 4,2 5,2 in Table2. F performs bit-wise operations on its 7 input words according to 2 the Boolean function f : 2 F (X ,X ,X ,X ,X ,X ,X )= 2 6 5 4 3 2 1 0 X •X •X ⊕X •X •X ⊕ 1 2 3 2 4 5 X •X ⊕X •X ⊕X •X ⊕X •X ⊕X •X ⊕X •X ⊕X 1 2 1 4 2 6 3 5 4 5 0 2 0 The output value of F is rotated and added to the rotated version of T . The 2 i,7 i-th word W is also added to the rotated version of T . In addition, a ord2(i) i,7 constant K which is unique to i is added to the rotated version of T . As in 2,i i,7 H , the 8 words are shifted before proceeding to the next round of operations. 1 The output of H is the result of the last round. 2 Pass 3 The input to H is (E ,B). H processes the words in the block B 3 2 3 according to the word processing order for ord specified in Table1. H also 3 3 employs 32 constant words K ,K ,···,K , all of which are taken from 3,31 3,30 3,0 the fraction part of π. 1. Let T0,i =E2,i, 0<=i<=7. 2. Repeat the following steps for i from 0 to 31:  F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=3  3 3,3 i,6 i,5 i,4 i,3 i,2 i,1 i,0 P = F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=4 3 4,3 i,6 i,5 i,4 i,3 i,2 i,1 i,0 F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=5 3 5,3 i,6 i,5 i,4 i,3 i,2 i,1 i,0 → → R=ROT(P,7) ROT(T ,11) W K ; + i,7 + ord3(i) + 3,i T =T ; T =T ; T =T ; T =T ; i+1,7 i,6 i+1,6 i,5 i+1,5 i,4 i+1,4 i,3 T =T ; T =T ; T =T ; T =R. i+1,3 i,2 i+1,2 i,1 i+1,1 i,0 i+1,0 3. Let E3,i =T32,i, 0<=i<=7, and output E3 =E3,7E3,6···E3,0. F performs bit-wise operations according to the Boolean function f : 3 3 F (X ,X ,X ,X ,X ,X ,X )= 3 6 5 4 3 2 1 0 X •X •X ⊕X •X ⊕X •X ⊕X •X ⊕X •X ⊕X 1 2 3 1 4 2 5 3 6 0 3 0 Pass 4 Thispassisexecutedonlywhenfourorfivepassesarerequired.Thein- puttoH is(E ,B).TheorderinwhichthewordsintheblockBareprocessedis 4 3 specifiedbyord inTable1.32constantwords,denotedbyK ,K ,···,K , 4 4,31 4,30 4,0 are employed by H . These constants are unique to H and all taken from the 4 4 fraction part of π. 1. Let T0,i =E3,i, 0<=i<=7. 2. Repeat the following steps for i from 0 to 31: (cid:26) F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=4 P = 4 4,4 i,6 i,5 i,4 i,3 i,2 i,1 i,0 F ◦φ (T ,T ,T ,T ,T ,T ,T )if PASS=5 4 5,4 i,6 i,5 i,4 i,3 i,2 i,1 i,0 → → R=ROT(P,7) ROT(T ,11) W K ; + i,7 + ord4(i) + 4,i T =T ; T =T ; T =T ; T =T ; i+1,7 i,6 i+1,6 i,5 i+1,5 i,4 i+1,4 i,3 T =T ; T =T ; T =T ; T =R. i+1,3 i,2 i+1,2 i,1 i+1,1 i,0 i+1,0 3. Let E4,i =T32,i, 0<=i<=7, and output E4 =E4,7E4,6···E4,0. F performs bit-wise operations on its input words according to the Boolean 4 function f : 4 F (X ,X ,X ,X ,X ,X ,X )= 4 6 5 4 3 2 1 0 X •X •X ⊕X •X •X ⊕X •X •X ⊕ 1 2 3 2 4 5 3 4 6 X •X ⊕X •X ⊕X •X ⊕X •X ⊕ 1 4 2 6 3 4 3 5 X •X ⊕X •X ⊕X •X ⊕X •X ⊕X 3 6 4 5 4 6 0 4 0 Pass 5 This pass is executed only when five passes are required. The input to H is (E ,B). The order in which the words in the block B are processed is 5 4 specifiedbyord inTable1.The32constantwordsemployedbyH aredenoted 5 5 by K ,K ,···,K . 