Cryptography Reference
In-Depth Information
a
b
c
d
∗
∗
∗
∗
0
1
1
0
x
0
x
0
B
1
B
2
B
3
x
4
x
8
B
1
B
2
B
3
x
8
x
4
B
1
B
2
B
3
0
0
1
1
x
12
x
12
0
0
B
1
B
2
B
3
2
25
2
5
B
1
B
2
B
3
B
1
B
2
B
3
B
1
B
2
B
3
0
B
L
O
C
K
B
L
O
C
K
B
L
O
C
K
0
B
1
σ
B
2
σ
B
3
2
3
2
5
2
14
B
1
B
2
B
3
B
1
B
2
B
3
B
1
1
B
1
2
B
1
3
B
1
1
B
1
2
B
1
3
x
12
B
1
1
B
1
2
B
1
3
x
13
B
1
3
B
1
1
B
1
2
x
14
B
1
1
B
1
2
B
1
3
0
x
15
0
B
1
1
B
1
2
B
1
3
∗
∗
∗
∗
0
1
1
0
0
0
0
0
Figure 3.10.
Differential graph for a full collision in MD4.
the flipped bit of
B
is rotated by 13 positions in
B
2
,
B
1
2
, and
B
1
2
, it arrives in the
least significant position before
B
3
where
x
12
enters again. Similarly, the flipped bit of
C
is rotated by 9 positions in
B
2
,
B
1
2
, and
B
1
2
, it also arrives in the least significant
position before
B
3
where the flipped bit of
B
can be used to cancel it. Indeed, we
estimate that those bit flips propagate as explained with a probability which is roughly
2
−
21
×
4
7
2
−
2
2
−
26
. (The 2
−
21
×
≈
is for preventing the propagation of one flipped
bit from one register to the other, the
4
7
is for preventing the propagation of one flipped
bit in a carry in an addition, and the 2
−
2
is for the final cancellation of the flipped bits.)
This means that we should obtain a collision after about 2
26
trials once we run the MD4
computation.
3.4
Message Authentication Codes
3.4.1 Usage
Message authentication codes are called MACs. They can guarantee the authenticity
of a document in an insecure channel. If we want to do this with a cryptographic
hash function, the hashed value must be transmitted through a secure channel which
Search WWH ::
Custom Search