Cryptography Reference
In-Depth Information
2 Preliminaries
2.1 Specification of PKC98-Hash
PKC98-Hash was proposed by Shin
et al.
[3]. Note that there are unclear parts
in [3, Section 3] and we basically follow the interpretation by [4, Section 2.2].
PKC98-Hash is an iterated hash function based on the Merkle-Damg ard de-
sign principle [5, Algorithm 9.25]. It processes 512-bit message blocks and pro-
duces a 160-bit hash value. To ensure that the message length is a multiple of
512 bits, an unambiguous padding method is applied. We refer to [3] for the
description of the padding method. Let
M
=
M
0
M
t−
1
be a
t
-block
message (after padding). Hash value
H
(=
H
t
) is computed by the iteration
of compression function CF :
M
1
···
160
512
160
using recurrence
{
0
,
1
}
×{
0
,
1
}
→{
0
,
1
}
H
i
+1
←
1), where
H
0
is a predefined initial value. The
compression function of PKC98-Hash adopts the Davies-Meyer structure [5, Al-
gorithm 9.42]. It basically consists of two parts: the state update transformation
and the message schedule.
CF(
H
i
,M
i
)(
i
=0
,...,t
−
Message Schedule.
The 512-bit input
M
i
is divided into 16 words
X
0
X
1
···
X
15
of 32 bits.
X
j
(
j
=16
,
17
,...,
23) is computed with
X
j
←
(
X
j−
16
⊕
X
j−
4
)
≪
1
,where
≪
b
denotes
b
-bit left rotation. The message
input of each step is determined by
w
j
←
X
j−
14
⊕
X
j−
9
⊕
X
ρ
r
(
j
mod 24)
(
j
=0
,
1
,...,
95), where
ρ
is a permutation defined in Table 2 and
r
←
j/
24
.
Table 2.
Permutation
ρ
in PKC98-Hash
j
01234567891011121314151617181920212223
ρ
(
j
) 4 21 17 1 23 18 12 10 5 16
8
0 20
3 22
6 11 19 15
2
7 14
9 13
State Update Transformation.
The state update transformation starts from
a (fixed) initial value of five 32-bit words and updates them in 96 steps. In each
step one message word
w
j
is used to update the five state variables
A
j
,
B
j
,
C
j
,
D
j
,and
E
j
as shown below:
⎧
⎨
A
j
+1
←
E
j
(
f
r
(
A
j
,B
j
,C
j
,D
j
,E
j
)+
w
j
+
K
r
)
≪
s
j
B
j
+1
←
B
≪
10
j
C
j
+1
←
,
(1)
⎩
D
j
+1
←
C
j
E
j
+1
←
D
j
where
r
is
,
K
r
is a constant defined by the specification, and
s
j
is
X
ρ
3
−
r
(
j
mod 24)
mod 2
5
.
f
r
(
A, B, C, D, E
) is defined as
⎧
⎨
j/
24
f
0
=(
A
∧
B
)
⊕
(
C
∧
D
)
⊕
(
B
∧
C
∧
D
)
⊕
E
f
1
=
B
⊕
((
D
∧
E
)
∨
(
A
∧
C
))
,
(2)
⎩
f
2
=
A
⊕
(
B
∧
(
A
⊕
D
))
⊕
(((
A
∧
D
)
⊕
C
)
∨
E
)
where
f
3
=
f
1
and “
” represent bitwise logical AND, XOR, and
OR, respectively. We sometimes omit the AND symbol.
∧
,” “
⊕
,” and “
∨
Search WWH ::
Custom Search