12.

1 INTRODUCTION

Cryptographic hash function takes a message of arbitrary length and

creates a message digest of fixed length.

The two most promising cryptographic hash algorithms- SHA-512 and

Whirlpool.

Before discuss some general ideas that may be applied to any cryptographic hash
function.

.
Iterated Hash Function

All cryptographic hash functions need to create a fixed-size digest out of a

variable-size message.

Creating such a function is best accomplished using iteration.

Instead of using a hash function with variable-size input, a function with fixed-
size input is created and is used a necessary number of times.

The fixed-size input function is referred to as a compression function.

It compresses an n-bit string to create an m-bit string where n is normally

greater than m.

The scheme is referred to as an iterated cryptographic hash function.

.
Merkle-Damgard Scheme

The Merkle-Damgard scheme is an iterated hash function that is collision resistant if the
compression function is collision resistant.

.
Merkle-Damgard Scheme (contd)

The scheme uses the following steps:

1. The message length and padding are appended to the message to create an augmented
message that can be evenly divided into blocks of n bits, where n is the size of the block
to be processed by the compression function.

2. The message is then considered as t blocks, each of n bits. Call each block M 1, M2,…, Mt.

digest created at t iterations H1, H2,…, Ht.

3. Before starting the iteration, the digest H0 is set to a fixed value, normally called IV (initial
value or initial vector).

4. The compression function at each iteration operates on H i−1 and Mi to create a new Hi.
Hi = ƒ(Hi−1, Mi), where ƒ is the compression function.

5. Ht is the cryptographic hash function of the original message, that is, h(M).

.
If the compression function in the Merkle-Damgard scheme is
collision resistant, the hash function is also collision resistant.

.
 Two Groups of Compression Functions

Merkle-Damgard scheme is the basis for many cryptographic hash functions today.

Only thing we need to do is design a compression function that is collision resistant

and insert it in the Merkle-Damgard scheme.

Two different approaches in designing a hash function.

• First approach : compression function is made from scratch: it is particularly

designed for this purpose.

• Second approach : symmetric-key block cipher serves as a compression

function.

.
Hash Functions Made from Scratch

A set of cryptographic hash functions uses compression functions that are made from
scratch.

These compression functions are specifically designed for the purposes they serve.

Message Digest (MD)

 Several hash algorithms were designed by Ron Rivest.
 These are referred to as MD2, MD4, and MD5.
 The last version, MD5, is a strengthened version of MD4 that divides the message
into blocks of 512 bits and creates a 128-bit digest.
 Message digest of size 128 bits is too small to resist collision attack.

.
Secure Hash Algorithm (SHA)
 The Secure Hash Algorithm (SHA) is a standard that was developed by the National
Institute of Standards and Technology (NIST).
 It is sometimes referred to as Secure Hash Standard (SHS).
 The standard is mostly based on MD5.
 The standard was revised in 1995, which includes SHA-1.
 It was revised later, which defines 4 new versions: SHA-224, SHA-256, SHA-384, and
SHA-512.

All of these versions have the same structure

.
Other Algorithms
 RACE Integrity Primitives Evaluation Message Digest (RIPMED) has several
versions.
 RIPEMD-160 is a hash algorithm with a 160-bit message digest.
 RIPEMD-160 uses the same structure as MD5 but uses two parallel lines of
execution.
 HAVAL is a variable-length hashing algorithm with a message digest of size 128,
160, 192, 224, and 256.The block size is 1024 bits.

.
Hash Functions Based on Block Ciphers
An iterated cryptographic hash function can use a symmetric-key block cipher
as a compression function.

There are several secure symmetric-key block ciphers, such as triple DES or
AES, that can be used to make a one-way function.

The block cipher in this case only performs encryption.

Several schemes have been proposed.

one of the most promising, Whirlpool.

.
Rabin Scheme
The iterated hash function proposed by Rabin is very simple.

The Rabin scheme is based on the Merkle-Damgard scheme.

The compression function is replaced by any encrypting cipher.

The message block is used as the key;

Previously created digest is used as the plaintext. The ciphertext is the new
message digest.

