1. Cryptographic Hash Functions
CS432

2. Overview Hash Functions Hash Algorithms: MD5 (Message Digest).
SHA1: (Secure Hash Algorithm)

3. Hash functions
A hash function computes a fixed length value from a variable length source
Example: Check sums in communication protocols
Indices in databases
More convenient to handle a hash of a document instead of the document itself

4. Cryptographic Hash Functions (answers.com)
In cryptography, a cryptographic hash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as authentication and message integrity.
A hash function takes a long string (or 'message') of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

6. Hash functions, definition
A hash function is a function f:{0,1}*  {0,1}n.
The size of the output, n, is a property of the function. Common values are 128, 160 and 256.
Informally, A transformation of a message of arbitrary length into a fixed-length number is called a hash function
Alternate names are fingerprint or digest
Commonly used hash functions are MD5, SHA and, SHA-1

7. Simple Examples f(m) = first 70 bits of m f(m) = last 80 bits of m
f(m) = XOR of the bytes of m

8. Properties of a Good Hash Function
Let H be a hash function
One-way
Given x, unfeasible to compute a v such that H(v) = x
Collision-free
Unfeasible to find x1 and x2 such that H(x1) = H(x2) and x1  x2

9. Applications of Hash Functions
Hash functions are used for
message and file integrity
secure login
fingerprints of keys
authentication
digital signatures

10. Required Properties of Hash Functions
Preimage resistant given h it should be hard to find any m such that h = hash(m).
Second preimage resistant: given an input m1, it should be hard to find another input, m2 (not equal to m1) such that hash(m1) = hash(m2). This property is implied by collision-resistance.
Collision-resistant: given hash(m1), it should be hard to find a message m2 such that hash(m1) = hash(m2).
Due to a possible birthday attack, this means the hash function output must be at least twice as large as what is required for preimage-resistance.

11. Birthday Attack
A birthday attack is a type of cryptographic attack which exploits the mathematics behind the birthday paradox, making use of a space-time tradeoff. Specifically, if a function f(x) yields any of H different outputs with equal probability and H is sufficiently large, then after evaluating the function for about different arguments we expect to obtain a pair of different arguments x1 and x2 with f(x1) = f(x2), known as a collision

12. Birthday Paradox
In probability theory, the birthday paradox states that given a group of 23 (or more) randomly chosen people, the probability is more than 50% that some pair of them will have the same birthday.
For 57 or more people, the probability is greater than 99%, although it cannot be exactly 100% unless there are at least 367 people.[1]Calculating this probability (and related ones) is the birthday problem.
The mathematics behind it has been used to devise a well-known cryptographic attack named the birthday attack.

13. Birthday Attack
Any function H: {0,1}* ->{0,1}n must have infinitely many collisions.
It requires O(2n/2) evaluations of H to find two messages m and m’ that have a collision,
H(m)=H(m’).
This means n must be reasonably large, otherwise it cannot be collision resistant.

14. Attacks Suppose a hash function H produces n bit values.
Compose a document good doc and about 2n/2+1 semantically equivalent versions.
Similarly, compose a bad doc and about 2n/2+1 semantically equivalent versions.
With probability ½ or more there will be a version of the good doc and a version of the bad doc that have the same hash value.

15. Hash Algorithms We will consider two main examples:
The message digest algorithm MD5 by Ron Rivest with 128 bit hash values.
The secure hash algorithm SHA-1. It was developed by NSA and standardized by NIST. This algorithm uses 160 bit hash values encoded in 5 x 32 bit words.
Other variations of SHA include SHA-256, SHA-384, SHA-512.
Collisions in SHA-1 can be found by 263 attempts
Collision in MD5 can be found in 8 hours using a notebook PC...

16. MD5: Message Digest Algorithm
It compresses messages of 512 bits length into a hash of length 128 bits.
A message of arbitrary length is padded to length
k = 448 mod 512
A 64 bit string describing the length of the message is added. The message length is now a multiple of 512.
The hashing is done block-by-block.

17. Step 1: Append padding bits
Padded so that its bit length  448 mod 512 (i.e., the length of padded message is 64 bits less than an integer multiple of 512 bits)
Padding is always added, even if the message is already of the desired length (1 to 512 bits)
Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits)

18. Step 2: Append length:
64-bit length: contains the length of the original message modulo 264
The expanded message is Y0, Y1, …, YL-1; the total length is L  512 bits
The expanded message can be thought of as a multiple of bit words
Let M[0 … N-1] denote the word of the resulting message, where N = L  16

19. MD5 Algorithm Architecture

20. Initialization Vector
A buffer containing four words A,B,C,D of 32 bits is used to compute the hash value.
Initializations are:
A =
B = 89 ab cd ef
C = fe dc ba 98
D =

21. MD5 processing of a single (MD5 compression function)
MD5 processing of a single
512-bit block
(MD5 compression function)

22. A Typical MD5 Single Step

23. MD5 - functions
The procedure uses four boolean functions that operate bitwise on 32 bit words:
F(X,Y,Z) = (X Y)  (X  Z)
G(X,Y,Z) = (X  Z)  (Y  Z)
H(X,Y,Z) = X  Y  Z
I(X,Y,Z) = Y  (X  Z)
x y z F G H I
Truth table

24. What is X[k]?
The array of 32-bit words X[0..15] holds the value of current 512-bit input block being processed
Within a round, each of the 16 words of X[i] is used exactly once, during one step
The order in which these words is used varies from round to round
In the first round, the words are used in their original order
For rounds 2 through 4, the following permutations are used
2(i) = (1 + 5i) mod 16
3(i) = (5 + 3i) mod 16
4(I) = 7i mod 16

25. T[i] T is constructed from the sine function:
T[i] = integer part of 232  abs(sin(i)),
where i is in radians

26. Typical Values for T[i]

27. Circular Left Shift (CLS)
<<< s - circular left shift (rotation) of the 32-bit arguments by s bits
Values of s:
Round 1:
Round 2:
Round 3:
Round 4:

28. //Note: All variables are unsigned 32 bits and wrap modulo 2^32 when calculating
var int[64] r, T
//r specifies the per-round shift amounts
r[ 0..15] := {7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22}
r[16..31] := {5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20}
r[32..47] := {4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23}
r[48..63] := {6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21}

29. //Use binary integer part of the sines of integers as constants:
for i from 0 to 63
T[i] := floor(abs(sin(i + 1)) × (2 pow 32))
//Initialize variables:
var int h0 := 0x
var int h1 := 0xEFCDAB89
var int h2 := 0x98BADCFE
var int h3 := 0x
//Pre-processing:
append "1" bit to message
append "0" bits until message length in bits ≡ 448 (mod 512)
append bit (bit, not byte) length of unpadded message as 64-bit little-endian integer to message

30. //Process the message in successive 512-bit chunks:
for each 512-bit chunk of message
break chunk into sixteen 32-bit little-endian words X[i], 0 ≤ i ≤ 15
//Initialize hash value for this chunk:
var int a := h0
var int b := h1
var int c := h2
var int d := h3

31. //Main loop:
for i from 0 to 63
if 0 ≤ i ≤ 15 then
g:= (b and c) or ((not b) and d)
p := i
else if 16 ≤ i ≤ 31
g := (d and b) or ((not d) and c)
p := (5×i + 1) mod 16
else if 32 ≤ i ≤ 47
g := b xor c xor d
p := (3×i + 5) mod 16
else if 48 ≤ i ≤ 63
g := c xor (b or (not d))
p := (7×i) mod 16

32. temp := d
d := c
c := b
b := b + leftrotate((a + g + T[i] + X[p]) , r[i])
a := temp
//Add this chunk's hash to result so far:
h0 := h0 + a
h1 := h1 + b
h2 := h2 + c
h3 := h3 + d
var int digest := h0 append h1 append h2 append h3 //(expressed as little-endian)
//leftrotate function definition
leftrotate (x, c)
return (x << c) or (x >> (32-c));

33. Secure Hash Algorithm (SHA)
Developed by NIST (National Institute of Standards and Technology)
Published as a FIPS PUB 180 in 1993
A revised version is issued as FIPS PUB 180-1
Generally referred to as SHA-1
Input: a message with a maximum length of less than bits
Output: 160-bit message digest
32-bit word units, 512-bit blocks
4 rounds  20 steps per block
Closely models MD4
Slower, stronger than MD5

