Cryptography Reference
In-Depth Information
ciphers. The concatenation of the previous output of the right cipher,
H
i
−
1
,
R
, with
the next message block
x
i
, forms the key for both ciphers. For security reasons a
constant
c
has to be XORed to the input of the right block cipher.
c
can have any
value other than the all-zero vector. As in the other three constructions described
above, initial values have to be assigned to the first hash values (
H
0
,
L
and
H
0
,
R
).
Fig. 11.8
Hirose construction for a hash function with twice the block width
We introduce here the Hirose construction for the case that the key length be
twice the block width. There are many other ciphers that satisfy this condition in
addition to AES, e.g., the block ciphers Blowfish, Mars, RC6 and Serpent. If a hash
function for resource-constrained applications is needed, the lightweight block ci-
pher PRESENT (cf. Section 3.7) allows an extremely compact hardware implemen-
tation. With a key size of 128-bit and a block size of 64 bit, the construction com-
putes a 128-bit hash output. This message digest size resists preimage and second
preimage attacks, but offers only marginal security against birthday attacks.
11.4 The Secure Hash Algorithm SHA-1
The Secure Hash Algorithm (SHA-1) is the most widely used message digest func-
tion of the MD4 family. Even though new attacks have been proposed against the
algorithm, it is very instructive to look at its details because the stronger versions
in the SHA-2 family show a very similar internal structure. SHA-1 is based on a
Merkle-Damgard construction, as can be seen in Figure 11.9.
An interesting interpretation of the SHA-1 algorithm is that the compression
function works like a block cipher, where the input is the previous hash value
H
i
−
1
and the key is formed by the message block
x
i
. As we will see below, the actual
rounds of SHA-1 are in fact quite similar to a Feistel block cipher.
SHA-1 produces a 160-bit output of a message with a maximum length of 2
64
bit.
Before the hash computation, the algorithm has to preprocess the message. During
the actual computation, the compression function processes the message in 512-bit