The digest is the size of data block cipher in the underlying cryptosystem.

For example, if DES is used as the block cipher, the size of the digest is only 64
bits.

it is subject to a meet-in-the-middle attack, because the adversary can use the

decryption algorithm of the cryptosystem.

.
Rabin Scheme

Figure 12.2 Rabin scheme

.
Davies-Meyer Scheme

The Davies-Meyer scheme is basically the same as the Rabin scheme

except that it uses forward feed to protect against meet-in-the-middle attack.

Figure 12.3 Davies-Meyer scheme

.
Matyas-Meyer-Oseas Scheme

The scheme can be used if the data block and the cipher key are the same
size.

For example, AES is a good candidate for this purpose.

Figure 12.4 Matyas-Meyer-Oseas scheme

.
Miyaguchi-Preneel Scheme

Miyaguchi-Preneel scheme is an extended version of Matyas-Meyer-Oseas.

To make the algorithm stronger against attack, the plaintext, the cipher key,
and the ciphertext are all exclusive-ored together to create the new digest.

This is the scheme used by the Whirlpool hash function.

Figure 12.5 Miyaguchi-Preneel scheme

.
12.2 SHA-512

SHA-512 is the version of SHA with a 512-bit message digest.

This version, like others SHA family, is based on the Merkle-Damgard

scheme.

it is the latest version, it has a more complex structure than the others, and its
message digest is the longest.

.
12.2 SHA-512

For characteristics of SHA-512 see Table 12.1.

.
12.2 SHA-512
SHA-512 creates a digest of 512 bits from a multiple-block message.

Each block is 1024 bits in length.

Figure 12.6 Message digest creation SHA-512

.
12.2 SHA-512

The digest is initialized to a predetermined value of 512 bits.

The algorithm mixes this initial value with the first block of the message to
create the first intermediate message digest of 512 bits.

This digest is then mixed with the second block to create the second
intermediate digest.

Finally, the (N − 1)th digest is mixed with the Nth block to create the Nth digest.

When the last block is processed, the resulting digest is

the message digest for the entire message.

.
12.2 SHA-512

Message Preparation

SHA-512 insists that the length of the original message be less than 2128 bits.

This means that if the length of a message is equal to or greater than 2 128, it
will not be processed by SHA-512.

This is not usually a problem because 2128 bits is probably larger than the
total storage capacity of any system.

.
12.2 SHA-512

Message Preparation

128
SHA-512 creates a 512-bit message digest out of a message less than 2 .

.
 12.2 SHA-512
Length Field and Padding

Before the message digest can be created, SHA-512 requires the addition of a
128-bit unsigned-integer length field to the message that defines the length of the
message in bits.

This is the length of the original message before padding.

An unsigned integer field of 128 bits can define a number between 0 and 2128 − 1,
which is the maximum length of the message allowed in SHA-512.

The length field defines the length of the original message before adding the length field
or the padding (Figure 12.7).

.
12.2 SHA-512
Length Field and Padding

Figure 12.7 Padding and length field in SHA-512

.
12.2 SHA-512
Length Field and Padding

Before the addition of the length field, we need to pad the original message
to make the length a multiple of 1024.

The length of the padding field can be calculated as follows.

Let |M| be the length of the original message and |P| be the length of the
padding field.

The format of the padding is one 1 followed by the necessary number of 0s.

.
12.2 SHA-512
Length Field and Padding

What is the number of padding bits if the length of the original message is 2590
bits?

Solution

The padding consists of one 1 followed by 353 0’s.

.
12.2 SHA-512
Length Field and Padding

Example 12.4
Do we need padding if the length of the original message is already a multiple
of 1024 bits?

Solution
Yes we do, because we need to add the length field. So padding is needed to
make the new block a multiple of 1024 bits.

.
12.2 SHA-512
Example 12.5
What is the minimum and maximum number of padding bits that can be added to a
message?

