Message Integrity and Authentication

Cryptography and system security PPT

Uploaded by

RAJ TAPASE

Chapter 11 & 12

Message Integrity & Message Authentication
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 11
Objectives
❏ To define message integrity
❏ To define message authentication
❏ To define criteria for a cryptographic hash function
❏ To introduce general ideas behind cryptographic hash functions
❏ To discuss the Merkle-Damgard scheme as the basis for iterated hash functions
❏ To distinguish between two categories of hash functions

11-1 MESSAGE INTEGRITY

The cryptography systems that we have studied so far provide secrecy, or confidentiality, but not integrity. However, there are occasions where we may not even need secrecy but instead must have integrity.

Topics discussed in this section:

11.1.1 Document and Fingerprint
11.1.2 Message and Message Digest
11.1.3 Difference
11.1.4 Checking Integrity
11.1.5 Cryptographic Hash Function Criteria

11.1.1 Document and Fingerprint

One way to preserve the integrity of a document is through the use of a fingerprint. If Alice needs to be sure that the contents of her document will not be changed, she can put her fingerprint at the bottom of the document.

11.1.2 Message and Message Digest

The electronic equivalent of the document and fingerprint pair is the message and digest pair.

Figure 11.1 Message and digest

11.1.3 Difference

The two pairs (document / fingerprint) and (message / message digest) are similar, with some differences. The document and fingerprint are physically linked together. The message and message digest can be separated from each other, and, most importantly, the message digest needs to be safe from change.

Note
The message digest needs to be safe from change.

11.1.4 Checking Integrity

Figure 11.2 Checking integrity

11.1.5 Cryptographic Hash Function Criteria

A cryptographic hash function must satisfy three criteria: preimage resistance, second preimage resistance, and collision resistance.

Figure 11.3 Criteria of a cryptographic hash function

11.1.5 Continued

Preimage Resistance

Figure 11.4 Preimage

11.1.5 Continued

Example 11.1
Can we use a conventional lossless compression method such as
StuffIt as a cryptographic hash function?

Solution
We cannot. A lossless compression method creates a compressed
message that is reversible.

Example 11.2
Can we use a checksum function as a cryptographic hash function?

Solution
We cannot. A checksum function is not preimage resistant; Eve may find several messages whose checksum matches the given one.
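
Example 11.2 run through the integrity check of Section 11.1.4, as an added illustration that is not part of the original slides. The 16-bit additive checksum is an assumption (the slide names no particular checksum), and the two messages are constructed samples.

```python
import hashlib
import hmac

def checksum16(msg: bytes) -> bytes:
    """Sum of 16-bit big-endian words mod 2**16 (assumed checksum)."""
    if len(msg) % 2:
        msg += b"\x00"                      # pad odd-length input
    total = sum(int.from_bytes(msg[i:i + 2], "big") for i in range(0, len(msg), 2))
    return (total % 65536).to_bytes(2, "big")

def sha512_digest(msg: bytes) -> bytes:
    return hashlib.sha512(msg).digest()

def check_integrity(received: bytes, trusted_digest: bytes, digest_fn) -> bool:
    """Recompute the digest of the received message and compare it with the
    digest that was kept safe from change (Figure 11.2)."""
    return hmac.compare_digest(digest_fn(received), trusted_digest)

# Constructed sample: the two amounts sit on 16-bit word boundaries.
ORIGINAL = b"PAY BOB 10, PAY EVE 90"
# Same 16-bit words in a different order, so the word sum is unchanged.
TAMPERED = b"PAY BOB 90, PAY EVE 10"

def compare():
    """Return {digest name: (original accepted, tampered accepted)}."""
    results = {}
    for name, fn in (("checksum16", checksum16), ("sha512", sha512_digest)):
        trusted = fn(ORIGINAL)
        results[name] = (check_integrity(ORIGINAL, trusted, fn),
                         check_integrity(TAMPERED, trusted, fn))
    return results

if __name__ == "__main__":
    for name, (orig_ok, tampered_ok) in compare().items():
        print(f"{name:10s} original accepted={orig_ok} tampered accepted={tampered_ok}")
```

The checksum accepts both messages because addition ignores word order; the SHA-512 digest accepts only the original.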
11.1.5 Continued
Second Preimage Resistance

Figure 11.5 Second preimage

11.1.5 Continued

Collision Resistance

Figure 11.6 Collision

11.2.2 Birthday Problems
Figure 11.7 Four birthday problems

11.2.2 Continued

Summary of Solutions
Solutions to these problems are given in Appendix E for interested readers. The results are summarized in Table 11.3.

11.2.3 Continued

Summary of Attacks
Table 11.4 shows the level of difficulty for each attack if the digest
is n bits.

12-1 INTRODUCTION

A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length. The ultimate goal of this chapter is to discuss the details of the two most promising cryptographic hash algorithms, SHA-512 and Whirlpool.

Topics discussed in this section:


12.1.1 Iterated Hash Function
12.1.2 Two Groups of Compression Functions

Iterated hash function
❏ Creates a fixed-size digest out of a variable-size message
❏ Such a function is created through iteration
❏ Uses a function with fixed-size input (the compression function), applied as many times as necessary
❏ The compression function compresses an n-bit string to an m-bit string, where n > m

12.1.1 Iterated Hash Function

Merkle-Damgard Scheme

Figure 12.1 Merkle-Damgard scheme

12.1.2 Continued

12-2 SHA-512
SHA-512 is the version of SHA with a 512-bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme.

Topics discussed in this section:


12.2.1 Introduction
12.2.2 Compression Function
12.2.3 Analysis
12.2.1 Introduction

Figure 12.6 Message digest creation SHA-512

12.2.1 Continued

Message Preparation
SHA-512 insists that the length of the original message be less than 2^128 bits.

Note
SHA-512 creates a 512-bit message digest out of a message less than 2^128.

12.2.1 Continued

Example 12.1
This example shows that the message length limitation of SHA-512 is not a serious problem. Suppose we need to send a message that is 2^128 bits in length. How long does it take for a communications network with a data rate of 2^64 bits per second to send this message?

Solution
A communications network that can send 2^64 [2^64 = 18446744073709551616] bits per second is not yet available. Even if it were, it would take many years to send this message. This tells us that we do not need to worry about the SHA-512 message length restriction.

12.2.1 Continued

Example 12.2
This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2^128 bits?

Solution
Suppose that a character is 32, or 2^6, bits. Each page is less than 2048, or approximately 2^12, characters. So 2^128 bits need at least 2^128 / 2^18, or 2^110, pages. This again shows that we need not worry about the message length restriction.

12.2.1 Continued

Figure 12.7 Padding and length field in SHA-512

12.2.1 Continued

Example 12.3
What is the number of padding bits if the length of the
original message is 2590 bits?

Solution
We can calculate the number of padding bits as follows:

The padding consists of one 1 followed by 353 0’s.

12.2.1 Continued

Example 12.4
Do we need padding if the length of the original message is
already a multiple of 1024 bits?

Solution
Yes, we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits.

12.2.1 Continued

Example 12.5
What are the minimum and maximum numbers of padding bits that can be added to a message?

Solution
a. The minimum length of padding is 0 and it happens when (−|M| − 128) mod 1024 is 0. This means that |M| = −128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits. We add a 128-bit length field to make the block complete.

12.2.1 Continued

Example 12.5 Continued


b. The maximum length of padding is 1023 and it happens when (−|M| − 128) = 1023 mod 1024. This means that the length of the original message is |M| = (−128 − 1023) mod 1024 or the length is |M| = 897 mod 1024. In this case, we cannot just add the length field because the last block would then be one bit longer than 1024 bits. So we need to add 897 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete.

12.2.1 Continued

Words

Figure 12.8 A message block and the digest as words

12.2.1 Continued

Word Expansion
Figure 12.9 Word expansion in SHA-512

12.2.1 Continued

Example 12.6

Show how W60 is made.

Solution
Each word in the range W16 to W79 is made from four
previously-made words. W60 is made as

12.2.1 Continued

Message Digest Initialization

12.2.2 Compression Function
Figure 12.10 Compression function in SHA-512

12.2.2 Continued
Figure 12.11 Structure of each round in SHA-512

12.2.2 Continued

Majority Function

Conditional Function

Rotate Functions

12.2.2 Continued

12.2.2 Continued

There are 80 constants, K0 to K79, each of 64 bits. These values are calculated from the first 80 prime numbers (2, 3, …, 409). For example, the 80th prime is 409, with the cubic root (409)^(1/3) = 7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get

The fraction part:
(6C44198C4A475817)_16

12.2.2 Continued

Example 12.7
We apply the Majority function on buffers A, B, and C. If the
leftmost hexadecimal digits of these buffers are 0x7, 0xA,
and 0xE, respectively, what is the leftmost digit of the
result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.

The result is 1110, or 0xE in hexadecimal.


12.2.2 Continued

Example 12.8
We apply the Conditional function on E, F, and G buffers. If
the leftmost hexadecimal digits of these buffers are 0x9,
0xA, and 0xF respectively, what is the leftmost digit of the
result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.

The result is 1110, or 0xE in hexadecimal.


12.2.3 Analysis

With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks.