CH 12 Hash Function

This document discusses cryptographic hash functions in three chapters. Chapter 12.1 provides an introduction by explaining that hash functions take a variable length message and create a fixed length digest. It describes two approaches to building hash functions: from scratch or using a block cipher. The Merkle-Damgard scheme is presented as the basis for many functions today. Specific hash functions are mentioned, including MD2, MD4, MD5, SHA-1, and SHA-512. Diagrams of the Rabin, Matyas-Meyer-Oseas, and Miyaguchi-Preneel schemes for using block ciphers in hash functions are also included.

Uploaded by

tartar

SCSR3443 Cryptography 26-Nov-15

[Part 3]
Integrity, Authenticity, and Key Management

Chapter 12

Cryptographic Hash Functions

Forouzan, B.A. Cryptography and Network Security (International Edition). United States: McGraw Hill, 2008.

Chapter 12 Objectives

•  To introduce general ideas behind cryptographic hash functions.
•  To discuss the structure of SHA-512 as an example of a cryptographic hash function.


Chapter 12 Contents

12.1 Introduction
12.2 SHA-512
12.3 Summary


12.1 Introduction

•  A cryptographic hash function takes a message of arbitrary length and creates a message digest of fixed length.
•  The two most promising cryptographic hash algorithms are SHA-512 and Whirlpool.
•  However, this chapter discusses the details of SHA-512 only.


Iterated Hash Function

•  All cryptographic hash functions need to create a fixed-size digest out of a variable-size message.
•  The best way to create such a function is iteration: a function with a fixed-size input is created and used the necessary number of times.
•  The fixed-size input function is referred to as a compression function.
   •  It compresses an n-bit string to create an m-bit string, where n > m.

•  This scheme is referred to as an iterated cryptographic hash function.


Merkle-Damgard Scheme
•  This is an iterated hash function that is collision resistant
if the compression function is collision resistant.
•  This is the basis for many cryptographic hash functions today.


Groups of Compression Functions

•  To be used in the Merkle-Damgard scheme, a compression function must be designed to be collision resistant.

•  There is a tendency to use two different approaches in designing a hash function.
   a)  Compression function made from scratch.
   b)  A symmetric-key block cipher serves as a compression function.

•  Figure 12.1 illustrates the approaches in general.



Figure 12.1: Two groups of compression function in cryptographic hash function

•  Hash functions made from scratch
   •  Message Digest (MD): MD2, MD4, MD5
   •  Secure Hash Algorithm (SHA): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
   •  Other
•  Hash functions based on block ciphers
   •  Rabin scheme
   •  Matyas-Meyer-Oseas scheme
   •  Miyaguchi-Preneel scheme
   •  Example: Whirlpool

a) Hash Functions Made from Scratch


•  Specifically designed for the purpose they serve.

Message Digest (MD)

•  Several hash algorithms are referred to as MD2, MD4, and MD5 (latest version).
•  MD5 is a strengthened version of MD4 that:
   •  divides the message into blocks of 512 bits, and
   •  creates a 128-bit digest.

A digest size of 128 bits is too small to resist collision attacks.


Secure Hash Algorithm (SHA)

•  Sometimes referred to as Secure Hash Standard (SHS).
•  The standard is mostly based on MD5.
•  1st version: SHA-1.
•  New versions: SHA-224, SHA-256, SHA-384, SHA-512.


b) Hash Functions Based on Block Cipher


•  The idea is that several secure symmetric-key block ciphers (Triple DES, AES) can be used to make a one-way function instead of creating a new compression function.
•  The block cipher in this case only performs encryption.
•  One of the most promising schemes: Whirlpool.


Figure 12.2: Rabin scheme


Figure 12.3: Matyas-Meyer-Oseas scheme


Figure 12.4: Miyaguchi-Preneel scheme


12.2 SHA-512

Introduction

•  SHA-512 is the version of SHA based on the Merkle-Damgard scheme.
•  SHA-512 creates a digest of 512 bits from a multiple-block message.
•  Each block is 1024 bits in length, as shown in Figure 12.5.


Figure 12.5: Message digest creation SHA-512


Message Preparation

•  SHA-512 insists that the length of the original message be less than 2^128 bits.
•  If the length of a message is >= 2^128 bits, it will not be processed.

•  This is not usually a problem because 2^128 bits is probably larger than the total storage capacity of any system.


Example 12.1: This example shows that the message length limitation of SHA-512 is not a serious problem. Suppose we need to send a message that is 2^128 bits in length.

How long does it take for a communications network with a data rate of 2^64 bits per second to send this message?

Solution 12.1: A communications network that can send 2^64 bits per second is not yet available.

Even if it were, it would take many years to send this message.

This tells us that we do not need to worry about the SHA-512 message length restriction.

Example 12.2: This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2^128 bits?

Solution 12.2: Suppose that a character is 32, or 2^6, bits. Each page is less than 2048, or approximately 2^12, characters.

So 2^128 bits need at least 2^128 / 2^18, or 2^110, pages.

This again shows that we need not worry about the message length restriction.

Length Field and Padding


•  Before the message digest can be created, SHA-512 requires the addition of a 128-bit unsigned-integer length field (0 to 2^128 − 1) to the message that defines the length of the message in bits.
•  This is the length of the original message before padding.

Figure 12.6: Padding and length field in SHA-512



•  Before the addition of the length field, we need to pad the original message to make the length a multiple of 1024.
•  The length of the padding field can be calculated as follows:

(|M| + |P| + 128) = 0 mod 1024  →  |P| = (− |M| − 128) mod 1024

•  |M| is the length of the original message.
•  |P| is the length of the padding field.


Example 12.3: What is the number of padding bits if the length of the
original message is 2590 bits?

Solution 12.3: We can calculate the number of padding bits as follows:

|P| = (− 2590 − 128) mod 1024
    = − 2718 mod 1024
    = 354

The padding consists of one 1 followed by 353 0’s.


Example 12.4: Do we need padding if the length of the original message is already a multiple of 1024 bits?

Solution 12.4: Yes we do, because we need to add the length field.

So padding is needed to make the new block a multiple of 1024 bits.


Example 12.5: What is the minimum and maximum number of padding bits that can be added to a message?

Solution 12.5: The minimum length of padding is 0 and it happens when (− |M| − 128) mod 1024 is 0.

This means that |M| = −128 mod 1024 = 896 mod 1024 bits.

In other words, the last block in the original message is 896 bits.

We add a 128-bit length field to make the block complete.


The maximum length of padding is 1023 and it happens when (−|M| − 128) = 1023 mod 1024.

This means that the length of the original message is |M| = (−128 − 1023) mod 1024, or |M| = 897 mod 1024.

In this case, we cannot just add the length field because the last block would then be one bit longer than 1024 bits.

So we need to add 897 bits to complete this block and create a second block of 896 bits.

Now the length can be added to make this block complete.

Words
•  SHA-512 operates on words of 64 bits.
•  This means that after the padding and the length field are added to the message, each block of the message consists of sixteen 64-bit words.
•  The message digest is also made of 64-bit words, but it has only eight words, named A, B, C, D, E, F, G, and H.

Figure 12.7: A message block and the digest as words



Words Expansion

•  Before processing, each message block, which is 1024 bits or sixteen 64-bit words, must be expanded.

•  Figure 12.8 shows the word-expansion process for 80 words.

•  The 16-word block needs to be expanded to 80 words, from W0 to W79.
•  The 1024-bit block becomes the first 16 words; the rest of the words come from already-made words according to the operation.


Figure 12.8: Words expansion in SHA-512



Example 12.6: Show how W60 is made.

Solution 12.6: Each word in the range W16 to W79 is made from four
previously-made words.

W60 is made as:

W60 = W44 ⊕ RotShift_{1-8-7}(W45) ⊕ W53 ⊕ RotShift_{19-61-6}(W58)


Message Digest Initialization

•  The algorithm uses eight constants for message digest initialization.
•  We call these constants A0 to H0 to match the word naming used for the digest.



Compression Function

•  SHA-512 creates a 512-bit (eight 64-bit words) message digest from a multiple-block message where each block is 1024 bits.
•  The processing of each block of data in SHA-512 involves 80 rounds.
•  Figure 12.9 shows the general outline for the compression function.


Figure 12.9: Compression function in SHA-512


Figure 12.10: Structure of each round in SHA-512


Majority Function:

Conditional Function:

Rotate Functions:


Constants

•  There are 80 constants, K0 to K79, each of 64 bits.

•  Similar to the initial values for the eight digest buffers, these values are calculated from the first 80 prime numbers (2, 3, …, 409).

•  For example: the 80th prime is 409, with the cubic root (409)^(1/3) = 7.42291412044. Converting this number to binary with only 64 bits in the fraction part, we get:

The fraction part: (6C44198C4A475817)_16



Example 12.7: We apply the Majority function on buffers A, B, and C. If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE, respectively, what is the leftmost digit of the result?

Solution 12.7: The digits in binary are 0111, 1010, and 1110.

a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.

The result is 1110, or 0xE in hexadecimal.



Example 12.8: We apply the Conditional function on E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF respectively, what is the leftmost digit of the result?

Solution 12.8: The digits in binary are 1001, 1010, and 1111.

a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.

The result is 1110, or 0xE in hexadecimal.




Analysis

•  With a message digest of 512 bits, SHA-512 is expected to be resistant to all attacks, including collision attacks.

•  It has been claimed that this version’s improved design makes it more efficient and more secure than the previous versions.
•  However, more research and testing are needed to confirm
this claim.
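
The steps of section 12.2 (padding and length field, word expansion, constants derived from prime roots, the Majority and Conditional functions, and 80 rounds per 1024-bit block) put together as a working SHA-512. This is an added example, not code from the slides or from Forouzan's book, and all function names are its own. It follows FIPS 180-4, which always appends the 1 bit (so a formula result of 0 padding bits becomes a full 1024 bits) and combines the four word-expansion terms with addition mod 2^64.

```python
MASK = (1 << 64) - 1

def first_primes(n):
    found, c = [], 2
    while len(found) < n:
        found += [c] if all(c % p for p in found) else []
        c += 1
    return found

def frac_root(p, k):
    """First 64 fraction bits of the k-th root of p (exact integer search)."""
    lo, hi = 0, 1 << 70
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if mid ** k <= p << (64 * k) else (lo, mid)
    return lo & MASK

K = [frac_root(p, 3) for p in first_primes(80)]  # K0..K79: cube roots
H0 = [frac_root(p, 2) for p in first_primes(8)]  # A0..H0: square roots

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def padding_bits(m_bits):
    # (-|M| - 128) mod 1024, but the 1 bit is mandatory, so 0 becomes 1024
    return (-m_bits - 129) % 1024 + 1

def pad(msg):  # byte-aligned input; 0x80 is the 1 bit plus seven 0 bits
    zeros = padding_bits(8 * len(msg)) // 8 - 1
    return msg + b"\x80" + bytes(zeros) + (8 * len(msg)).to_bytes(16, "big")

def expand(block):
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for i in range(16, 80):  # FIPS 180-4 adds the four terms mod 2^64
        s0 = rotr(w[i - 15], 1) ^ rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = rotr(w[i - 2], 19) ^ rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    return w

def sha512(msg):
    h, data = list(H0), pad(msg)
    for off in range(0, len(data), 128):  # one 1024-bit block per iteration
        w = expand(data[off:off + 128])
        a, b, c, d, e, f, g, hh = h
        for i in range(80):  # Conditional(e,f,g) in t1, Majority(a,b,c) in t2
            t1 = hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
            t2 = (rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(8, "big") for x in h).hex()
```

For any byte string m, sha512(m) should equal hashlib.sha512(m).hexdigest(); messages of 111, 112 and 113 bytes exercise the 896-bit padding boundary from Example 12.5.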


12.3 Summary

•  All cryptographic hash functions must create a fixed-size digest out of a variable-size message.
•  Creating such a function is best accomplished using iteration.
•  A compression function is repeatedly used to create the digest → iterated hash function.

•  The Merkle-Damgard scheme is an iterated cryptographic hash function that is collision resistant if the compression function is collision resistant.
•  It is the basis for many cryptographic hash functions today.

•  There is a tendency to use two different approaches in designing the compression function:
   •  made from scratch.
   •  based on a block cipher.

•  A set of cryptographic hash functions uses compression functions that are made from scratch, such as the Message Digest (MD) group and the Secure Hash Algorithm (SHA) group.

•  SHA-512 is one of the promising cryptographic hash functions, with a 512-bit message digest, and is based on the Merkle-Damgard scheme.


Chapter 12 Exercises

Exercise 12.1: In SHA-512, show the value of the length field in hexadecimal for the following message lengths:
a)  1000 bits.
b)  10,000 bits.
c)  1,000,000 bits.

Forouzan, B.A. Cryptography and Network Security (International Edition). Singapore: McGraw-Hill, 2008. (page 386)

Exercise 12.2: What is the padding for SHA-512 if the length of the
message is:
a)  5120 bits.
b)  5121 bits.
c)  6143 bits.

Forouzan, B.A. Cryptography and Network Security (International Edition). Singapore: McGraw-Hill, 2008. (page 386)