34. SHA Algorithm The overall structure and logic is similar to MD5
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize MD buffer
160-bit buffer (five 32-bit registers A,B,C,D,E) is used to hold intermediate and final results of the hash function
A,B,C,D,E are initialized to the following values
A,B,C,D = same as in MD5, E = C3D2E1F0
Stored in big-endian format (most significant byte of a word in the low-address byte position)
E.g. word E: C3 D2 E1 F0 (low address … high address)

35. SHA Algorithm Step 4: Process message in 512-bit (16-word) blocks
Heart of the algorithm called a compression function
Consists of 4 rounds of processing of 20 steps each
The 4 rounds have a similar structure, but each uses a different primitive logical functions, referred to as f1, f2, f3, and f4
Each round takes as input the current 512-bit block (Yq), 160-bit buffer value ABCDE and updates the contents of the buffer
Each round also uses the additive constants Kt, where 0  t  79 indicates one of the 80 steps across 4 rounds
In fact only 4 constants are used:
The output of 4th round (80th step) is added to the CVq to produce CVq+1
Step Number Hexadecimal Ineteger Part of
0  t  19 Kt = 5A [230  2]
20  t  39 Kt = 6ED9EBA1 [230  3]
40  t  59 Kt = 8F1BBCDC [230  5]
60  t  79 Kt = CA62C1D6 [230  10]

36. SHA-1 processing of a single
512-bit block
(SHA-1 compression function)

37. Elementary SHA operation (single step)

38. Each primitive function takes three 32-bit words as input and produces a 32-bit word output
Each function performs a set of bitwise logical operations
Step Function Name Function Value
( 0  t 19) f1 = f(t,B,C,D) (B  C)  (B’  D)
(20  t 39) f2 = f(t,B,C,D) B  C  D
(40  t 59) f3 = f(t,B,C,D) (B  C)  (B  D)  (C  D)
(60  t 79) f4 = f(t,B,C,D) B  C  D
Truth table
B C D f1 f2 f3 f4

39. Note: All variables are unsigned 32 bits and wrap modulo 232 when calculating
Initialize variables:
h0 := 0x
h1 := 0xEFCDAB89
h2 := 0x98BADCFE
h3 := 0x
h4 := 0xC3D2E1F0
Pre-processing:
append the bit '1' to the message
append k bits '0', where k is the minimum number >= 0 such that the resulting message
length (in bits) is congruent to 448 (mod 512)
append length of message (before pre-processing), in bits, as 64-bit big-endian integer
Process the message in successive 512-bit chunks:
break message into 512-bit chunks

40. for each chunk
break chunk into sixteen 32-bit big-endian words w[i], 0 ≤ i ≤ 15
Extend the sixteen 32-bit words into eighty 32-bit words:
for i from 16 to 79
w[i] := (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1
Initialize hash value for this chunk:
a := h0
b := h1
c := h2
d := h3
e := h4

41. Main loop:
for i from 0 to 79
if 0 ≤ i ≤ 19 then
f := (b and c) or ((not b) and d)
k := 0x5A827999
else if 20 ≤ i ≤ 39
f := b xor c xor d
k := 0x6ED9EBA1
else if 40 ≤ i ≤ 59
f := (b and c) or (b and d) or (c and d)
k := 0x8F1BBCDC
else if 60 ≤ i ≤ 79
k := 0xCA62C1D6
temp := (a leftrotate 5) + f + e + k + w[i]
e := d
d := c
c := b leftrotate 30
b := a
a := temp

42. Add this chunk's hash to result so far:
h0 := h0 + a
h1 := h1 + b
h2 := h2 + c
h3 := h3 + d
h4 := h4 + e
Produce the final hash value (big-endian):
digest = hash = h0 append h1 append h2 append h3 append h4
The following equivalent expressions may be used to compute f in the main loop above:
(0 ≤ i ≤ 19): f := d xor (b and (c xor d)) (alternative)
(40 ≤ i ≤ 59): f := (b and c) or (d and (b or c)) (alternative 1)
(40 ≤ i ≤ 59): f := (b and c) or (d and (b xor c)) (alternative 2)
(40 ≤ i ≤ 59): f := (b and c) + (d and (b xor c)) (alternative 3