Section 12.6. Key Terms, Review Questions, and Problems

What is the difference between little-endian and big-endian format?

What basic arithmetical and logical functions are used in SHA?

What basic arithmetical and logical functions are used in Whirlpool?

Why has there been an interest in developing a message authentication code derived from a cryptographic hash function as opposed to one derived from a symmetric cipher?

What changes in HMAC are required in order to replace one underlying hash function with another?

In Figure 12.4, it is assumed that an array of 80 64-bit words is available to store the values of W_t so that they can be precomputed at the beginning of the processing of a block. Now assume that space is at a premium. As an alternative, consider the use of a 16-word circular buffer that is initially loaded with W₀ through W₁₅ Design an algorithm that, for each step t, computes the required input value W_t

For SHA-512, show the equations for the values of W₁₆,W₁₇, W₁₈, W₁₉

Suppose a₁ a₂ a₃ a₄ are the 4 bytes in a 32-bit word. Each a_i can be viewed as an integer in the range 0 to 255, represented in binary. In a big-endian architecture, this word represents the integer

a₁2²⁴ + a₂2¹⁶ + a₃2⁸ + a₄

In a little-endian architecture, this word represents the integer

a₄2²⁴ + a₃2¹⁶ + a₂2⁸ + a₁

1. Some hash functions, such as MD5, assume a little-endian architecture. It is important that the message digest be independent of the underlying architecture. Therefore, to perform the modulo 2 addition operation of MD5 or RIPEMD-160 on a big-endian architecture, an adjustment must be made. Suppose X = x₁ x₂ x₃ x₄ and Y = y₁ y₂ y₃ y₄. Show how the MD5 addition operation (X + Y) would be carried out on a big-endian machine.

2. SHA assumes a big-endian architecture. Show how the operation (X + Y) for SHA would be carried out on a little-endian machine.

This problem introduces a hash function similar in spirit to SHA that operates on letters instead of binary data. It is called the toy tetragraph hash (tth).^[5] Given a message consisting of a sequence of letters, tth produces a hash value consisting of four letters. First, tth divides the message into blocks of 16 letters, ignoring spaces, punctuation, and capitalization. If the message length is not divisible by 16, it is padded out with nulls. A four-number running total is maintained that starts out with the value (0, 0, 0, 0); this is input to the compression function for processing the first block. The compression function consists of two rounds. Round 1: Get the next block of text and arrange it as a row-wise 4 x 4 block of text and convert it to numbers (A = 0, B = 1, etc.). For example, for the block ABCDEFGHIJKLMNOP, we have:

^[5] I thank William K. Mason, of the magazine staff of The Cryptogram, for providing this example.

Then, add each column mod 26 and add the result to the running total, mod 26. In this example, the running total is (24, 2, 6, 10). Round 2: Using the matrix from round 1, rotate the first row left by 1, second row left by 2, third row left by 3, and reverse the order of the fourth row. In our example:

Now, add each column mod 26 and add the result to the running total. The new running total is (5, 7, 9, 11). This running total is now the input into the first round of the compression function for the next block of text. After the final block is processed, convert the final running total to letters. For example, if the message is ABCDEFGHIJKLMNOP, then the hash is FHJL.

1. Draw figures comparable to Figures 12.1 and 12.2 to depict the overall tth logic and the compression function logic.

2. Calculate the hash function for the 48-letter message "I leave twenty million dollars to my friendly cousin Bill."

3. To demonstrate the weakness of tth, find a 48-letter block that produces the same hash as that just derived. Hint: Use lots of A's.

Develop a table similar to Table 4.8 for GF(2⁸) with m(x) = x⁸ + x⁴ + x³ + x² + 1.

Show the E and E^-1 mini-boxes in Table 12.3 in the traditional S-box square matrix format, such as that of Table 5.4.

Verify that Figure 12.9 is a valid implementation of the S-box shown in Table 12.3a. Do this by showing the calculations involved for three input values: 00, 55, 1E.

Provide a Boolean expression that defines the S-box functionality of Figure 12.9.

Whirlpool makes use of the construction H_i = E(H_i-1,M_i) i-1 i-1 Another construction that was shown by Preneel to be secure is H_i = E(H_i-1,M_i) H_i-1,M_i)lines. Consider the encryption We could write the final round key for this block as K₁₀ = E(RC,H_i-1). Now show that the two hash constructions are essentially equivalent because of the way that the key schedule is defined.

At the beginning of Section 12.4, it was noted that given the CBC MAC of a one-block message X, say T = MAC(K,X),the adversary immediately knows the CBC MAC for the two-block message X|(X T. Justify this statement.

In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn't work. Let us consider this for the case of the message being an integer multiple of the block size. Then the variant can be expressed as VMAC(K,M) = CBC(K,M) 0 = 0ⁿ, where n is the cipher block size; the message 1 = 1ⁿ and the message 1||0. As a result of these three queries the adversary gets T₀ = CBC(K,0) T₁ = CBC(K,1) T₂ = CBC(K,[CBC(K,1)]) 0||(T₀

In the discussion of subkey generation in CMAC, it states that the block cipher is applied to the block that consists entirely of 0 bits. The first subkey is derived from the resulting string by a left shift of one bit, and, conditionally, by XORing a constant that depends on the block size. The second subkey is derived in the same manner from the first subkey.

1. What constants are needed for block sizes of 64 and 128 bits?

2. Explain how the left shift and XOR accomplishes the desired result.