Solution
a. The minimum length of padding is 0 and it happens when (−M − 128) mod 1024 is 0.
This means that |M| = −128 mod 1024 = 896 mod 1024 bits. In other words, the last
block in the original message is 896 bits. We add a 128-bit length field to make the
block complete.

b. The maximum length of padding is 1023 and it happens when (−|M| −128) = 1023
mod 1024. This means that the length of the original message is |M| = (−128 −1023)
mod 1024 or the length is |M| = 897 mod 1024. In this case, we cannot just add the
length field because the length of the last block exceeds one bit more than 1024. So
we need to add 897 bits to complete this block and create a second block of 896 bits.
Now the length can be added to make this block complete.

.
12.2 SHA-512
Words
SHA-512 operates on words; A word is defined as 64 bits.

After the padding and the length field are added to the message, each block of
the message consists of sixteen 64-bit words.

Message digest is also made of 64-bit words, but the message digest is only
eight words and the words are named A, B, C, D, E, F, G, and H.

.
12.2 SHA-512
Words

16*64=1024
8*64=512

.
12.2 SHA-512
Word Expansion

• Before processing, each message block must be expanded.

• A block is made of 1024 bits, or sixteen 64-bit words.

• We need 80 words in the processing phase.

• So the 16-word block needs to be expanded to 80 words, from W0

to W79.

.
12.2 SHA-512
Word Expansion
The 1024-bit block becomes the first 16 words;
The rest of the words come from already-made words according to the operation
shown in the figure.

Figure 12.9 Word expansion in SHA-512

.
12.2 SHA-512

Example 12.6
Show how W60 is made.

Solution

.
12.2 SHA-512

Message Digest Initialization

The algorithm uses 8 constants for message digest initialization.

Call these constants A0 to H0 to match with the word naming used for the digest.

.
 12.2 SHA-512

Values are calculated from the first 8 prime numbers (2, 3, 5, 7, 11, 13, 17, and 19).

Each value is the fraction part of the square root of the corresponding prime
number after converting to binary and keeping only the first 64 bits.

For example, the eighth prime is 19, with the square root (19)1/2 = 4.35889894354.

Converting the number to binary with only 64 bits in the fraction part, we get

SHA-512 keeps the fraction part, (5BE0CD19137E2179)16, as an unsigned integer

.
12.2 SHA-512

Compression Function
SHA-512 creates a 512-bit (eight 64-bit words) message digest from a multiple-
block message where each block is 1024 bits.

The processing of each block of data in SHA-512 involves 80 rounds.

Figure 12.10 shows the general outline for the compression function.

.
12.2 SHA-512 In each round, the contents of eight
previous buffers, one word from the
Compression Function expanded block (Wi), and one 64-
bit constant (Ki) are mixed together
and then operated on to create a
new set of eight buffers.

At the beginning of processing, the

values of the eight buffers are
saved into eight temporary
variables.

At the end of the processing (after

step 79), these values are added to
the values created from step 79.

We call this last operation the final

adding, as shown in the figure.

.
Structure of Each Round
In each round, eight new values for the 64-bit buffers are created from the
values of the buffers in the previous round.

As Figure 12.11 shows, six buffers are the exact copies of one of the buffers
in the previous round as shown below:

.
Structure of Each Round

Two of the new buffers, A and E, receive their inputs from some complex
functions that involve some of the previous buffers, the corresponding word for
this round (Wi), and the corresponding constant for this round (Ki).

Figure 12.11 shows the structure of each round.

.
Structure of Each Round
Figure 12.11 shows the structure of each round.

There are 2 mixers, 3

functions, and several
operators.

Each mixer combines two

functions.

.
Structure of Each Round
Figure 12.11 shows the structure of each round.

1. The Majority function is a bitwise

function.
It takes three corresponding bits in three
buffers (A, B, and C) and calculates

Resulting bit is the majority of 3 bits.

If 2 or 3 bits are 1’s, the resulting bit
is 1; otherwise it is 0.

.
Structure of Each Round

2. The Conditional function is also a

bitwise function.
It takes three corresponding bits in three
buffers (E, F, and G) and calculates

Resulting bit is the logic “If Ej then Fj;

else Gj”.

.
Structure of Each Round

3. The Rotate function right-rotates the 3

instances of the same buffer (A or E) and
applies the exclusive-or operation on the
results.

