Applied Cryptography - Protocols, Algorithms, and Source Code in C

Next the expanded message is divided up into 64 bit


on purposes only [767]. Its basic structure is a variant of the underlying block cipher (DES in the reference) in CBC mode. The last two ciphertext blocks and a constant are XORed to the current message block and encrypted by the algorithm. The hash is the last two ciphertext blocks computed. The message is processed twice, with two different keys, so the hash function has a hash rate of ½. The first key is 0x0000000000000000, the second key is 0x2a41522f4446502a, and c is 0x0123456789abcdef. The result is compressed to a single 128-bit hash value. See [750] for the details.

$H_i = E_K(M_i \oplus H_{i-1} \oplus H_{i-2} \oplus c) \oplus M_i$

This sounds interesting, but it is insecure. After considerable preprocessing, it is possible to find collisions for this hash function easily [416].

Figure 18.14 MDC-4.

GOST Hash Function

This hash function comes from Russia, and is specified in the standard GOST R 34.11-94 [657]. It uses the GOST block algorithm (see Section 14.1), although in theory it could use any block algorithm with a 64-bit block size and a 256-bit key. The function produces a 256-bit hash value.

The compression function, $H_i = f(M_i, H_{i-1})$ (both operands are 256-bit quantities), is defined as follows:

(1) Generate four GOST encryption keys by some linear mixing of $M_i$, $H_{i-1}$, and some constants.
(2) Use each key to encrypt a different 64 bits of $H_{i-1}$ in ECB mode. Store the resulting 256 bits into a temporary variable, S.
(3) $H_i$ is a complex, although linear, function of S, $M_i$, and $H_{i-1}$.

The final hash of M is not the hash of the last block. There are actually three chaining variables: $H_n$ is the hash of the last message block, Z is the sum mod $2^{256}$ of all the message blocks, and L is the length of the message. Given those variables and the padded last block, M', the final hash value is:

$H = f(Z \oplus M', f(L, f(M', H_n)))$

The documentation is a bit confusing (and in Russian), but I think all that is correct. In any case, this hash function is specified for use with the Russian Digital Signature Standard (see Section 20.3).
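The GOST-style finalisation described above, sketched in Python as an added example that is not code from the book or from the GOST standard. The compression function f is a SHA-256 stand-in (not the GOST step function), and the zero padding, all-zero IV, big-endian block encoding, bit-length L, and the choice to include M' in the sum Z are all assumptions made for illustration.

```python
import hashlib

BLOCK = 32          # 256-bit message blocks, as in the text
MOD = 1 << 256      # Z is a sum mod 2^256

def f(m: int, h: int) -> int:
    """Stand-in compression function (SHA-256). NOT the GOST step function."""
    data = m.to_bytes(BLOCK, "big") + h.to_bytes(BLOCK, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def split_blocks(msg: bytes):
    """Return (full blocks before the last one, zero-padded last block M')."""
    chunks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)] or [b""]
    last = chunks.pop().ljust(BLOCK, b"\x00")     # assumed zero padding
    return ([int.from_bytes(c, "big") for c in chunks],
            int.from_bytes(last, "big"))

def chain(msg: bytes):
    """Compute the three chaining variables H_n, Z, L and the padded M'."""
    full, m_last = split_blocks(msg)
    h = 0                                         # assumed all-zero IV
    for m in full:
        h = f(m, h)                               # H_i = f(M_i, H_{i-1})
    z = (sum(full) + m_last) % MOD                # sum of all blocks mod 2^256
    length = len(msg) * 8                         # assumed: length in bits
    return h, z, length, m_last

def gost_style_hash(msg: bytes) -> bytes:
    """H = f(Z xor M', f(L, f(M', H_n))), the finalisation given in the text."""
    h_n, z, length, m_last = chain(msg)
    return f(z ^ m_last, f(length, f(m_last, h_n))).to_bytes(BLOCK, "big")

def hash_without_length(msg: bytes) -> bytes:
    """Same construction with L left out, to show what L contributes."""
    h_n, z, _, m_last = chain(msg)
    return f(z ^ m_last, f(m_last, h_n)).to_bytes(BLOCK, "big")

if __name__ == "__main__":
    a, b = b"abc", b"abc\x00"     # constructed inputs: identical after padding
    print(hash_without_length(a) == hash_without_length(b))   # collide
    print(gost_style_hash(a) == gost_style_hash(b))           # L separates them
```

Under these assumptions, two messages that differ only in trailing zero bytes share H_n, Z and M', so the length variable L is the only thing that keeps their digests apart.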

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
