$f_t(X, Y, Z) = X \oplus Y \oplus Z$, for $t = 60$ to $79$.

Four constants are used in the algorithm:

$K_t$ = 0x5a827999, for $t = 0$ to $19$.
$K_t$ = 0x6ed9eba1, for $t = 20$ to $39$.
$K_t$ = 0x8f1bbcdc, for $t = 40$ to $59$.
$K_t$ = 0xca62c1d6, for $t = 60$ to $79$.

(If you wonder where those numbers came from: 0x5a827999 = $2^{1/2}/4$, 0x6ed9eba1 = $3^{1/2}/4$, 0x8f1bbcdc = $5^{1/2}/4$, and 0xca62c1d6 = $10^{1/2}/4$; all times $2^{32}$.)

The message block is transformed from 16 32-bit words ($M_0$ to $M_{15}$) to 80 32-bit words ($W_0$ to $W_{79}$) using the following algorithm:

$W_t = M_t$, for $t = 0$ to $15$
$W_t = (W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16}) \lll 1$, for $t = 16$ to $79$.

(As an interesting aside, the original SHA specification did not have the left circular shift. The change "corrects a technical flaw that made the standard less secure than had been thought" [543]. The NSA has refused to elaborate on the exact nature of the flaw.)

If $t$ is the operation number (from 0 to 79), $W_t$ represents the $t$th subblock of the expanded message, and $\lll s$ represents a left circular shift of $s$ bits, then the main loop looks like:

FOR t = 0 to 79
    TEMP = (a <<< 5) + f_t(b, c, d) + e + W_t + K_t
    e = d
    d = c
    c = b <<< 30
    b = a
    a = TEMP

[Figure 18.7: One SHA operation.]

Figure 18.7 shows one operation. Shifting the variables accomplishes the same thing as MD5 does by using different variables in different locations. After all of this, a, b, c, d, and e are added to A, B, C, D, and E respectively, and the algorithm continues with the next block of data. The final output is the concatenation of A, B, C, D, and E.

Security of SHA
SHA is very similar to MD4, but has a 160-bit hash value. The main changes are the addition of an expand transformation and the addition of the previous step's output into the next step for a faster avalanche effect. Ron Rivest made public the design decisions behind MD5, but SHA's designers did not. Here are Rivest's MD5 improvements to MD4 and how they compare with SHA's:

1. "A fourth round has been added." SHA does this, too. However, in SHA the fourth round uses the same f function as the second round.
2. "Each step now has a unique additive constant." SHA keeps the MD4 scheme where it reus...
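The following is an added example, not code from the book: a compact SHA-1 written directly from the description above (the round functions $f_t$ with rounds 2 and 4 sharing XOR, the four $K_t$ constants, the 16-to-80-word expand transformation with its one-bit rotate, and the 80-step main loop in which each step's output feeds the next). Padding follows the standard's scheme (a 0x80 byte, zeros up to 56 mod 64, then the 64-bit big-endian bit length), and `constants_from_roots` recomputes the $K_t$ values from $\sqrt{2}, \sqrt{3}, \sqrt{5}, \sqrt{10}$ exactly with integer square roots. The sample inputs at the bottom are constructed; `hashlib` is used only to cross-check the result.

```python
# Added example: SHA-1 built from the page's description (not the book's code).
import hashlib  # used only to cross-check against the library implementation
import math
import struct

MASK = 0xFFFFFFFF


def rotl(x, s):
    """Left circular shift of a 32-bit word by s bits (the <<< operator)."""
    return ((x << s) | (x >> (32 - s))) & MASK


def f_t(t, x, y, z):
    """Round function f_t; rounds 2 (t=20..39) and 4 (t=60..79) share XOR."""
    if t < 20:
        return (x & y) | (~x & z)
    if 40 <= t < 60:
        return (x & y) | (x & z) | (y & z)
    return x ^ y ^ z


def k_t(t):
    """The additive constant K_t for step t."""
    if t < 20:
        return 0x5A827999
    if t < 40:
        return 0x6ED9EBA1
    if t < 60:
        return 0x8F1BBCDC
    return 0xCA62C1D6


def constants_from_roots():
    """Recompute K_t as floor(sqrt(n)/4 * 2^32) = isqrt(n * 2^60), n in 2,3,5,10."""
    return [math.isqrt(n << 60) for n in (2, 3, 5, 10)]


def expand(block):
    """Expand one 64-byte block (M_0..M_15) into W_0..W_79."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        # The <<< 1 is the rotate that the original (SHA-0) specification lacked.
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def compress(state, block):
    """Process one block: 80 main-loop steps, then feed-forward into A..E."""
    a, b, c, d, e = state
    w = expand(block)
    for t in range(80):
        temp = (rotl(a, 5) + f_t(t, b, c, d) + e + w[t] + k_t(t)) & MASK
        e, d, c, b, a = d, c, rotl(b, 30), a, temp
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def pad(msg):
    """Append 0x80, zero bytes to 56 mod 64, then the bit length as 64-bit big-endian."""
    bit_len = len(msg) * 8
    msg = msg + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)


def sha1(msg):
    """Hash a byte string; returns the 160-bit digest as 40 hex characters."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    padded = pad(msg)
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return "".join("%08x" % s for s in state)


def matches_hashlib(msg):
    """True if this implementation agrees with the standard library on msg."""
    return sha1(msg) == hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    # Constructed sample inputs; b"abc" is the standard's well-known test vector.
    for sample in (b"", b"abc", b"a" * 1000):
        print(sha1(sample), matches_hashlib(sample))
    print([hex(k) for k in constants_from_roots()])
```

Running the file prints each digest alongside whether it agrees with `hashlib`; `sha1(b"abc")` yields a9993e364706816aba3e25717850c26c9cd0d89d, and `constants_from_roots()` returns the four $K_t$ values in order, confirming the square-root origin the text describes.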
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.