4. The right-rotation function, RotR i(x),

is the same as the one we used in the
wordexpansion process.
It right-rotates its argument i bits; it is
actually a circular shiftright operation.

5. The addition operator used in the

process is addition modulo 2 64.
This means that the result of adding two or
more buffers is always a 64-bit word.

.
Structure of Each Round

6. There are 80 constants, K0 to K79, each of 64 bits as shown in Table 12.3 in

hexadecimal format (four in a row).
Similar to the initial values for the eight digest buffers, these values are calculated
from the first 80 prime numbers (2, 3,…, 409).

.
Structure of Each Round

Each value is the fraction part of the cubic root of the corresponding prime
number after converting it to binary and keeping only the first 64 bits.

For example, the 80th prime is 409, with the cubic root (409)1/3 =
7.42291412044.

Converting this number to binary with only 64 bits in the fraction part, we get
(111.0110 1100 0100 0100 . . . 0111)2 → (7.6C44198C4A475817)16

SHA-512 keeps the fraction part, (6C44198C4A475817)16, as an unsigned

integer.

.
Structure of Each Round
Example 12.7
We apply the Majority function on buffers A, B, and C.

If the leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE,
respectively, what is the leftmost digit of the result?

Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1. We can also prove it using the
definition of the Majority function:

b. The second bits are 1, 0, and 1. The majority is 1.

c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.

The result is 1110, or 0xE in hexadecimal.

.
Structure of Each Round

Example 12.8
We apply the Conditional function on E, F, and G buffers.

If the leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF
respectively, what is the leftmost digit of the result?

Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. Since E1 = 1, the result is F1, which is 1. We
can also use the definition of the Condition function to prove the result:

b. The second bits are 0, 0, and 1. Since E2 is 0, the result is G2, which is 1.
c. The third bits are 0, 1, and 1. Since E3 is 0, the result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. Since E4 is 1, the result is F4, which is 0.
The result is 1110, or 0xE in hexadecimal.

.
12.3 WHIRLPOOL

Is an iterated cryptographic hash function, based on the Miyaguchi-Preneel

scheme.

Uses a symmetric-key block cipher in place of the compression function.

Block cipher is a modified AES cipher that has been tailored for this purpose.

Designed by Vincent Rijmen and Paulo S. L. M. Barreto.

Endorsed by the New European Schemes for Signatures, Integrity, and

Encryption (NESSIE).

.
12.3 WHIRLPOOL

Figure 12.12 Whirlpool hash function

.
12.3 WHIRLPOOL

Preparation

Whirlpool requires that the length of the original message be less than 2256
bits.

A message needs to be padded before being processed.

The padding is a single 1-bit followed by the necessary numbers of 0-bits to

make the length of the padding an odd multiple of 256 bits.

After padding, a block of 256 bits is added to define the length of the original
message.

After padding and adding the length field, the augmented message size is an
even multiple of 256 bits or a multiple of 512 bits.

.
 12.3 WHIRLPOOL

Whirlpool creates a digest of 512 bits from a multiple 512-bit block message.

The 512-bit digest, H0, is initialized to all 0’s.

This value becomes the cipher key for encrypting the first block.

The ciphertext resulting from encrypting each block becomes the cipher key for the
next block after being exclusive-ored with the previous cipher key and the plaintext
block.

Message digest is the final 512-bit ciphertext after the last exclusive-or operation.

.
Whirlpool Cipher

The Whirlpool cipher is a non-Feistel cipher like AES.

Here the Whirlpool cipher is compared with the AES cipher and their differences
are mentioned.

Rounds
Whirlpool is a round cipher that uses 10 rounds.

The block size and key size are 512 bits.

The cipher uses 11 round keys, K0 to K10, each of 512 bits.

.
 Figure 12.13 General idea of the Whirlpool cipher

Figure 12.13 shows the general design of the Whirlpool cipher.

.
States and Blocks

Like the AES cipher, the Whirlpool cipher uses states and blocks.

However, the size of the block or state is 512 bits.

A block is considered as a row matrix of 64 bytes; a state is considered as a

square matrix of 8 × 8 bytes.

