This preview shows page 1. Sign up to view the full content.
Unformatted text preview: ious block. H0 = I, where I is a random initial value Hi = g(Mi,Hi- 1) • Mi • Hi- 1 The hash of the entire message is the hash of the last message block. The random initial value, I, can be any value determined by the user (even all zeros). The function g is a complicated one. Figure 18.2 is an overview of the algorithm. Initially, the 128-bit hash of the previous message block, Hi-1, has its 64-bit left half and 64-bit right half swapped; it is then XORed with a repeating one/zero pattern (128 bits worth), and then XORed with the current message block, Mi. This value then cascades into N(N = 8 in the figures) processing stages. The other input to the processing stage is the previous hash value XORed with one of eight binary constant values. Figure 18.2 Outline of N-Hash. One processing stage is given in Figure 18.3. The message block is broken into four 32-bit values. The previous hash value is also broken into four 32-bit values. The function f is given in Figure 18.4. Functions S0 and S1 are the same as they were in FEAL. S0(a,b) = rotate left two bits ((a + b) mod 256) S1(a,b) = rotate left two bits ((a + b + 1) mod 256) The output of one processing stage becomes the input to the next processing stage. After the last processing stage, the output is XORed with the Mi and Hi-1, and then the next block is ready to be hashed. Cryptanalysis of N- Hash
Bert den Boer discovered a way to produce collisions in the round function of N-Hash . Biham and Shamir used differential cryptanalysis to break 6-round N-Hash [169, 172]. Their particular attack (there certainly could be others) works for any N that is divisible by 3, and is more efficient than the birthday attack for any N less than 15. Figure 18.3 One processing stage of N-Hash. Figure 18.4 Function f. The same attack can find pairs of messages that hash to the same value for 12-round N-Hash in 256 operations, compared to 264 operations for a brute-force attack. N-hash with 15 rounds is safe from differential cryptanalysis: The at...
View Full Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
- Fall '10