5,31 5,30 5,0 1. Let T0,i =E4,i, 0<=i<=7. 2. Repeat the following steps for i from 0 to 31: P =F ◦φ (T ,T ,T ,T ,T ,T ,T ); 5 5,5 i,6 i,5 i,4 i,3 i,2 i,1 i,0 → → R=ROT(P,7) ROT(T ,11) W K ; + i,7 + ord5(i) + 5,i T =T ; T =T ; T =T ; T =T ; i+1,7 i,6 i+1,6 i,5 i+1,5 i,4 i+1,4 i,3 T =T ; T =T ; T =T ; T =R. i+1,3 i,2 i+1,2 i,1 i+1,1 i,0 i+1,0 3. Let E5,i =T32,i, 0<=i<=7, and output E5 =E5,7E5,6···E5,0. F performs bit-wise operations on its input words according to the Boolean 5 function f : 5 F (X ,X ,X ,X ,X ,X ,X )= 5 6 5 4 3 2 1 0 X •X ⊕X •X ⊕X •X ⊕X •X •X •X ⊕X •X ⊕X 1 4 2 5 3 6 0 1 2 3 0 5 0 2.3 Tailoring the Last Output of H Recall that the last string D = D D ···D output by H is of 256 bits. n n,7 n,6 n,0 D is used directly as the digest of M if a 256-bit digest is required. Otherwise, n D is tailored into a string of specified length. We discuss the four cases that n needadjustmenttoD .Thesefourcasesare(1)Case-1when128-bitdigestsare n required, (2) Case-2 when 160-bit digests are required, (3) Case-3 when 192-bit digests are required and (4) Case-4 when 224-bit digests are required. In the followingdiscussions,wewilluseasuperscripttoindicatethelengthofastring. For instance, if X is a t-bit string, we use X[t] to indicate explicitly the length of X. Case-1(128-bitdigest):WedivideD ,D ,D andD inthefollowing n,7 n,6 n,5 n,4 way D =X[8]X[8]X[8]X[8], n,7 7,3 7,2 7,1 7,0 D =X[8]X[8]X[8]X[8], n,6 6,3 6,2 6,1 6,0 D =X[8]X[8]X[8]X[8], n,5 5,3 5,2 5,1 5,0 D =X[8]X[8]X[8]X[8]. n,4 4,3 4,2 4,1 4,0 The 128-bit digest is Y Y Y Y , where 3 2 1 0 Y =D (X[8]X[8]X[8]X[8]), 3 n,3 + 7,3 6,2 5,1 4,0 Y =D (X[8]X[8]X[8]X[8]), 2 n,2 + 7,2 6,1 5,0 4,3 Y =D (X[8]X[8]X[8]X[8]), 1 n,1 + 7,1 6,0 5,3 4,2 Y =D (X[8]X[8]X[8]X[8]). 0 n,0 + 7,0 6,3 5,2 4,1 Case-2 (160-bit digest): We divide D , D and D in the following way n,7 n,6 n,5 D =X[7]X[6]X[7]X[6]X[6], n,7 7,4 7,3 7,2 7,1 7,0 D =X[7]X[6]X[7]X[6]X[6], n,6 6,4 6,3 6,2 6,1 6,0 D =X[7]X[6]X[7]X[6]X[6]. n,5 5,4 5,3 5,2 5,1 5,0 Then the 160-bit digest Y Y Y Y Y is obtained by computing 4 3 2 1 0 Y =D (X[7]X[6]X[7]), 4 n,4 + 7,4 6,3 5,2 Y =D (X[6]X[7]X[6]), 3 n,3 + 7,3 6,2 5,1 Y =D (X[7]X[6]X[6]), 2 n,2 + 7,2 6,1 5,0 Y =D (X[6]X[6]X[7]), 1 n,1 + 7,1 6,0 5,4 Y =D (X[6]X[7]X[6]). 0 n,0 + 7,0 6,4 5,3 Case-3 (192-bit digest): Divide D and D into n,7 n,6 D =X[6]X[5]X[5]X[6]X[5]X[5], n,7 7,5 7,4 7,3 7,2 7,1 7,0 D =X[6]X[5]X[5]X[6]X[5]X[5]. n,6 6,5 6,4 6,3 6,2 6,1 6,0 Let Y =D (X[6]X[5]), 5 n,5 + 7,5 6,4 Y =D (X[5]X[5]), 4 n,4 + 7,4 6,3 Y =D (X[5]X[6]), 3 n,3 + 7,3 6,2 Y =D (X[6]X[5]), 2 n,2 + 7,2 6,1 Y =D (X[5]X[5]), 1 n,1 + 7,1 6,0 Y =D (X[5]X[6]). 0 n,0 + 7,0 6,5 Output Y Y Y Y Y Y as the digest. 5 4 3 2 1 0 Case-4 (224-bit digest): We divide D into n,7 D =X[5]X[5]X[4]X[5]X[4]X[5]X[4]. n,7 7,6 7,5 7,4 7,3 7,2 7,1 7,0 The 224-bit digest is Y Y Y Y Y Y Y , where 6 5 4 3 2 1 0 Y =D X[4], 6 n,6 + 7,0 Y =D X[5], 5 n,5 + 7,1 Y =D X[4], 4 n,4 + 7,2 Y =D X[5], 3 n,3 + 7,3

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.