$$
\begin{aligned}
W_{t}   &= F_1(X_0, X_1, K_{(t \bmod 256)}) + M_{(t \bmod 128)} \\
W_{t+1} &= F_2(X_2, X_3, K_{(t+1 \bmod 256)}) + M_{(t+1 \bmod 128)} \\
W_{t+2} &= F_1(X_4, X_5, K_{(t+2 \bmod 256)}) + M_{(t+2 \bmod 128)} \\
W_{t+3} &= F_2(X_6, X_7, K_{(t+3 \bmod 256)}) + M_{(t+3 \bmod 128)}
\end{aligned}
\tag{1}
$$
t = 4(k −
2.2 Cryptanalysis
This pseudorandom generator based expansion scheme presents the following flaws in terms of security:
- It does not contain the original message. Most hash functions include the message within the message expansion; that way it is certain that any two different messages will produce different message expansions.
- It has a very poor avalanche. The number of bits changed in the produced expansion when changing a single bit in the input message is very low. A proper message expansion scheme should cause, on average, 50% of the output bits to change when one input bit is flipped.
- It does not take advantage of the fact that differences at the beginning of the message expansion cause a bigger change (avalanche) than those at the end, mainly because they affect more rounds.
These three criteria are certainly very important, since they can create an avenue for a successful collision attack.
- If an expansion scheme does not include the original message, then two different messages could possibly be expanded to the same message expansion, causing an instant collision.
- On the other hand, a message expansion scheme with poor avalanche allows greater control of the expanded message, simplifying the task of causing a collision in the compression function.
- Finally, an expansion scheme must place the biggest differences at the beginning so they are processed in as many rounds as possible, maximizing the avalanche of the compression function too.
These flaws were observed by Esmaeili ([4]) and collisions were found by Thomsen ([9]) for all digest sizes with a minor computational overhead.
The improved message expansion scheme, described in the following section, is motivated by these same criteria: including the message in the message expansion and maximizing differences at the beginning of the expanded message.
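The avalanche criterion above can be measured directly: flip one input bit, re-run the expansion and count the output bits that change. The code below is an added example, not from the paper and not Tangle's scheme (F1, F2, the X words and the real K table are not reproduced); it contrasts a constructed toy of a PRNG-plus-message expansion with a constructed feedback expansion, and the 128-word block, 256-word expansion length and the input message are assumptions.

```python
import random

MASK32 = 0xFFFFFFFF
WORDS = 128    # 32-bit message words per block, as stated on the page
ROUNDS = 256   # expanded words produced per block (constructed assumption)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def expand_prng(msg):
    """Constructed toy of a PRNG-based scheme: keystream words K that never
    depend on the message, with M_(t mod 128) added in.  A flipped message bit
    reaches only the words that read that message word."""
    rng = random.Random(0xC0FFEE)  # fixed seed: K is a constant table
    K = [rng.getrandbits(32) for _ in range(ROUNDS)]
    return [(K[t] + msg[t % WORDS]) & MASK32 for t in range(ROUNDS)]

def expand_feedback(msg):
    """Constructed contrast: each new word mixes message words with the
    previous expanded words, so an early difference spreads to every later word."""
    W = list(msg)
    for t in range(WORDS, ROUNDS):
        s = rotl(W[t - 1], 17) ^ rotl(W[t - 1], 19) ^ (W[t - 1] >> 10)
        W.append((W[t - WORDS] + s + W[t - 3] + rotl(W[t - WORDS + 1], 7)) & MASK32)
    return W

def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(expand, msg, trials=64, seed=1):
    """Mean fraction of expanded-output bits that flip when one random input
    bit is flipped; the page's target for a good scheme is about 0.5."""
    rng = random.Random(seed)
    base = expand(msg)
    total_bits = 32 * len(base)
    acc = 0.0
    for _ in range(trials):
        m2 = list(msg)
        m2[rng.randrange(WORDS)] ^= 1 << rng.randrange(32)
        acc += hamming(base, expand(m2)) / total_bits
    return acc / trials

if __name__ == "__main__":
    msg = [(i * 0x9E3779B9) & MASK32 for i in range(WORDS)]  # constructed input
    for name, fn in (("prng+message", expand_prng), ("feedback", expand_feedback)):
        print(f"{name:13s} avalanche = {avalanche(fn, msg):.4f}")
```

The PRNG toy moves only a couple of bits per flipped input bit (the two words that read M_i, plus carries), which is the "very poor avalanche" the text describes; the feedback variant pushes the difference through every remaining word.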
3 Improved Message Expansion
3.1 Description
Tangle divides the input message into 4096-bit blocks, consisting of 128 message words of 32 bits each (M) available to the hash function. The round function