Cryptography Reference
In-Depth Information
The encryption $C_0$ consists of four rounds as depicted in Fig. 3.4: the message
block (key block) is permuted into a sequence $x_0, \ldots, x_{15}$ following a
permutation which depends on the round number, and each of the four input words is
sequentially transformed through a generalized four-branch Feistel scheme. Each
transformation is defined by a box with a main input $a$, a key input $x$, and three
side inputs $b$, $c$, and $d$ as shown in Fig. 3.5.
The output of the transformation box is

$$\mathrm{ROTL}^{\alpha_{i,j}}\bigl(a + f_i(b,c,d) + x + k_{i,j}\bigr) + b$$

where $\alpha_{i,j}$ and $k_{i,j}$ are defined by a table, ROTL is the bitwise rotation
to the left (by a number of positions specified as a superscript), and $f_i$ is a
bitwise Boolean function defined by

$$\begin{aligned}
f_1(b,c,d) &= \text{if } b \text{ then } c \text{ else } d \\
f_2(b,c,d) &= \text{if } d \text{ then } b \text{ else } c \\
f_3(b,c,d) &= b \text{ XOR } c \text{ XOR } d \\
f_4(b,c,d) &= c \text{ XOR } (b \text{ AND } (\text{NOT } d))
\end{aligned}$$

where the “if...then...else” function is defined by

$$\text{if } b \text{ then } c \text{ else } d = (b \text{ AND } c) \text{ OR } ((\text{NOT } b) \text{ AND } d).$$
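The transformation box can be undone whenever the key word $x$ is known, which is what makes $C_0$ an encryption function rather than a one-way map. The following Python code is an added example, not code from the book: it implements the box, its inverse, and a 16-step round using the $f_i$ as printed above. The rotation amounts, the constants $k_{i,j}$, the key words, the identity key permutation and the register-rotation order are constructed assumptions, since the table and figures are not reproduced on this page.

```python
MASK = 0xFFFFFFFF  # all arithmetic is on 32-bit words

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK
def rotr(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK

def ite(b, c, d):
    """Bitwise 'if b then c else d' = (b AND c) OR ((NOT b) AND d)."""
    return ((b & c) | (~b & d)) & MASK

# Round functions f_1..f_4 transcribed from the definitions on this page.
F = {
    1: lambda b, c, d: ite(b, c, d),
    2: lambda b, c, d: ite(d, b, c),
    3: lambda b, c, d: b ^ c ^ d,
    4: lambda b, c, d: (c ^ (b & ~d)) & MASK,
}

def box(i, a, b, c, d, x, k, alpha):
    """Transformation box: ROTL^alpha(a + f_i(b,c,d) + x + k) + b."""
    return (rotl((a + F[i](b, c, d) + x + k) & MASK, alpha) + b) & MASK
def unbox(i, out, b, c, d, x, k, alpha):
    """Inverse of box: recover the main input a from the box output."""
    return (rotr((out - b) & MASK, alpha) - F[i](b, c, d) - x - k) & MASK

def encrypt_round(i, state, xs, ks, alphas):
    a, b, c, d = state
    for j in range(16):
        a = box(i, a, b, c, d, xs[j], ks[j], alphas[j % 4])
        a, b, c, d = d, a, b, c  # assumed order: the next word becomes main input
    return (a, b, c, d)

def decrypt_round(i, state, xs, ks, alphas):
    a, b, c, d = state
    for j in reversed(range(16)):
        a, b, c, d = b, c, d, a  # undo the register rotation first
        a = unbox(i, a, b, c, d, xs[j], ks[j], alphas[j % 4])
    return (a, b, c, d)

# Constructed placeholder values (NOT the table the text refers to).
XS = [(0x01010101 * j) & MASK for j in range(16)]        # key block x_0..x_15
KS = [(0x9E3779B9 * (j + 1)) & MASK for j in range(16)]  # stand-ins for k_{i,j}
ALPHAS = (3, 8, 13, 21)                                  # stand-ins for alpha_{i,j}
STATE = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
if __name__ == "__main__":
    for i in (1, 2, 3, 4):
        enc = encrypt_round(i, STATE, XS, KS, ALPHAS)
        print(i, [f"{w:08x}" for w in enc], decrypt_round(i, enc, XS, KS, ALPHAS) == STATE)
```

The round trip succeeds for every $f_i$ because the side inputs $b$, $c$, $d$ pass through each box unchanged, so the inverse can recompute $f_i(b,c,d)$ without inverting it.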
3.1.5 Examples of SHA and SHA-1
SHA is another famous example of a cryptographic hash function. SHA stands for “Secure
Hash Algorithm”. It was published by the US Government as the FIPS 180 standard
(Ref. [15]) in 1993. It is based on MD5 and is mainly used in digital signature schemes. It
hashes onto 160 bits and uses the Merkle-Damgård construction from a
$160 \times 512 \to 160$ compression function. The original version was replaced by a
slightly different one, SHA-1, in 1995 (see the FIPS 180-1 standard, Ref. [16], which is
now superseded by the FIPS 180-2 standard, Ref. [17]). There was no justification for this
replacement (just a mention about security problems). However, Florent Chabaud and Antoine
Joux, from the French Department of Defense, publicly raised a weakness of the original
SHA which seemed to have disappeared in SHA-1 (see Ref. [43]). Antoine Joux later
announced that he had found a collision on the original SHA.² As with MD5, the
compression functions of SHA and SHA-1 are made from an “encryption function”
by the Davies-Meyer scheme: given an “encryption function” $C_0$ which maps a 160-bit
value $H = (A, B, C, D, E)$ and a 512-bit key block $B = (x_0, \ldots, x_{15})$ into a 160-bit

² The collision was announced at the CRYPTO'04 conference, surprisingly at the same time that a collision
on MD5 was found.