.
 Figure 12.14 Block and state in the Whirlpool cipher

Unlike AES, the block-to-state or stateto- block transformation is done row by row.

.
Structure of Each Round
Figure 12.15 shows the structure of each round. Each round uses four
transformations.

.
SubBytes Like in AES, SubBytes provide a nonlinear transformation.

A byte is represented as two hexadecimal digits.

Left digit defines the row and right digit defines the column of the substitution
table.

Two hexadecimal digits at the junction of the row and the column are the new
byte.

Figure 12.16 SubBytes transformations in the Whirlpool cipher

.
In the SubBytes transformation, the state is treated as an 8 × 8 matrix of bytes.

Transformation is done one byte at a time.

The contents of each byte are changed, but the arrangement of the bytes in
the matrix remains the same.

Table 12.4 shows the substitution table (S-Box) for SubBytes transformation.

The transformation definitely provides confusion effect.

.
For example, two bytes, 5A16 and 5B16, which differ only in one bit (the rightmost bit), are
transformed to 5B16 and 8816, which differ in five bits.

.
ShiftColumns

To provide permutation, Whirlpool uses the ShiftColumns transformation, which

is similar to the ShiftRows transformation in AES, except that the columns
instead of rows are shifted.

Shifting depends on the position of the column.

Column 0 goes through 0-byte shifting (no shifting), while column 7 goes
through 7-byte shifting.

.
MixRows

The MixRows transformation has the same effect as the MixColumns

transformation in AES: it diffuses the bits.

The MixRows transformation is a matrix transformation where bytes are

interpreted as 8-bit words (or polynomials) with coefficients in GF(2).

Multiplication of bytes is done in GF(28), but the modulus is different from the
one used in AES.

The Whirlpool cipher uses (0x11D) or (x8 + x4 + x3 + x2 + 1) as the modulus.

Addition is the same as XORing of 8-bit words.

.
Figure 12.19 MixRows transformation in the Whirlpool cipher

.
AddRoundKey

The AddRoundKey transformation in the Whirlpool cipher is done byte by byte,

because each round key is also a state of an 8 × 8 matrix.

A byte from the data state is added, in GF(28) field, to the corresponding byte in
the round-key state.

The result is the new byte in the new state.

Figure 12.20 AddRoundKey transformation in the Whirlpool cipher

.
Key Expansion
Key-expansion algorithm in Whirlpool is totally different from the algorithm in
AES.

Instead of using a new algorithm for creating round keys, Whirlpool uses a copy of the
encryption algorithm (without the pre-round) to create the round keys.

The output of each round in the encryption algorithm is the round key for that round.

Whirlpool uses ten round constants (RCs) as the virtual round keys for the keyexpansion
algorithm.

In other words, the key-expansion algorithm uses constants as the round keys and the
encryption algorithm uses the output of each round of the keyexpansion algorithm as the
round keys.

The key-generation algorithm treats the cipher key as the plaintext and encrypts it.

Note that the cipher key is also K0 for the encryption algorithm

.
.
Round Constants Each round constant, RCr is an 8 × 8 matrix where only the first row has
non-zero values.

The rest of the entries are all 0’s.

The values for the first row in each constant matrix can be calculated using the SubBytes
transformation (Table 12.4).

.
In other words, RC1 uses the first eight entries in the SubBytes transformation table
[Table 12.4]; RC2 uses the second eight entries, and so on.

For example, Figure 12.22 shows RC3, where the first row is the third eight entries in
the SubBytes table.

Figure 12.22 Round constant for the third round

.
Summary
Table 12.5 summarizes some characteristics of the Whirlpool cipher.

.
Analysis
Although Whirlpool has not been extensively studied or tested, it is based on
a robust scheme (Miyaguchi-Preneel), and for a compression function uses a
cipher that is based on AES, a cryptosystem that has been proved very
resistant to attacks.

In addition, the size of the message digest is the same as for SHA-512.

Therefore it is expected to be a very strong cryptographic hash function.

However, more testing and researches are needed to confirm this.

The only concern is that Whirlpool, which is based on a cipher as the

compression function, may not be as efficient as SHA-512, particularly when
it is implemented in hardware.

.
END