$$
\begin{aligned}
W_{t} &= F_1(X_0, X_1, K_{(t \bmod 256)}) + M_{(t \bmod 128)} \\
W_{(t+1)} &= F_2(X_2, X_3, K_{(t+1 \bmod 256)}) + M_{(t+1 \bmod 128)} \\
W_{(t+2)} &= F_1(X_4, X_5, K_{(t+2 \bmod 256)}) + M_{(t+2 \bmod 128)} \\
W_{(t+3)} &= F_2(X_6, X_7, K_{(t+3 \bmod 256)}) + M_{(t+3 \bmod 128)} \\
t &= 4(k - 1)
\end{aligned}
$$
2.2 Cryptanalysis
This pseudorandom generator based expansion scheme presents the following
flaws in terms of security:
- It does not contain the original message. Most hash functions include the
message within the message expansion; that way it is certain that any two
different messages will produce different message expansions.
- It has a very poor avalanche. The number of bits changed in the produced
expansion when changing a single bit in the input message is very low. A
proper message expansion scheme should cause, on average, 50% of the
output bits to change when one input bit is flipped.
- It does not take advantage of the fact that differences at the beginning of
the message expansion cause a bigger change (avalanche) than those at the
end; mainly because they affect more rounds.
These three criteria are certainly very important, since failing to meet them
can create an avenue for a successful collision attack.
- If an expansion scheme does not include the original message, then two
different messages could possibly be expanded to the same message expansion,
causing an instant collision.
- On the other hand, a message expansion scheme with poor avalanche allows
greater control of the expanded message, simplifying the task of causing a
collision in the compression function.
- Finally, an expansion scheme must place the biggest differences at the
beginning so they are processed in as many rounds as possible, maximizing the
avalanche of the compression function too.
These flaws were observed by Esmaeili ([4]) and collisions were found by
Thomsen ([9]) for all digest sizes with a minor computational overhead.
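The avalanche criterion above can be measured directly. The following is an added example, not code from the paper: `weak_expand` is a constructed toy that only adds each message word to a message-independent constant, in the shape of the W_t equations but without Tangle's actual F_1, F_2, X or K, and `mixing_expand` uses SHAKE-256 purely as a well-diffusing reference. The 256-word output length, the constants and the sample block are assumptions.

```python
import hashlib
import struct

WORDS_IN = 128    # message words per block (32 bits each), as on the page
WORDS_OUT = 256   # expanded words produced here (assumed length for the demo)
MASK = 0xFFFFFFFF

def weak_expand(msg):
    """Toy expansion: W_t = C_t + M_(t mod 128), with C_t independent of M."""
    out = []
    for t in range(WORDS_OUT):
        c_t = (0x9E3779B9 * (t + 1)) & MASK   # constructed constant, not Tangle's F/K
        out.append((c_t + msg[t % WORDS_IN]) & MASK)
    return out

def mixing_expand(msg):
    """Reference with full diffusion: SHAKE-256 stretched to the same length."""
    raw = hashlib.shake_256(struct.pack(f">{WORDS_IN}I", *msg)).digest(4 * WORDS_OUT)
    return list(struct.unpack(f">{WORDS_OUT}I", raw))

def hamming(a, b):
    """Number of differing bits between two equal-length word lists."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(expand, msg, word, bit):
    """Fraction of expanded bits that change when one message bit is flipped."""
    flipped = list(msg)
    flipped[word] ^= 1 << bit
    return hamming(expand(msg), expand(flipped)) / (32 * WORDS_OUT)

def mean_avalanche(expand, msg, flips):
    """Average avalanche over a list of (word, bit) single-bit flips."""
    return sum(avalanche(expand, msg, w, b) for w, b in flips) / len(flips)

# Constructed sample block and a spread of single-bit flips.
SAMPLE = [(0x01234567 * (i + 1)) & MASK for i in range(WORDS_IN)]
FLIPS = [(w, b) for w in (0, 17, 64, 127) for b in (0, 7, 16, 31)]

if __name__ == "__main__":
    print("weak  :", mean_avalanche(weak_expand, SAMPLE, FLIPS))
    print("mixing:", mean_avalanche(mixing_expand, SAMPLE, FLIPS))
```

In the toy scheme a flipped message bit reaches only the two expanded words that use that message word, so the changed fraction stays far below the 50% target, while the reference lands close to it.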
The improved message expansion scheme, described in the following section, is
motivated by these same criteria: including the message in the message expansion
and maximizing differences at the beginning of the expanded message.
3 Improved Message Expansion
3.1 Description
Tangle divides the input message into 4096-bit blocks, consisting of 128 message
words of 32 bits each (M) available to the hash function. The round function
 