
Hash and MAC Algorithms

Kalpesh M Patel

Hash Functions
condense arbitrary size message to fixed size
by processing message in blocks
through some compression function
either custom or block cipher based

Message Authentication Code (MAC)
fixed sized authenticator for some message
to provide authentication for message
by using block cipher mode or hash function

Hash Algorithm Structure

Secure Hash Algorithm
SHA originally designed by NIST & NSA in 1993
was revised in 1995 as SHA-1
US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
based on design of MD4 with key differences
produces 160-bit hash values
recent 2005 results on security of SHA-1 have raised concerns on its use in future applications

Revised Secure Hash Standard
NIST issued revision FIPS 180-2 in 2002
adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512
designed for compatibility with increased security provided by the AES cipher
structure & detail is similar to SHA-1
hence analysis should be similar
but security levels are rather higher

SHA-512 Logic
takes as input a message with a maximum length of less than 2^128 bits and produces as output a 512-bit message digest
The input is processed in 1024-bit blocks
Step 1: Append padding bits
The message is padded so that its length is congruent to 896 modulo 1024 [length ≡ 896 (mod 1024)]
Padding is always added, even if the message is already of the desired length
the number of padding bits is in the range of 1 to 1024
The padding consists of a single 1-bit followed by the necessary number of 0-bits

SHA-512 Logic
Step 2: Append length
A block of 128 bits is appended to the message
This block is treated as an unsigned 128-bit integer (most significant byte first) and contains the length of the original message (before the padding)
The outcome of the first two steps yields a message that is an integer multiple of 1024 bits in length
the expanded message is represented as the sequence of 1024-bit blocks M_1, M_2, ..., M_N, so that the total length of the expanded message is N x 1024 bits.

SHA-512 Overview

SHA-512 Logic
Step 3: Initialize hash buffer
A 512-bit buffer is used to hold intermediate and final results of the hash function
The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h)
These registers are initialized to the following 64-bit integers (hexadecimal values):
a = 6A09E667F3BCC908 b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B d = A54FF53A5F1D36F1
e = 510E527FADE682D1 f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B h = 5BE0CD19137E2179

SHA-512 Logic
Step 4: Process message in 1024-bit (128-word) blocks
The heart of the algorithm is a module that consists of 80 rounds
Each round takes as input the 512-bit buffer value abcdefgh, and updates the contents of the buffer
At input to the first round, the buffer has the value of the intermediate hash value, H_{i-1}
Each round t makes use of a 64-bit value W_t derived from the current 1024-bit block being processed (M_i). These values are derived using a message schedule described subsequently.

SHA-512 Logic
Each round also makes use of an additive constant K_t, where 0 ≤ t ≤ 79 indicates one of the 80 rounds.
These words represent the first sixty-four bits of the fractional parts of the cube roots of the first eighty prime numbers.
The constants provide a "randomized" set of 64-bit patterns, which should eliminate any regularities in the input data.
The output of the eightieth round is added to the input to the first round (H_{i-1}) to produce H_i.
The addition is done independently for each of the eight words in the buffer with each of the corresponding words in H_{i-1} using addition modulo 2^64.

SHA-512 Logic
Step 5: Output
After all N 1024-bit blocks have been processed, the output from the Nth stage is the 512-bit message digest.
H_0 = IV
H_i = SUM64(H_{i-1}, abcdefgh_i)
MD = H_N

SHA-512 Logic
where IV = initial value of the abcdefgh buffer, defined in step 3
abcdefgh_i = the output of the last round of processing of the ith message block
N = the number of blocks in the message (including padding and length fields)
SUM64 = Addition modulo 2^64 performed separately on each word of the pair of inputs
MD = final message digest value

SHA-512 Compression Function
heart of the algorithm
processing message in 1024-bit blocks
consists of 80 rounds
updating a 512-bit buffer
using a 64-bit value W_t derived from the current message block
and a round constant based on cube root of first 80 prime numbers

SHA-512 Round Function
t = step number; 0 ≤ t ≤ 79
Ch(e, f, g) = (e AND f) ⊕ (NOT e AND g) the conditional function: If e then f else g
Maj(a, b, c) = (a AND b) ⊕ (a AND c) ⊕ (b AND c) the function is true only if the majority (two or three) of the arguments are true.

SHA-512 Round Function
ROTR^n(x) = circular right shift (rotation) of the 64-bit argument x by n bits
W_t = a 64-bit word derived from the current 512-bit input block
K_t = a 64-bit additive constant
+ = addition modulo 2^64

SHA-512 Round Function
It remains to indicate how the 64-bit word values W_t are derived from the 1024-bit message
The first 16 values of W_t are taken directly from the 16 words of the current block
where
ROTR^n(x) = circular right shift (rotation) of the 64-bit argument x by n bits
SHR^n(x) = left shift of the 64-bit argument x by n bits with padding by zeros on the right

Whirlpool
now examine the Whirlpool hash function
endorsed by European NESSIE project
uses modified AES internals as compression function
addressing concerns on use of block ciphers seen previously
with performance comparable to dedicated algorithms like SHA

Whirlpool Overview

Whirlpool Block Cipher W
designed specifically for hash function use
with security and efficiency of AES
but with 512-bit block size and hence hash
similar structure & functions as AES but
input is mapped row wise
has 10 rounds
a different primitive polynomial for GF(2^8)
uses different S-box design & values

Whirlpool Performance & Security
Whirlpool is a very new proposal
hence little experience with use
but many AES findings should apply
does seem to need more h/w than SHA, but with better resulting performance

Keyed Hash Functions as MACs
want a MAC based on a hash function
because hash functions are generally faster
code for crypto hash functions widely available
hash includes a key along with message
original proposal:
KeyedHash = Hash(Key|Message)
some weaknesses were found with this
eventually led to development of HMAC

HMAC
specified as Internet standard RFC2104
uses hash function on the message:
HMAC_K = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
where K+ is the key padded out to size
and opad, ipad are specified padding constants
overhead is just 3 more hash calculations than the message needs alone
any hash function can be used
eg. MD5, SHA-1, RIPEMD-160, Whirlpool

HMAC Overview

HMAC Security
proved security of HMAC relates to that of the underlying hash algorithm
attacking HMAC requires either:
brute force attack on key used
birthday attack (but since keyed would need to observe a very large number of messages)
choose hash function used based on speed versus security constraints

CMAC
previously saw the DAA (CBC-MAC)
widely used in govt & industry
but has message size limitation
can overcome using 2 keys & padding
thus forming the Cipher-based Message Authentication Code (CMAC)
adopted by NIST SP800-38B

CMAC Overview

Summary
have considered:
some current hash algorithms
SHA-512 & Whirlpool
HMAC authentication using hash function
CMAC authentication using a block cipher
