
Faculty of Computing

Universiti Teknologi Malaysia


SCSR3443 Introduction to Cryptography

Semester 2, 13/14

Generating Digital Signatures

Suppose Bob wants to digitally sign a "document", m. In the textbook description used throughout these notes, Bob simply applies his private key, KPRB, to the document and computes E(KPRB, m); anyone holding Bob's public key can undo that operation and compare the result with m. (Real signature schemes such as RSA-PSS, ECDSA and Ed25519 are not literally "encryption with the private key", but the notation E(KPRB, ·) for "apply the private key" is kept here because it makes the arguments below easy to follow.)

Public key encryption technology can be used to create a digital signature.


One concern with signing data by applying public key encryption to the whole message is that public key encryption and decryption are computationally expensive.
Many network devices and processes routinely exchange data that may not need to be encrypted. Nonetheless, they do want to ensure that:
the sender of the data is as claimed;
the transmitted data has not been changed since the sender created and signed it.

Digital Hash
A hash is simply a "summary", or "tag", generated from a digital document using a mathematical rule or algorithm.
It is designed so that a small change in the document produces a big change in the hash.
A hash is not an encryption of the document (it cannot be reversed to recover the document) and, most importantly, it is very difficult to find two documents that have the same hash.
Hashes are used to check the integrity of files and documents:
Detection of bit errors caused by unreliable transmission links or faulty storage media.
o Solution: a message digest acting as a unique fingerprint for the document (similar in function to a CRC).
Protection against unauthorized modification.
o Without protection a forger could create both an alternative document and its corresponding correct message digest, because the digest algorithm itself is public.
o Symmetric key solution: a Message Authentication Code (MAC) formed by using a keyed message digest function.
o Asymmetric key solution: a digital signature formed by applying the document author's private key to the message digest.


Hash Algorithm
A one-way hash function, H(m), is a mathematical function that takes a message string, m, of any length (the pre-image) and returns a smaller fixed-length string, h (the hash value).
h = H(m), where h has a fixed length n that does not depend on the length of m.
Characteristics of a hash function:
It can take arbitrary-length input and returns an output of fixed length.
Given m, it is easy to compute h.
Given h, it is hard to compute any m such that H(m) = h (pre-image resistance: no easier than a brute-force search).
Given m, it is hard to find another message M, M ≠ m, such that H(M) = H(m) (second pre-image resistance).
The hash value of a file is a small, practically unique fingerprint, also called a message digest or one-way transformation.
The message digest value should depend on every bit of the corresponding message.
If a single bit of the original message changes its value, or one bit is added or deleted, then about 50% of the digest bits should change their values in a random fashion (the avalanche effect).
A good hash function achieves a pseudo-random message-to-digest mapping, causing two nearly identical messages to have totally different hash values.

Message Digests: Digital Signature

The goal here is that rather than having Bob digitally sign (apply his private key to) the entire message, he should be able to sign just the message digest by computing E(KPRB, H(m)).
Having m and E(KPRB, H(m)) together should be "just as good as" having a signed complete message, E(KPRB, m).
This means that m and E(KPRB, H(m)) together should be non-forgeable, verifiable, and non-repudiable.
Non-forgeability requires that the message digest algorithm have some special properties:
Given a message digest value, x, it is computationally infeasible to find a message, y, such that H(y) = x (otherwise, given one signed message, an attacker could find a second message with the same digest and reuse Bob's signature on it).
It is computationally infeasible to find any two messages x and y such that H(x) = H(y) (otherwise an attacker could get Bob to sign harmless x and later present harmful y with the same signature).


A message digest is in many ways like a checksum.
The algorithm takes a message, m, of arbitrary length and computes a fixed-length "fingerprint" of the data known as a message digest, H(m).
The message digest protects data in the sense that if m is changed to m' (either maliciously or by accident) then H(m), computed for the original data (and transmitted with that data), will not match the H(m') computed over the changed data.
While the message digest provides for data integrity, how does it help with signing the message m?
Digital Signature: Encrypt or Hash?

A message digest of a fixed size acts as a unique fingerprint for an arbitrary-sized message, document or packed software distribution file.
With a common digest size of 128 to 256 bits, about 10^38 to 10^77 different fingerprint values can be represented.
o If on every day of the 21st century 10 billion people wrote 100 letters each, this would amount to 3.65 × 10^16 documents, so only a tiny fraction of all possible values would ever be used.


Checksum
Let's convince ourselves that a simple checksum would make a poor message digest algorithm.
Suppose Bob owes Alice $100.99 and sends an IOU to Alice consisting of the text string "IOU100.99BOB".
The ASCII representation (in hexadecimal notation) for these characters is 49, 4F, 55, 31, 30, 30, 2E, 39, 39, 42, 4F, 42.
A 4-byte checksum is formed by writing the message in rows of four bytes and adding each column modulo 256:

Message      Bytes (hex)
IOU1         49 4F 55 31
00.9         30 30 2E 39
9BOB         39 42 4F 42
Checksum     B2 C1 D2 AC

Now swap the two digits to produce a different IOU, "IOU900.19BOB":

Message      Bytes (hex)
IOU9         49 4F 55 39
00.1         30 30 2E 31
9BOB         39 42 4F 42
Checksum     B2 C1 D2 AC

The checksum is identical, so Alice could not tell the forged IOU from the original. In general any two bytes whose positions differ by a multiple of four can be swapped without changing a single column sum: a checksum detects random errors but offers no second pre-image resistance.
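The column checksum from the IOU example and the swap trick that defeats it, as an added example that is not part of the lecture notes. The function names and the choice of SHA-256 as the comparison digest are this example's own.

```python
import hashlib

# Added example (not part of the lecture notes): the 4-byte column checksum
# of the IOU example, and a generic forgery that keeps the checksum unchanged
# by swapping two bytes whose positions are congruent modulo the width.

def column_checksum(msg: bytes, width: int = 4) -> bytes:
    """Add the bytes column-wise (modulo 256) over rows of `width` bytes."""
    sums = [0] * width
    for i, b in enumerate(msg):
        sums[i % width] = (sums[i % width] + b) & 0xFF
    return bytes(sums)

def forge_same_checksum(msg: bytes, i: int, j: int, width: int = 4) -> bytes:
    """Swap bytes i and j. Every column sum is unchanged when i == j (mod width)."""
    if i % width != j % width:
        raise ValueError("positions must fall in the same column")
    out = bytearray(msg)
    out[i], out[j] = out[j], out[i]
    return bytes(out)

def same_sha256(a: bytes, b: bytes) -> bool:
    """A real digest does not survive the swap."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

if __name__ == "__main__":
    original = b"IOU100.99BOB"
    forged = forge_same_checksum(original, 3, 7)      # '1' and '9' are 4 apart
    print(forged, column_checksum(original).hex(), column_checksum(forged).hex())
    print("SHA-256 digests equal:", same_sha256(original, forged))
```

Positions 3 and 7 hold the digits '1' and '9'; they sit in the same column, so the swap turns $100.99 into $900.19 with the same four checksum bytes. The same swap changes every bit pattern a cryptographic digest produces.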

Characteristics of Hash Algorithms

Reduce variable-length input to fixed-length output (128 or 160 bits for the older MD5 and SHA-1; 256 bits or more for current designs).
Requirements:
Cannot deduce the input from the output (one-way).
Cannot construct an input that produces a given output (a CRC fails this requirement: it is linear, so an input with any wanted CRC is easily built).
Cannot find two inputs which produce the same output (a CRC also fails this requirement).
Used to:
Produce a fixed-length fingerprint of arbitrary-length data.
Produce data checksums to enable detection of modifications.
Distill passwords down to fixed-length encryption keys.
A small change in the document will produce a large change in the hash.
Hashes should not be predictable.
Hashes should not collide, and it should be computationally difficult to find collisions: two documents should have a very, very small chance of having the same hash, and it should be virtually impossible to find a document that has the same hash as a known document.
Hashing should be fast (password hashing is the exception, where a deliberately slow function is wanted; see the uses below).
Example: Hash Value
Example : Hash Value
Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum
dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit
amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con;
minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum
venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis
nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud
laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut
aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea
com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in
reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit
in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.


The hash value is:
B745ACE71DEB8B0DB0DEB55C31B379DA1DEE26E894F5ADCCA4B56BDCBFD2183458D32B79
Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum
dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit
amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con;
minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum
venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis
nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud
laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut
aliquip ex ea com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea
com color in reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in
reprehenderit in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit
in voluptate nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con: minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate
nonumy.Lorum ipsum dolor sit amet, con; minimum venami quis nostrud laboris nisi ut aliquip ex ea com color in reprehenderit in voluptate nonumy.

The hash value of this file is:
19010336D0F8A845BC52179A21770E268205EF0AAD65311A70D414CF6374D3BAD4C18B23
Notice how different the two hash values are even though only one bit changed: in the fourth-from-last sentence ";" (0x3B) became ":" (0x3A), which differ in a single bit.
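The avalanche effect measured directly, as an added example that is not part of the lecture notes. It compares SHA-256 digests of a short constructed text with the same ";" to ":" change as above, and then averages over random single-bit flips; SHA-256 and the sample text are this example's choices.

```python
import hashlib
import random

# Added example (not from the lecture notes): measure the avalanche effect.
# A single flipped input bit should change about half of the digest bits.

def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 = MSB of byte 0)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (7 - bit_index % 8)
    return bytes(out)

def digest_distance(m1: bytes, m2: bytes, algo: str = "sha256") -> int:
    """How many digest bits differ between H(m1) and H(m2)."""
    h1 = hashlib.new(algo, m1).digest()
    h2 = hashlib.new(algo, m2).digest()
    return hamming_distance(h1, h2)

def avalanche_fraction(msg: bytes, trials: int = 200, algo: str = "sha256", seed: int = 1) -> float:
    """Mean fraction of digest bits changed over `trials` random single-bit flips."""
    rng = random.Random(seed)                      # fixed seed: repeatable measurement
    digest_bits = hashlib.new(algo).digest_size * 8
    total = 0
    for _ in range(trials):
        bit = rng.randrange(len(msg) * 8)
        total += digest_distance(msg, flip_bit(msg, bit), algo)
    return total / (trials * digest_bits)

if __name__ == "__main__":
    # Constructed sample: the one-bit change from the notes, ';' (0x3B) -> ':' (0x3A).
    a = b"Lorum ipsum dolor sit amet, con; minimum venami"
    b = b"Lorum ipsum dolor sit amet, con: minimum venami"
    print(hamming_distance(a, b), "input bit(s) differ")
    print(digest_distance(a, b), "of 256 digest bits differ")
    print(f"mean fraction changed over random flips: {avalanche_fraction(a):.3f}")
```

For a good hash the fraction settles very close to 0.5; running the same measurement with the column checksum of the IOU example would show one or two bytes changing and the rest untouched.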

Uses of Hash Algorithms

Password Hashing
store the hashed version of the password rather than the password itself
compare the hashed version of the entered password with the stored value
(in practice use a salted, deliberately slow password hash such as bcrypt, scrypt or Argon2; a single fast digest lets an attacker who steals the password file test billions of guesses per second)
Message Integrity/Authentication
hash the message together with a shared secret, i.e. a keyed hash or MAC (use a proper construction such as HMAC rather than a plain H(secret || message))
Message Fingerprint
checksum for detecting modifications
Down-line Load Security
verify that a downloaded program hasn't been corrupted or substituted
Digital Signature Efficiency
sign a message digest rather than the entire message


Types of Hash Functions

Modification Detection Codes (MDCs)
Also known as manipulation detection codes, and less commonly as message integrity codes (MICs).
The purpose of an MDC is (informally) to provide a representative image or hash of a message.
MDCs are a subclass of unkeyed hash functions.
Message Authentication Codes (MACs)
The purpose of a MAC is (informally) to facilitate, without the use of any additional mechanisms, assurances regarding both the source of a message and its integrity.
MACs have two functionally distinct parameters, a message input and a secret key; they are a subclass of keyed hash functions.
It is generally assumed that the algorithmic specification of a hash function is public knowledge. Thus in the case of MDCs, given a message as input, anyone may compute the hash result; and in the case of MACs, given a message as input, only someone with knowledge of the key may compute the hash result. This is why an MDC sent alongside a message gives no protection against a deliberate forger, while a MAC does.
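The MDC-versus-MAC distinction, and the forger from the "Digital Hash" section who rewrites both the document and its digest, as an added example that is not part of the lecture notes. It uses SHA-256 as the MDC and HMAC-SHA256 as the MAC (both from the Python standard library); the key and the IOU messages are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example (not part of the lecture notes): an unkeyed MDC versus a keyed
# MAC when a forger can rewrite the message in transit.

def mdc(message: bytes) -> bytes:
    """Modification detection code: an unkeyed hash that anyone can recompute."""
    return hashlib.sha256(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    """Message authentication code: HMAC-SHA256 under a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mdc(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mdc(message), tag)        # constant-time comparison

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

def forger_rewrite(new_message: bytes) -> tuple:
    """What an outsider without the key can do: substitute the message and
    recompute the public hash (the algorithm is assumed known to everyone)."""
    return new_message, mdc(new_message)

def demo(key: bytes = None) -> dict:
    key = key or secrets.token_bytes(32)                 # known only to Alice and Bob
    original, altered = b"IOU100.99BOB", b"IOU900.99BOB"  # constructed messages
    forged_msg, forged_tag = forger_rewrite(altered)
    return {
        "mdc_accepts_forgery": verify_mdc(forged_msg, forged_tag),             # True
        "mac_accepts_forgery": verify_mac(key, forged_msg, forged_tag),        # False
        "mac_accepts_replayed_tag": verify_mac(key, altered, mac(key, original)),  # False
        "mac_accepts_genuine": verify_mac(key, original, mac(key, original)),  # True
    }

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The receiver's check is the same shape in both cases (recompute, compare); the only difference is the secret key, and that is the whole difference between detecting noise and detecting an adversary. The comparison uses `hmac.compare_digest` so that a byte-by-byte early exit does not leak how much of a guessed tag was correct.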

General Model: Iterated Hash Functions

Most unkeyed hash functions are designed as iterative processes which hash arbitrary-length inputs by processing successive fixed-size blocks of the input.


A hash input of arbitrary finite length is divided into fixed-length r-bit blocks x_i.
This preprocessing typically involves appending extra bits (padding) as necessary to attain an overall bit length which is a multiple of the block length r, and often includes a block or partial block indicating the bit length of the unpadded input.

Each block x_i then serves as input to an internal fixed-size hash function f, the compression function of h, which computes a new intermediate result of bit length n for some fixed n, as a function of the previous n-bit intermediate result and the next input block x_i: H_i = f(H_{i-1}, x_i).
H_{i-1} serves as the n-bit chaining variable between stage (i − 1) and stage i.
H_0 is a pre-defined starting value or initializing value (IV).
An optional output transformation g is used in a final step to map the n-bit chaining variable to an m-bit result g(H_t).
Particular hash functions are distinguished by the nature of the preprocessing, compression function, and output transformation.
Length of a Hash Value
The essential cryptographic properties of a hash function are that it is both one-way and collision-free.
The most basic attack on a hash function is to choose inputs to the hash function at random until either we find some input that will give us the target output value we are looking for (thereby contradicting the one-way property), or we find two inputs that produce the same output (thereby contradicting the collision-free property).
Suppose the hash function produces an n-bit output. If we are trying to find some input which will produce some target output value y, then since each output is equally likely we expect to have to try about 2^n input values.
Finding any two inputs with the same output is much cheaper: by the birthday paradox a repeated output is expected after only about 2^(n/2) random inputs. This is why the digest must be twice as long as the security level wanted against collisions (a 256-bit digest for 128-bit collision security).


Iterated Hash Function: the Merkle-Damgård scheme

Hash Algorithm


Block Algorithms
MD5, SHA-1 and SHA-256 work on input data blocks of exactly 512 bits (SHA-384 and SHA-512 use 1024-bit blocks and a 128-bit length field, as described below).
A document to be hashed must first be partitioned into an integer number of data blocks of this size.
This is done by appending a single 1 bit, then 0 to 511 zero padding bits, and finally a 64-bit document length L, so that the last block is filled up to exactly 512 bits.
This block-by-block processing allows the hashing of arbitrarily large documents in a serial fashion, without holding the whole document in memory.

Secure Hash Algorithm (SHA)

SHA-512: Message Preparation

SHA-512 insists that the length of the original message be less than 2^128 bits.
It creates a 512-bit message digest.
Example 1:
This example shows that the message length limitation of SHA-512 is not a serious problem.
Suppose we need to send a message that is 2^128 bits in length. How long does it take for a communications network with a data rate of 2^64 bits per second to send this message?
Solution
2^128 / 2^64 = 2^64 seconds, which is about 1.8 × 10^19 seconds, or roughly 5.8 × 10^11 years.
Example 2:
This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2^128 bits?
Solution
Suppose that a character is 32, or 2^5, bits. Each page is less than 2048, or approximately 2^11, characters, so a page holds fewer than 2^16 bits. So 2^128 bits need at least 2^128 / 2^16, or 2^112, pages. This again shows that we need not worry about the message length restriction.


SHA-512: Padding & Length Field

The padded message must be a multiple of 1024 bits and ends with a 128-bit length field, so the padding (a single 1 bit followed by zeros) must bring the message up to a length of 896 mod 1024 bits:
number of padding bits = (−|M| − 128) mod 1024, remembering that the 1 bit is always added, so a result of 0 must be read as 1024.

Example 3: What is the number of padding bits if the length of the original message is 2590 bits?
Solution
We can calculate the number of padding bits as follows:
(−|M| − 128) mod 1024 = (−2590 − 128) mod 1024 = (−2718) mod 1024 = 354
Therefore the padding consists of one 1 followed by 353 0s.

Example 4:
Do we need padding if the length of the original message is already a multiple of 1024 bits?
Solution
Yes we do, because we need to add the length field. So padding is needed to make the new block a multiple of 1024 bits: the padded message is one 1024-bit block longer than the original.

Minimum & Maximum Number of Padding Bits

Because the 1 bit is mandatory (FIPS 180-4), the padding is never empty:
Min length of padding is 1 bit and it happens when |M| = 895 mod 1024: the last block of the original message is 895 bits, a single 1 bit brings it to 896, and the 128-bit length field completes the block.
Max length of padding is 1024 bits and it happens when |M| = 896 mod 1024. We cannot just add the length field, because the mandatory 1 bit would make the block one bit longer than 1024; we add a 1 and 1023 0s, which completes the current block and creates a second block of 896 bits, and then the length field can be added to make that block complete.
(Some textbooks give the range as 0 to 1023 bits by allowing the 1 bit to be omitted when |M| = 896 mod 1024; the standard does not allow that, and every conforming implementation adds the extra block.)
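The padding arithmetic from Examples 3 and 4 and the minimum/maximum analysis, as an added example that is not part of the lecture notes. It is generalised over the block size and length-field size so the same function covers SHA-512 (1024/128) and SHA-256, SHA-1 and MD5 (512/64); the byte-level padder assumes a message that is a whole number of bytes.

```python
# Added example (not part of the lecture notes): padding arithmetic for the
# SHA-2 family per FIPS 180-4, parameterised by block size and length-field
# size. Defaults are SHA-512 (1024-bit blocks, 128-bit length field).

def padding_bits(msg_bits: int, block: int = 1024, length_field: int = 128) -> int:
    """Number of padding bits: the mandatory 1 plus the zeros that follow it."""
    # After the 1 bit, add zeros until the length is (block - length_field)
    # modulo block. The result is always between 1 and block inclusive.
    zeros = (block - length_field - (msg_bits + 1)) % block
    return 1 + zeros

def padded_length(msg_bits: int, block: int = 1024, length_field: int = 128) -> int:
    """Total length after padding and the length field: always a block multiple."""
    return msg_bits + padding_bits(msg_bits, block, length_field) + length_field

def sha512_pad(msg: bytes) -> bytes:
    """Byte-level SHA-512 padding of a message that is a whole number of bytes."""
    bit_len = len(msg) * 8
    pad_bits = padding_bits(bit_len)
    assert pad_bits % 8 == 0               # byte-aligned input gives byte-aligned padding
    # The 0x80 byte carries the 1 bit and seven zeros; the rest are zero bytes.
    padding = b"\x80" + b"\x00" * (pad_bits // 8 - 1)
    return msg + padding + bit_len.to_bytes(16, "big")

def padding_extremes(block: int = 1024, length_field: int = 128):
    """(residue of |M|, padding) pairs giving the minimum and the maximum padding."""
    counts = {r: padding_bits(r, block, length_field) for r in range(block)}
    lo = min(counts, key=counts.get)
    hi = max(counts, key=counts.get)
    return (lo, counts[lo]), (hi, counts[hi])

if __name__ == "__main__":
    print("padding for 2590 bits:", padding_bits(2590))            # 354 = 1 + 353 zeros
    print("padded length of 1024 bits:", padded_length(1024))      # 2048: one extra block
    print("min / max padding (residue, bits):", padding_extremes())
    print("SHA-256 padding of empty message:", padding_bits(0, 512, 64))
```

`padding_extremes` enumerates every residue of |M| modulo the block size, which is the exhaustive version of the argument in the text: the minimum of 1 bit occurs at 895 mod 1024 and the maximum of 1024 bits at 896 mod 1024.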


Message Block & Digest as Words

Word Expansion

Example: How is W60 generated?


Each word in the range W16 to W79 is made from four previously-made words. W60 is made as
(


SHA-512: Message Digest Initialization

SHA-512: Compression Function


SHA-512: Structure of Each Round

SHA-512: Functions

Example


Apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
The first bits are 0, 1, and 1. The majority is 1.
The second bits are 1, 0, and 1. The majority is 1.
The third bits are 1, 1, and 1. The majority is 1.
The fourth bits are 1, 0, and 0. The majority is 0.
The result is 1110, or 0xE in hexadecimal.
Example
Apply the Conditional function on the E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
The first bits are 1, 1, and 1. The result is F1, which is 1.
The second bits are 0, 0, and 1. The result is G2, which is 1.
The third bits are 0, 1, and 1. The result is G3, which is 1.
The fourth bits are 1, 0, and 1. The result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.

SHA-512: Constants

There are 80 constants, K0 to K79, each of 64 bits.
Their values are calculated from the first 80 prime numbers (2, 3, ..., 409): each constant is the first 64 bits of the fractional part of the cube root of the corresponding prime.
For example, the 80th prime is 409, with cube root 409^(1/3) = 7.42291412044...
Converting this number to binary with only 64 bits in the fraction part, we get the fraction part 6C44198C4A475817 (hexadecimal), which is the constant K79.
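A from-scratch SHA-512 that ties the pieces above together, as an added example that is not part of the lecture notes: the padding, the message schedule that expands W0..W15 into W16..W79, the Maj and Ch functions of the round examples, and the constants K0..K79 (and initial hash words H0..H7) derived from cube and square roots of the first primes with exact integer arithmetic. It follows FIPS 180-4 and is checked against the standard library; the rotation amounts and the square-root origin of H0..H7 come from the standard, not from the notes. Study code only, not a replacement for `hashlib`.

```python
import hashlib
from math import isqrt

# Added example (not from the lecture notes): SHA-512 per FIPS 180-4, with
# the constants K0..K79 and initial hash H0..H7 derived from cube and square
# roots of the first primes, checked against hashlib. For study only.

MASK64 = (1 << 64) - 1

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def ch(e, f, g):       # conditional: bit of f where e is 1, bit of g where e is 0
    return (e & f) ^ (~e & g)

def maj(a, b, c):      # majority of the three bits in each position
    return (a & b) ^ (a & c) ^ (b & c)

def big_sigma0(a): return rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
def big_sigma1(e): return rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
def small_sigma0(w): return rotr(w, 1) ^ rotr(w, 8) ^ (w >> 7)
def small_sigma1(w): return rotr(w, 19) ^ rotr(w, 61) ^ (w >> 6)

def first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes

def icbrt(n):
    """Floor of the cube root of a non-negative integer (Newton from above)."""
    if n == 0:
        return 0
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

def frac_bits(p, root, bits=64):
    """First `bits` bits of the fractional part of p**(1/root), computed exactly."""
    scaled = p << (bits * root)                     # p * 2**(bits*root)
    r = icbrt(scaled) if root == 3 else isqrt(scaled)
    return r & ((1 << bits) - 1)

def sha512_constants():
    primes = first_primes(80)
    K = [frac_bits(p, 3) for p in primes]           # cube roots of the first 80 primes
    H = [frac_bits(p, 2) for p in primes[:8]]       # square roots of the first 8 primes
    return K, H

def pad(msg):
    """Append a 1 bit, zeros up to 896 mod 1024 bits, then the 128-bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + (len(msg) * 8).to_bytes(16, "big")

def message_schedule(block):
    W = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):                         # W_t from four earlier words
        W.append((small_sigma1(W[t - 2]) + W[t - 7] + small_sigma0(W[t - 15]) + W[t - 16]) & MASK64)
    return W

def sha512(msg):
    K, H = sha512_constants()
    padded = pad(msg)
    for off in range(0, len(padded), 128):          # Merkle-Damgard iteration
        W = message_schedule(padded[off:off + 128])
        a, b, c, d, e, f, g, h = H
        for t in range(80):
            T1 = (h + big_sigma1(e) + ch(e, f, g) + K[t] + W[t]) & MASK64
            T2 = (big_sigma0(a) + maj(a, b, c)) & MASK64
            h, g, f, e, d, c, b, a = g, f, e, (d + T1) & MASK64, c, b, a, (T1 + T2) & MASK64
        H = [(x + y) & MASK64 for x, y in zip(H, (a, b, c, d, e, f, g, h))]   # feed-forward
    return b"".join(x.to_bytes(8, "big") for x in H)

def matches_hashlib(msg):
    return sha512(msg) == hashlib.sha512(msg).digest()

if __name__ == "__main__":
    K, _ = sha512_constants()
    print(f"K79 = {K[79]:016X}")                    # 6C44198C4A475817, as in the notes
    print("matches hashlib:", matches_hashlib(b"abc"))
```

The final `H = H + (a..h)` line is the Davies-Meyer style feed-forward that makes the compression function non-invertible; without it the round function could be run backwards. Any 64-bit word of the digest can be traced back to the corresponding prime through `frac_bits`, which is a useful check that a vendor's constants have not been tampered with.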

A Comparison of MD5, SHA-1, and RIPEMD-160

MD5 is a strengthened version of MD4 with four rounds; at the time these notes were written, an attack against one round had been found.
MD5 is more commonly used, and its implementation is better optimized and thus faster on Intel processors (893 K/sec in the implementation measured here).
All the MD algorithms produce 128-bit hashes.
SHA-1 produces a larger 160-bit hash, and at the time there were no known attacks against it.
The first version of SHA (SHA-0) had a weakness which was later corrected; the code measured here implements the second, corrected, version (SHA-1). It operates at 336 K/sec.
These comparisons are now out of date: practical MD5 collisions were published in 2004 and a practical SHA-1 collision in 2017, so neither should be used where collision resistance matters (signatures, certificates, software integrity). Use SHA-256 or stronger.

Concatenation of Hashing Algorithms

We use two common and trusted hashing algorithms, SHA-1 and MD5. We concatenate the output of both functions into a 288-bit (36-byte) value. The reason we use both values is twofold: i) we're just plain paranoid, and ii) it's been suggested that MD5 has some subtle weaknesses.
Using two algorithms strengthens our hashing functions. Cryptographers of the future will have to break both algorithms in order to break the strength of the combined hash functions.
For reference, the probability of finding a bit string that produces the same hash code as another (different) bit string is 1 in 2^288, or 1 in 4.97 × 10^86.
Caveat: the figure above is the chance that one particular pair of strings collides, not the cost of an attack. Even an ideal 288-bit hash falls to a birthday search after about 2^144 evaluations, and Joux (2004) showed that concatenating two iterated (Merkle-Damgård) hashes costs an attacker little more than breaking the stronger of the two, so SHA-1 || MD5 is at best as strong as SHA-1 alone; today both MD5 and SHA-1 have practical collision attacks.


Rabin Scheme
The compression function is a block cipher keyed by the message block, with no feed-forward: H_i = E(x_i, H_{i-1}). Anyone who knows x_i can decrypt H_i and recover H_{i-1}.

Davies-Meyer Scheme
As the Rabin scheme, but the chaining value is fed forward: H_i = E(x_i, H_{i-1}) XOR H_{i-1}. The XOR is what stops the step from being run backwards by decryption.
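Both compression functions inside a Merkle-Damgård loop, as an added example that is not part of the lecture notes. The block cipher is a toy 64-bit Feistel cipher constructed for this demonstration (its round function is borrowed from SHA-256), with the message block as key; the IV and the sample IOU are also this example's choices. The point it makes is the one in the text: a Rabin step can be undone by decrypting, a Davies-Meyer step cannot.

```python
import hashlib

# Added example (not from the lecture notes): Rabin and Davies-Meyer
# compression functions in a Merkle-Damgard loop, on a toy 64-bit Feistel
# block cipher built for this demonstration. Not a real hash function.

BLOCK = 8   # toy sizes: 64-bit chaining variable, 64-bit message block (used as the key)

def _round_function(half: int, subkey: bytes) -> int:
    return int.from_bytes(hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()[:4], "big")

def _subkeys(key: bytes):
    return [key + bytes([i]) for i in range(8)]          # 8 Feistel rounds

def toy_encrypt(key: bytes, block: int) -> int:
    left, right = block >> 32, block & 0xFFFFFFFF
    for sk in _subkeys(key):
        left, right = right, left ^ _round_function(right, sk)
    return (left << 32) | right

def toy_decrypt(key: bytes, block: int) -> int:
    left, right = block >> 32, block & 0xFFFFFFFF
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _round_function(left, sk), left
    return (left << 32) | right

def rabin_compress(h_prev: int, x: bytes) -> int:
    return toy_encrypt(x, h_prev)                        # H_i = E(x_i, H_{i-1})

def davies_meyer_compress(h_prev: int, x: bytes) -> int:
    return toy_encrypt(x, h_prev) ^ h_prev               # H_i = E(x_i, H_{i-1}) xor H_{i-1}

def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: a 1 bit, zeros, then the 64-bit message length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded)) % BLOCK)
    return padded + (len(msg) * 8).to_bytes(8, "big")

def blocks_of(msg: bytes):
    padded = md_pad(msg)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

IV = 0x0123456789ABCDEF                                  # H_0: fixed and public

def md_hash(msg: bytes, compress, iv: int = IV) -> int:
    h = iv
    for x in blocks_of(msg):
        h = compress(h, x)
    return h

def rabin_step_backwards(h_next: int, x: bytes) -> int:
    """With the Rabin scheme anyone holding H_i and x_i recovers H_{i-1} by decrypting."""
    return toy_decrypt(x, h_next)

if __name__ == "__main__":
    m = b"IOU100.99BOB"                                  # constructed sample: 3 blocks after padding
    xs = blocks_of(m)
    h_rabin = md_hash(m, rabin_compress)
    h_dm = md_hash(m, davies_meyer_compress)
    print("Rabin, previous chaining value recovered:",
          rabin_step_backwards(h_rabin, xs[-1]) == rabin_compress(rabin_compress(IV, xs[0]), xs[1]))
    print("Davies-Meyer, decrypting the output gives H_{i-1}:",
          toy_decrypt(xs[-1], h_dm) == davies_meyer_compress(davies_meyer_compress(IV, xs[0]), xs[1]))
```

Being able to step backwards is what makes the Rabin scheme unsuitable: an attacker can choose the final digest, pick message blocks, decrypt backwards to a required intermediate value and then meet in the middle from the IV. The feed-forward turns the invertible cipher into a one-way compression function, which is exactly the construction SHA-2 uses.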
