
Hash Function

Uploaded by

SANSKRITI SAXENA

Hash Functions

• condenses arbitrary message to fixed size: h = H(M)
• usually assume that the hash function is public and not keyed
  • cf. MAC which is keyed
• hash used to detect changes to message
• can use in various ways with message (go through Stallings Figure 11.5 a through f)
• most often to create a digital signature

Hash Functions & Digital Signatures

Go through Stallings Figure 11.5 a through f


(above only c is given)
Requirements for Hash Functions
1. can be applied to a message M of any size
2. produces a fixed-length output h
3. h = H(M) is easy to compute for any message M
4. given h, it is infeasible to find x s.t. H(x) = h
   • Preimage resistant (one-way property)
5. given x, it is infeasible to find y s.t. H(y) = H(x)
   • Second preimage resistant (weak collision resistant)
6. it is infeasible to find any x, y s.t. H(y) = H(x)
   • Collision resistant (strong collision resistant)

Hash Functions Family
• MD (Message Digest)
  • Designed by Ron Rivest
  • Family: MD2, MD4, MD5
• SHA (Secure Hash Algorithm)
  • Designed by NIST
  • Family: SHA-0, SHA-1, and SHA-2
  • SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
  • SHA-3: New standard in competition
• Both MD5 and SHA-1 use the Merkle-Damgård construction
• SHA-3 uses the sponge construction

MD5 and SHA-1

MD2, MD4 and MD5
• Family of one-way hash functions by Ronald Rivest
• All produce a 128-bit hash value
• MD2: 1989
  • Optimized for 8-bit computers
  • Collision found in 1995
• MD4: 1990
  • Full-round collision attack found in 1995
• MD5: 1992
  • Specified as Internet standard in RFC 1321
  • Since 1997 it has been theoretically not so hard to create a collision
  • Practical collisions: MD5 has been broken since 2004
  • CA attack published in 2007

Message Digest 5 algorithm (MD5 algorithm)
• This algorithm takes an input of arbitrary length and produces a 128-bit message digest.
• Step 1: Append Padding Bits – The message is padded so that its length is congruent to 448 mod 512.
• The 64-bit length appended in Step 2 is added to these 448 bits, making the total a multiple of 512 bits.
• The padding consists of a single 1 bit followed by 0 bits. The number of padding bits is between 1 and 512.
• Step 2: Append Length – The length of the original message is calculated and appended to the end of the padding as a 64-bit block.
• Step 3: Initialize MD Buffer – A 128-bit buffer is used to store the intermediate as well as the final result. The buffer is represented as four 32-bit registers A, B, C, D, which are set to an initial value (IV):
A = 01 23 45 67
B = 89 AB CD EF
C = FE DC BA 98
D = 76 54 32 10
• Step 4: Process Message in 512-bit Blocks – Processing consists of four rounds. Each round takes the 512-bit block as input, processes it and produces a 128-bit output. The output of the fourth round is added to the input of the first round (CVq) to produce CVq+1.
• Step 5: Output – After all L 512-bit blocks have been processed, the 128-bit message digest is produced as the output.

MD5 Overview

1. Append padding bits (to 448 mod 512)
2. Append length (64 bits)
3. Initialize MD buffer (4 × 32-bit words)
Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10

Hash Algorithm Design – MD5

[Figure: processing of one 512-bit block in rounds of 16 steps each, and the structure of a single step]

The ith 32-bit word in matrix T, constructed from the sine function: abs(sin(i + 1)) × 2^32

M[q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg

Secure Hash Algorithm
• SHA originally designed by NIST & NSA in 1993
• revised in 1995 as SHA-1
• US standard for use with DSA signature scheme
  • standard is FIPS 180-1 1995, also Internet RFC 3174
• based on design of MD4 with key differences
• produces 160-bit hash values
• recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

Basic Structure of SHA-1
• Against padding attacks
• Split message into 512-bit blocks
• 160-bit buffer (5 registers), initialized with magic values
• Compression function
  • Applied to each 512-bit block and current 160-bit buffer
  • This is the heart of SHA-1

SHA-1 Compression Function
• Current buffer (five 32-bit registers A, B, C, D, E)
• Current message block
• Four rounds, 20 steps in each (let's look at each step in more detail…)
• Similar to a block cipher, with message itself used as the key for each round
• Fifth round adds the original buffer to the result of 4 rounds
• Buffer contains final hash value

One Step of SHA-1 (80 steps total)

[Figure: registers A B C D E before and after one step]

• Logic function ft for steps:
  • (B AND C) OR (NOT B AND D)             0..19
  • B XOR C XOR D                          20..39
  • (B AND C) OR (B AND D) OR (C AND D)    40..59
  • B XOR C XOR D                          60..79
• Bitwise left-rotate by 5
• Bitwise left-rotate by 30
• Current message block Wt mixed in
  • For steps 0..15, W0..15 = message block
• Multi-level shifting of message blocks
  • For steps 16..79, Wt = Wt-16 XOR Wt-14 XOR Wt-8 XOR Wt-3
• Special constant Kt added (same value in each 20-step round, 4 different constants altogether)

How Strong Is SHA-1?
• Every bit of output depends on every bit of input
  • Very important property for collision-resistance
• Brute-force inversion requires 2^160 ops, birthday attack on collision resistance requires 2^80 ops
• Some weaknesses discovered in 2005
  • Collisions can be found in 2^63 ops

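The two strength claims above (every output bit depends on every input bit; a birthday collision costs about 2^(n/2) work for an n-bit digest), and with them the collision-resistance requirement from the earlier slide, measured in an added Python example that is not part of the original slides. The truncated n-bit hash and the counter messages are constructed for this example so that the search finishes in seconds; the same square-root cost is why a 160-bit digest gives only 80 bits of collision resistance.

```python
import hashlib

def sha1_bits_changed(msg: bytes, bit: int) -> int:
    """Number of the 160 output bits that change when one input bit is flipped."""
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    a = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    b = int.from_bytes(hashlib.sha1(bytes(flipped)).digest(), "big")
    return bin(a ^ b).count("1")

def mean_avalanche(msg: bytes) -> float:
    """Average number of output bits changed over every single-bit flip of msg."""
    n = 8 * len(msg)
    return sum(sha1_bits_changed(msg, i) for i in range(n)) / n

def truncated_sha1(msg: bytes, nbits: int) -> int:
    """Toy n-bit hash (assumption for this example): the top nbits of SHA-1."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - nbits)

def birthday_collision(nbits: int):
    """Hash counter messages until two share an n-bit digest.

    Returns (first message, second message, number of hashes computed).
    The expected number of hashes is on the order of 2^(nbits/2).
    """
    seen = {}
    i = 0
    while True:
        m = b"constructed-msg-%d" % i   # constructed sample input
        h = truncated_sha1(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1

if __name__ == "__main__":
    print("mean output bits changed per input-bit flip:",
          mean_avalanche(b"constructed input"))
    for n in (16, 24, 32):
        x, y, tries = birthday_collision(n)
        print(f"n={n}: collision after {tries} hashes, 2^(n/2) = {2 ** (n // 2)}")
```
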
NIST Competition
• A public competition to develop a new cryptographic hash algorithm
  • Organized by NIST
• 64 entries into the competition (Oct 2008)
• 5 finalists in 3rd round (Dec 2010)
• Winner: Keccak (Oct 2012)
  • Will be standardized as SHA-3

Keyed Hash Functions as MACs
• want a MAC based on a hash function
  • because hash functions are generally faster
  • code for crypto hash functions widely available
• hash includes a key along with message
• original proposal: KeyedHash = Hash(Key|Message)
  • some weaknesses were found with this
• eventually led to development of HMAC

HMAC
• specified as Internet standard RFC 2104
• uses hash function on the message:
  HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
• where K+ is the key padded out to size
• and opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the message needs alone
• any hash function can be used
  • e.g. MD5, SHA-1, RIPEMD-160, Whirlpool

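The HMAC formula above written out byte by byte, as an added Python example that is not part of the original slides. The function names are hypothetical; the 0x36 and 0x5C pad bytes and the rule that over-long keys are hashed first come from RFC 2104, and the sample key and messages are constructed.

```python
import hashlib
import hmac

def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]."""
    def H(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = H(key)                                  # over-long keys are hashed first
    k_plus = key.ljust(block_size, b"\x00")           # K+: key padded out to block size
    inner_key = bytes(b ^ 0x36 for b in k_plus)       # K+ XOR ipad
    outer_key = bytes(b ^ 0x5C for b in k_plus)       # K+ XOR opad
    return H(outer_key + H(inner_key + msg))

def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Recompute the tag and compare in constant time, so the check does not
    reveal how many leading bytes of a wrong tag happened to match."""
    return hmac.compare_digest(hmac_from_formula(key, msg, hash_name), tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    msg = b"amount=100&to=alice"
    tag = hmac_from_formula(key, msg)
    print("tag:", tag.hex())
    print("untouched message verifies:", verify_tag(key, msg, tag))
    print("modified message verifies:", verify_tag(key, b"amount=900&to=alice", tag))
    # Cross-check against the standard library implementation.
    print("matches hmac module:", tag == hmac.new(key, msg, "sha1").digest())
```
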
HMAC Overview
