Lecture - 10 Cryptographic Hash Functions

Uploaded by hania.usman

22‐Jul‐20

Cryptographic Hash Functions
MACs, Digital Signatures, Hash Functions and Digital Certificates

[Figure: Message M → Hash Function H → Message Digest D, where D = H(M)]

Who are You?


Why Digital Signatures?

Security of document requires
• Authenticity
• Confidentiality
• Integrity
• Non‐repudiation


Solutions Offered

Requirement | Physical World | Electronic World
Authenticity | Notaries, Physical Presence, Photo ID card | Digital Signature
Privacy & Confidentiality | Envelopes | Encryption
Integrity | Signatures, Barcodes, Watermarks, Sealed letter | Digital Signature
Non‐Repudiation | Notarized signature, Receipts & Confirmations | Digital Signature

Secret Key How to?
• Encryption: Original Text + Secret key = Encrypted Text
• Decryption: Encrypted Text + Secret key = Original Text


Secret‐Key Problem?
• All keys need to be replaced, if one key is compromised.
• Not practical for the Internet environment.
• On the other hand, the encryption speed is fast.
• Suitable to encrypt your personal data.

Public‐Private Encryption
First, create public and private key
• Public key: stored in the Public Key Directory
• Private key: stored in your personal computer


Message Encryption
(User A sends message to User B)
[Figure: User A takes User B’s Public Key from the Public Key Directory and encrypts the Text into Encrypted Text]

Transfer Encrypted Data
[Figure: User A sends the Encrypted Text to User B over an Insecure Channel]


Decryption with your Private key
[Figure: User B decrypts the Encrypted Text with User B’s Private key, which is stored in User B’s personal computer, and recovers the Original Text]

Why Digital signatures
• Everyone has different keys
• Each entity has a Key Pair, i.e., Public/Private Key
[Figure: the Original Document and the Originator's Private Key enter a Crypto Engine, producing the Signed Document; the Signed Document and the Originator's Public Key enter a Crypto Engine, producing the Validated Document]

But how does B know that it’s A’s public key?


Digital Signature
• A digital signature can be used in all electronic communications
  • Web, e‐mail, e‐commerce
• It is an electronic stamp or seal that is appended to the document.
• It ensures that the document is unchanged during transmission.


How digital Signature works?
[Figure: User A uses A’s private key to sign the document and transmits it via the Internet; User B receives the document with the signature attached and verifies the signature with A’s public key stored at the directory]


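Digital Signature Generation and Verification
[Figure: Message Sender: Message → Hash function → Digest → Encryption with the Private Key → Signature. Message Receiver: Message → Hash function → Digest; Signature → Decryption with the Public Key → Expected Digest; the Digest is compared with the Expected Digest]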

Requirements for a Digital Signature
1. The signature must be a bit pattern that depends on the message being signed.
2. The signature must use some information unique to the sender, to prevent both forgery and denial.
3. It must be relatively easy to produce the digital signature.
4. It must be relatively easy to recognize and verify the digital signature.
5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.
6. It must be practical to retain a copy of the digital signature in storage.


What is a hash function?
• A hash function H is a transformation that takes an input m and returns a fixed‐size string, which is called the hash value h (that is, h = H(m)).
• Hash functions with just this property have a variety of general computational uses, but when employed in cryptography, the hash functions are usually chosen to have some additional properties.


Hash Functions
• A hash function H accepts a variable‐length block of data M as input and produces a fixed‐size hash value
  • h = H(M)
  • Principal object is data integrity
• Cryptographic hash function
  • An algorithm for which it is computationally infeasible to find either:
    (a) a data object that maps to a pre‐specified hash result (the one‐way property)
    (b) two data objects that map to the same hash result (the collision‐free property)


Message authentication
• A mechanism or service used to verify the integrity of a message.
• Message authentication assures that data received are exactly as sent.

Figure 11.3 Simplified Examples of the Use of a Hash Function for Message Authentication
What Source A sends to Destination B in each case:
(a) E(K, [M || H(M)])
(b) M || E(K, H(M))
(c) M || H(M || S)
(d) E(K, [M || H(M || S)])
In each case the destination recomputes the hash over the received message and compares it with the received hash value.


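Hash function for message authentication
[Figure: the source sends E(K, M || H(M)); the destination decrypts with K, recomputes H(M) from M and compares it with the received H(M)]

Hash function for message authentication (Cont.)
[Figure: the source sends M || E(K, H(M)); the destination decrypts the hash with K, recomputes H(M) from M and compares]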


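Hash function for message authentication (Cont.)
[Figure: the source sends M || H(M || S); the destination appends S to the received M, recomputes H(M || S) and compares]

Hash function for message authentication (Cont.)
[Figure: the source sends E(K, M || H(M || S)); the destination decrypts with K, appends S to M, recomputes H(M || S) and compares]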


Message Authentication Code (MAC)
• Also known as a keyed hash function
• Typically used between two parties that share a secret key to authenticate information exchanged between those parties
• Takes as input a secret key and a data block and produces a hash value (MAC) which is associated with the protected message
  • If the integrity of the message needs to be checked, the MAC function can be applied to the message and the result compared with the associated MAC value
  • An attacker who alters the message will be unable to alter the associated MAC value without knowledge of the secret key
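The check described above, written out for scheme (c) of Figure 11.3 and for HMAC, as an added example that is not part of the lecture. SHA-256 as H, the function names and the sample secret are assumptions made for the illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def tag_secret_suffix(message: bytes, secret: bytes) -> bytes:
    """Figure 11.3(c): H(M || S), with SHA-256 standing in for H."""
    return hashlib.sha256(message + secret).digest()


def tag_hmac(message: bytes, secret: bytes) -> bytes:
    """HMAC-SHA-256, the standard keyed-hash construction."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def protect(message: bytes, secret: bytes, tag_fn=tag_secret_suffix) -> bytes:
    """Source side: transmit M followed by its tag."""
    return message + tag_fn(message, secret)


def verify(packet: bytes, secret: bytes, tag_fn=tag_secret_suffix):
    """Destination side: recompute the tag and compare.

    Returns the message when the tag matches, otherwise None.
    """
    if len(packet) < TAG_LEN:
        return None  # too short to contain a tag at all
    message, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = tag_fn(message, secret)
    # compare_digest runs in constant time, so the comparison itself
    # does not reveal how many leading bytes of a guessed tag were right.
    return message if hmac.compare_digest(received, expected) else None


def unkeyed_packet(message: bytes) -> bytes:
    """What a party without the secret can produce: M || H(M)."""
    return message + hashlib.sha256(message).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    packet = protect(b"transfer 10 to bob", secret)
    print(verify(packet, secret))                                   # the message
    print(verify(b"transfer 99 to bob" + packet[-TAG_LEN:], secret))  # None
    print(verify(unkeyed_packet(b"transfer 99 to bob"), secret))      # None
```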

Message Authentication Using Plain Encryption


Conventional Encryption for Signatures and MACs
• There is no shortage of good message authentication codes, beginning with DES‐MAC, as defined in FIPS PUB 113.
• Conventional (symmetric) encryption could be used for digital signatures: DES‐MAC, specified by FIPS
• However, message authentication codes based on encryption functions such as DES, which were designed for hardware implementation, may be somewhat limited in performance for software, and there is also the question of U.S. export restrictions on encryption functions.


Conventional Encryption for MACs
• When secret key cryptography is used, a message authentication code (MAC) is calculated from and appended to the data.
• To verify that the data has not been modified at a later time, any party with access to the correct secret key can recalculate the MAC. The new MAC is compared with the original MAC, and if they are identical, the verifier has confidence that the data has not been modified by an unauthorized party.
• FIPS 113, Computer Data Authentication, specifies a standard technique for calculating a MAC for integrity verification.


DESMAC or DAA

Use CBC

O1 = EK(D1)
O2 = EK(D2 ⊕ O1)
O3 = EK(D3 ⊕ O2)
...
ON = EK(DN ⊕ ON-1)


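Use of Encryption for MAC
[Figure: the sender runs the Message and key K through the Encryption Algorithm to obtain the MAC and sends Message and MAC; the receiver runs the received Message and K through the Encryption Algorithm and compares the resulting MAC with the received MAC]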


Why not base MACs on Encryption
• Message authentication codes based on encryption functions are a bad idea because:
  • Inefficiency of encryption algorithm in software
  • US export restrictions
• Solution
  • Use Message Digests, or use a one‐way hash function to create a fixed‐size fingerprint of the variable‐sized message.

[Figure: Alice sends P, DA(MD(P)) to Bob]



Digital Signature
• Operation is similar to that of the MAC
• The hash value of a message is encrypted with a user’s private key
• Anyone who knows the user’s public key can verify the integrity of the message
• An attacker who wishes to alter the message would need to know the user’s private key
• Implications of digital signatures go beyond just message authentication


Figure 11.4 Simplified Examples of Digital Signatures
What Source A sends to Destination B in each case:
(a) M || E(PRa, H(M))
(b) E(K, [M || E(PRa, H(M))])
In each case the destination decrypts the signature with PUa and compares the result with H(M) recomputed from the received message.

Hash function for digital signature
[Figure: the source sends M || E(PRa, H(M)); the destination decrypts the signature with PUa and compares the result with H(M) recomputed from M]


Hash function for digital signature (Cont.)
[Figure: the source sends E(K, [M || E(PRa, H(M))]); the destination decrypts with K, decrypts the signature E(PRa, H(M)) with PUa and compares the result with H(M) recomputed from M]

Other Hash Function Uses

Commonly used to create a one‐way password file
• When a user enters a password, the hash of that password is compared to the stored hash value for verification
• This approach to password protection is used by most operating systems

Can be used for intrusion and virus detection
• Store H(F) for each file on a system and secure the hash values
• One can later determine if a file has been modified by recomputing H(F)
• An intruder would need to change F without changing H(F)

Can be used to construct a pseudorandom function (PRF) or a pseudorandom number generator (PRNG)
• A common application for a hash‐based PRF is for the generation of symmetric keys


Two Simple Hash Functions
• Consider two simple insecure hash functions that operate using the following general principles:
  • The input is viewed as a sequence of n‐bit blocks
  • The input is processed one block at a time in an iterative fashion to produce an n‐bit hash function
• Bit‐by‐bit exclusive‐OR (XOR) of every block
  • Ci = bi1 xor bi2 xor . . . xor bim
  • Produces a simple parity for each bit position and is known as a longitudinal redundancy check
  • Reasonably effective for random data as a data integrity check
• Perform a one‐bit circular shift on the hash value after each block is processed
  • Has the effect of randomizing the input more completely and overcoming any regularities that appear in the input
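Both functions in runnable form, with the reason they are labelled insecure, as an added example that is not part of the lecture. The 32-bit block size, zero padding of the last block, the function names and the sample messages are assumptions made for the illustration.

```python
def _blocks(data: bytes, n_bytes: int):
    """Split data into n-bit blocks (n = 8 * n_bytes), zero-padding the last."""
    data += b"\x00" * (-len(data) % n_bytes)   # padding rule is an assumption
    return [int.from_bytes(data[i:i + n_bytes], "big")
            for i in range(0, len(data), n_bytes)]


def xor_hash(data: bytes, n_bytes: int = 4) -> bytes:
    """Longitudinal redundancy check: Ci = bi1 xor bi2 xor ... xor bim."""
    h = 0
    for block in _blocks(data, n_bytes):
        h ^= block
    return h.to_bytes(n_bytes, "big")


def rotated_xor_hash(data: bytes, n_bytes: int = 4) -> bytes:
    """XOR each block in, then rotate the hash value left by one bit."""
    n = 8 * n_bytes
    mask = (1 << n) - 1
    h = 0
    for block in _blocks(data, n_bytes):
        h ^= block
        h = ((h << 1) | (h >> (n - 1))) & mask   # one-bit circular shift
    return h.to_bytes(n_bytes, "big")


def append_correcting_block(prefix: bytes, target: bytes, n_bytes: int = 4) -> bytes:
    """Show the missing second-preimage resistance of rotated_xor_hash.

    Because every step is linear and invertible, one extra block can be
    solved for so that any prefix hashes to a chosen target value.
    """
    n = 8 * n_bytes
    mask = (1 << n) - 1
    prefix += b"\x00" * (-len(prefix) % n_bytes)
    state = int.from_bytes(rotated_xor_hash(prefix, n_bytes), "big")
    t = int.from_bytes(target, "big")
    rotr_t = ((t >> 1) | (t << (n - 1))) & mask   # undo the final rotation
    block = state ^ rotr_t                        # undo the final XOR
    return prefix + block.to_bytes(n_bytes, "big")


if __name__ == "__main__":
    # Constructed sample messages made of two 32-bit blocks each.
    a, b = b"PAY 1000", b"1000PAY "
    print(xor_hash(a) == xor_hash(b))                   # True: block order is invisible
    print(rotated_xor_hash(a) == rotated_xor_hash(b))   # False: rotation fixes that
    other = append_correcting_block(b"PAY 9999", rotated_xor_hash(a))
    print(rotated_xor_hash(other) == rotated_xor_hash(a))  # True: still not one-way
```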

[Figure: Two Simple Hash Functions]


Requirements for Cryptographic Hash Functions
• The basic requirements for a cryptographic hash function are as follows.
  • The input can be of any length.
  • The output has a fixed length.
  • H(x) is relatively easy to compute for any given x.
  • H(x) is one‐way.
  • H(x) is collision‐free.

H(x) is one‐way ...
• A hash function H is said to be one‐way if it is hard to invert, where “hard to invert” means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.


H(x) is collision‐free ...
• If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y), then H is said to be a weakly collision‐free hash function.
• A strongly collision‐free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).


Requirements and Security

Preimage
• x is the preimage of h for a hash value h = H(x)
• Is a data block whose hash function, using the function H, is h
• Because H is a many‐to‐one mapping, for any given hash value h, there will in general be multiple preimages

Collision
• Occurs if we have x ≠ y and H(x) = H(y)
• Because we are using hash functions for data integrity, collisions are clearly undesirable


Requirements for a Cryptographic Hash Function H

Requirement | Description
Variable input size | H can be applied to a block of data of any size.
Fixed output size | H produces a fixed-length output.
Efficiency | H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
Preimage resistant (one-way property) | For any given hash value h, it is computationally infeasible to find y such that H(y) = h.
Second preimage resistant (weak collision resistant) | For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
Collision resistant (strong collision resistant) | It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
Pseudorandomness | Output of H meets standard tests for pseudorandomness.

[Figure 11.6 Relationship Among Hash Function Properties: preimage resistant, second preimage resistant, collision resistant]


Hash Function Resistance Properties Required for Various Data Integrity Applications

Application | Preimage Resistant | Second Preimage Resistant | Collision Resistant
Hash + digital signature | yes | yes | yes*
Intrusion detection and virus detection | | yes |
Hash + symmetric encryption | | |
One-way password file | yes | |
MAC | yes | yes | yes*

* Resistance required if attacker is able to mount a chosen message attack

Attacks on Hash Functions

Brute‐force (exhaustive search) attacks
• Does not depend on the specific algorithm, only depends on bit length
• In the case of a hash function, attack depends only on the bit length of the hash value
• Method is to pick values at random and try each one until a collision occurs

Cryptanalysis
• An attack based on weaknesses in a particular cryptographic algorithm
• Seek to exploit some property of the algorithm to perform some attack other than an exhaustive search


Collision Resistant Attacks
• For a collision resistant attack, an adversary wishes to find two messages or data blocks that yield the same hash function
  • The effort required is explained by a mathematical result referred to as the birthday paradox
• Yuval proposed the following strategy to exploit the birthday paradox in a collision resistant attack:
  • The source (A) is prepared to sign a legitimate message x by appending the appropriate m‐bit hash code and encrypting that hash code with A’s private key
  • Opponent generates 2^(m/2) variations x’ of x, all with essentially the same meaning, and stores the messages and their hash values
  • Opponent prepares a fraudulent message y for which A’s signature is desired
  • Opponent generates minor variations y’ of y, all of which convey essentially the same meaning. For each y’, the opponent computes H(y’), checks for matches with any of the H(x’) values, and continues until a match is found. That is, the process continues until a y’ is generated with a hash value equal to the hash value of one of the x’ values
  • The opponent offers the valid variation to A for signature which can then be attached to the fraudulent variation for transmission to the intended recipient
    • Because the two variations have the same hash code, they will produce the same signature and the opponent is assured of success even though the encryption key is not known
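The birthday bound behind the 2^(m/2) figure can be measured directly on a deliberately shortened hash, which is why digest length matters when choosing a hash for signatures. This is an added example, not part of the lecture; truncating SHA-256 to m bits, the function names and the counter-based sample messages are assumptions made for the illustration.

```python
import hashlib


def truncated_hash(message: bytes, m_bits: int) -> int:
    """Top m bits of SHA-256, standing in for an m-bit hash code."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - m_bits)


def find_collision(m_bits: int, prefix: bytes = b"constructed-msg-"):
    """Hash distinct messages until two share the same m-bit value.

    Returns (first_message, second_message, number_of_hashes_computed).
    """
    seen = {}
    count = 0
    while True:
        message = prefix + str(count).encode()
        count += 1
        h = truncated_hash(message, m_bits)
        if h in seen:
            return seen[h], message, count
        seen[h] = message


def effort_table(sizes=(16, 20, 24)):
    """Hashes needed per digest size, next to 2^(m/2) and 2^m."""
    rows = []
    for m in sizes:
        _, _, count = find_collision(m)
        rows.append((m, count, 2 ** (m // 2), 2 ** m))
    return rows


if __name__ == "__main__":
    print("m bits | hashes computed | 2^(m/2) | 2^m")
    for m, count, birthday, brute in effort_table():
        print(f"{m:6d} | {count:15d} | {birthday:7d} | {brute}")
```

The measured counts stay within a small factor of 2^(m/2), so an m-bit digest offers roughly m/2 bits of collision resistance.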

A Letter in 2^38 Variations
(Letter is located on page 330 in textbook)


[Figure 11.8 General Structure of Secure Hash Code: starting from CV0 = IV, the input blocks Y0, Y1, ..., YL–1 are processed in turn; each application of f takes an n‐bit chaining variable and a b‐bit input block, and CVL is the output]
IV = Initial value
CVi = chaining variable
Yi = ith input block
f = compression algorithm
L = number of input blocks
n = length of hash code
b = length of input block

Hash Functions as Message Digests
• The hash value represents concisely the longer message or document from which it was computed; this value is called the message digest.
• One can think of a message digest as a “digital fingerprint” of the larger document.
• Examples of well known hash functions are MD2 and MD5 and SHA


Message‐Digest How to
• A hash function is a math equation that creates a message digest from a message.
• A message digest is used to create a unique digital signature from a particular document.
• MD5 example
[Figure: Original Message (Document, E-mail) → Hash Function → Digest]

MD5: Message Digest Version 5
[Figure: input Message → MD5 → Output 128 bits Digest]


MD5 Hash Function
• MD5 designed by Ron Rivest, MIT Laboratory for Computer Science and RSA Data Security, Inc.
• MD5 documented in Request for Comments: 1321 dated April 1992


MD5 Box
[Figure: 512-bit message chunks (16 words) and an initial 128-bit vector go in; a 128-bit result comes out]
F: (x ∧ y) ∨ (~x ∧ z)
G: (x ∧ z) ∨ (y ∧ ~z)
H: x ⊕ y ⊕ z
I: y ⊕ (x ∨ ~z)
+: binary sum
x <<< y: x left rotate y bits


MD5 Steps
• The following five steps are performed to compute the message digest of the message.
  • Step 1. Append Padding Bits
  • Step 2. Append Length
  • Step 3. Initialize MD Buffer
  • Step 4. Process Message in 16‐Word Blocks
  • Step 5. Output


Step 1. Append Padding Bits
• The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.
• Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.


MD5: Padding
[Figure: the input Message plus Padding is split into 512 bit blocks 1, 2, 3, 4; starting from the Initial Value, the MD5 Transformation is applied block by block; the Final Output is the Output 128 bits Digest]


Step 2. Append Length
• A 64‐bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low‐order 64 bits of b are used. (These bits are appended as two 32‐bit words and appended low‐order word first in accordance with the previous conventions.)


Step 3. Initialize MD Buffer
• A four‐word buffer (A,B,C,D) is used to compute the message digest.
• Here each of A, B, C, D is a 32‐bit register.
• These registers are initialized to the following values (in hexadecimal, low‐order bytes first):

Step 4. Process Message in 16‐Word Blocks (4 Rounds)
[Figures: processing of one 16‐word block in 4 rounds; Round 1 and 2; Round 3 and 4]

ρ2(i) = (1 + 5i) mod 16
ρ3(i) = (5 + 3i) mod 16
ρ4(i) = 7i mod 16

The MD5 Boolean Functions

The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs.

F (X, Y, Z) = XY or not (X) Z
G (X, Y, Z) = XZ or Y not (Z)
H (X, Y, Z) = X xor Y xor Z
I (X, Y, Z) = Y xor (X or not (Z))


Step 5. Output
• The message digest produced as output is A, B, C, D.
• That is, we begin with the low‐order byte of A, and end with the high‐order byte of D.
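Steps 1 to 5 put together in one function, as an added example that is not part of the lecture. The initial buffer values, shift amounts and sine-derived constants come from RFC 1321 (the slides do not reproduce them), and `agrees_with_hashlib` is a helper introduced here to compare against Python's built-in MD5.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# RFC 1321: per-operation left-rotation amounts, four per round.
SHIFTS = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
          [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
# RFC 1321: T[i] = integer part of 2^32 * abs(sin(i + 1)).
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
# RFC 1321: initial values of the A, B, C, D registers (Step 3).
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl32(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK32


def md5_pad(message: bytes) -> bytes:
    """Steps 1 and 2: append 1 bit, 0 bits to 448 mod 512, then the length."""
    bit_len = (8 * len(message)) & 0xFFFFFFFFFFFFFFFF  # low-order 64 bits of b
    padded = message + b"\x80"                          # the single "1" bit
    padded += b"\x00" * ((56 - len(padded)) % 64)       # 56 bytes = 448 bits
    return padded + struct.pack("<Q", bit_len)          # low-order word first


def md5(message: bytes) -> bytes:
    a0, b0, c0, d0 = INIT
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):               # Step 4: 16-word blocks
        x = struct.unpack("<16I", padded[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:      # round 1: F, words in order
                f, k = (b & c) | (~b & d), i
            elif i < 32:    # round 2: G, word index (1 + 5i) mod 16
                f, k = (b & d) | (c & ~d), (1 + 5 * i) % 16
            elif i < 48:    # round 3: H, word index (5 + 3i) mod 16
                f, k = b ^ c ^ d, (5 + 3 * i) % 16
            else:           # round 4: I, word index 7i mod 16
                f, k = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + T[i] + x[k]) & MASK32
            a, d, c = d, c, b
            b = (b + rotl32(f, SHIFTS[i])) & MASK32
        a0, b0 = (a0 + a) & MASK32, (b0 + b) & MASK32
        c0, d0 = (c0 + c) & MASK32, (d0 + d) & MASK32
    # Step 5: low-order byte of A first, high-order byte of D last.
    return struct.pack("<4I", a0, b0, c0, d0)


def agrees_with_hashlib(message: bytes) -> bool:
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    print(md5(b"abc").hex())
    # 55, 56 and 64 bytes sit on either side of the 448-mod-512 boundary.
    print([len(md5_pad(b"a" * n)) for n in (0, 55, 56, 64)])
```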


Secure Hash Algorithm (SHA)
• SHA was originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA‐1
• Based on the hash function MD4 and its design closely models MD4
• Produces 160‐bit hash values
• In 2002 NIST produced a revised version of the standard that defined three new versions of SHA with hash value lengths of 256, 384, and 512
  • Collectively known as SHA‐2


Comparison of SHA Parameters

Algorithm | Message Size | Block Size | Word Size | Message Digest Size
SHA-1 | < 2^64 | 512 | 32 | 160
SHA-224 | < 2^64 | 512 | 32 | 224
SHA-256 | < 2^64 | 512 | 32 | 256
SHA-384 | < 2^128 | 1024 | 64 | 384
SHA-512 | < 2^128 | 1024 | 64 | 512
SHA-512/224 | < 2^128 | 1024 | 64 | 224
SHA-512/256 | < 2^128 | 1024 | 64 | 256

Note: All sizes are measured in bits.

[Figure 11.9 Message Digest Generation Using SHA-512: the message of L bits is extended with padding 1000000...0 and a 128-bit field holding L to N × 1024 bits; the 1024-bit blocks M1, M2, ..., MN are processed by F in turn, starting from IV = H0 and giving the 512-bit values H1, H2, ..., HN, where HN is the hash code. + = word-by-word addition mod 2^64]


[Figure 11.10 SHA-512 Processing of a Single 1024-Bit Block: the message schedule derives the 64-bit words W0 ... W79 from Mi; Round 0 to Round 79 update the working variables a b c d e f g h, taken from Hi–1, using Wt and Kt; the result is added (+) word by word to Hi–1 to give Hi]

SHA‐512 Constants
(Table can be found on page 336 in textbook)


[Figure 11.11 Elementary SHA-512 Operation (single round): the working variables a b c d e f g h (512 bits) are updated using Maj, Ch, the two Σ functions, additions (+), Wt and Kt]

[Figure 11.12 Creation of 80-word Input Sequence for SHA-512 Processing of Single Block: W0 to W15 are the sixteen 64-bit words of the 1024-bit block Mi; each later word Wt, up to W79, is formed by addition (+) from Wt–16, Wt–15, Wt–7 and Wt–2 using σ0 and σ1]


The padded message consists of blocks M1, M2, … MN. Each message block Mi consists of 16 64-bit words Mi,0, Mi,1 … Mi,15. All addition is performed modulo 2^64.

H0,0 = 6A09E667F3BCC908    H0,4 = 510E527FADE682D1
H0,1 = BB67AE8584CAA73B    H0,5 = 9B05688C2B3E6C1F
H0,2 = 3C6EF372FE94F82B    H0,6 = 1F83D9ABFB41BD6B
H0,3 = A54FF53A5F1D36F1    H0,7 = 5BE0CD19137E2179

for i = 1 to N
  1. Prepare the message schedule W:
     for t = 0 to 15
        Wt = Mi,t
     for t = 16 to 79
        Wt = σ1^512(Wt–2) + Wt–7 + σ0^512(Wt–15) + Wt–16
  2. Initialize the working variables
     a = Hi–1,0    e = Hi–1,4
     b = Hi–1,1    f = Hi–1,5
     c = Hi–1,2    g = Hi–1,6
     d = Hi–1,3    h = Hi–1,7
  3. Perform the main hash computation
     for t = 0 to 79
        T1 = h + Ch(e, f, g) + Σ1^512(e) + Wt + Kt
        T2 = Σ0^512(a) + Maj(a, b, c)
        h = g
        g = f
        f = e
        e = d + T1
        d = c
        c = b
        b = a
        a = T1 + T2
  4. Compute the intermediate hash value
     Hi,0 = a + Hi–1,0    Hi,4 = e + Hi–1,4
     Hi,1 = b + Hi–1,1    Hi,5 = f + Hi–1,5
     Hi,2 = c + Hi–1,2    Hi,6 = g + Hi–1,6
     Hi,3 = d + Hi–1,3    Hi,7 = h + Hi–1,7
return {HN,0 || HN,1 || HN,2 || HN,3 || HN,4 || HN,5 || HN,6 || HN,7}

Figure 11.13 SHA-512 Logic
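The logic of Figure 11.13 as runnable code, checked against Python's built-in SHA-512; this is an added example, not part of the lecture. Instead of typing in the 80 round constants, it derives Kt and H0 the way FIPS 180-4 defines them (fractional parts of cube and square roots of the first primes); the rotation amounts in the σ and Σ functions also come from FIPS 180-4, and the helper names are introduced here.

```python
import hashlib

MASK64 = (1 << 64) - 1


def _first_primes(n):
    primes, candidate = [], 2
    while len(primes) < n:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes


def _iroot(x, k):
    """Floor of the k-th root of x, by binary search on integers."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


# First 64 bits of the fractional parts of the cube roots of the first
# 80 primes (Kt) and of the square roots of the first 8 primes (H0).
K = [_iroot(p << 192, 3) & MASK64 for p in _first_primes(80)]
H0 = [_iroot(p << 128, 2) & MASK64 for p in _first_primes(8)]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def big_sigma0(a): return rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)
def big_sigma1(e): return rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)
def small_sigma0(w): return rotr(w, 1) ^ rotr(w, 8) ^ (w >> 7)
def small_sigma1(w): return rotr(w, 19) ^ rotr(w, 61) ^ (w >> 6)
def ch(e, f, g): return (e & f) ^ (~e & g)
def maj(a, b, c): return (a & b) ^ (a & c) ^ (b & c)


def pad(message: bytes) -> bytes:
    """Append the 1 bit, zeros to 896 mod 1024, then the 128-bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    return padded + (8 * len(message)).to_bytes(16, "big")


def sha512(message: bytes) -> bytes:
    h = list(H0)
    padded = pad(message)
    for off in range(0, len(padded), 128):            # for i = 1 to N
        # 1. Message schedule
        w = [int.from_bytes(padded[off + 8 * t:off + 8 * t + 8], "big")
             for t in range(16)]
        for t in range(16, 80):
            w.append((small_sigma1(w[t - 2]) + w[t - 7] +
                      small_sigma0(w[t - 15]) + w[t - 16]) & MASK64)
        # 2. Working variables
        a, b, c, d, e, f, g, hh = h
        # 3. Main hash computation
        for t in range(80):
            t1 = (hh + ch(e, f, g) + big_sigma1(e) + w[t] + K[t]) & MASK64
            t2 = (big_sigma0(a) + maj(a, b, c)) & MASK64
            hh, g, f, e = g, f, e, (d + t1) & MASK64
            d, c, b, a = c, b, a, (t1 + t2) & MASK64
        # 4. Intermediate hash value
        h = [(x + y) & MASK64 for x, y in zip((a, b, c, d, e, f, g, hh), h)]
    return b"".join(x.to_bytes(8, "big") for x in h)


def agrees_with_hashlib(message: bytes) -> bool:
    return sha512(message) == hashlib.sha512(message).digest()


if __name__ == "__main__":
    print(sha512(b"abc").hex())
    print(all(agrees_with_hashlib(b"a" * n) for n in (0, 111, 112, 128, 300)))
```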

SHA‐3

SHA‐1 has not yet been "broken"
• No one has demonstrated a technique for producing collisions in a practical amount of time
• Considered to be insecure and has been phased out for SHA‐2

SHA‐2 shares the same structure and mathematical operations as its predecessors so this is a cause for concern
• Because it will take years to find a suitable replacement for SHA‐2 should it become vulnerable, NIST decided to begin the process of developing a new hash standard

NIST announced in 2007 a competition for the SHA‐3 next generation NIST hash function
• Winning design was announced by NIST in October 2012
• SHA‐3 is a cryptographic hash function that is intended to complement SHA‐2 as the approved standard for a wide range of applications


The Sponge Construction
• Underlying structure of SHA‐3 is a scheme referred to by its designers as a sponge construction
• Takes an input message and partitions it into fixed‐size blocks
• Each block is processed in turn with the output of each iteration fed into the next iteration, finally producing an output block
• The sponge function is defined by three parameters:
  • f = the internal function used to process each input block
  • r = the size in bits of the input blocks, called the bitrate
  • pad = the padding algorithm

[Figure 11.14 Sponge Function Input and Output: (a) Input: the message of n bits plus pad gives k × r bits, split into r-bit blocks P0, P1, ..., Pk–1; (b) Output: l bits taken from the r-bit blocks Z0, Z1, ..., Zj–1]


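[Figure 11.15 Sponge Construction: the state has b bits, divided into r bits and c bits, and starts as 0^r 0^c; (a) Absorbing phase: each block P0, P1, P2, ..., Pk–1, extended with 0^c, is combined with the state before f is applied; (b) Squeezing phase: the output blocks Z0, Z1, ... are taken from the r-bit part of the state between applications of f]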

SHA‐3 Parameters

Message Digest Size | 224 | 256 | 384 | 512
Message Size | no maximum | no maximum | no maximum | no maximum
Block Size (bitrate r) | 1152 | 1088 | 832 | 576
Word Size | 64 | 64 | 64 | 64
Number of Rounds | 24 | 24 | 24 | 24
Capacity c | 448 | 512 | 768 | 1024
Collision resistance | 2^112 | 2^128 | 2^192 | 2^256
Second preimage resistance | 2^224 | 2^256 | 2^384 | 2^512

Note: All sizes and security levels are measured in bits.


      x=0      x=1      x=2      x=3      x=4
y=4   L[0, 4]  L[1, 4]  L[2, 4]  L[3, 4]  L[4, 4]
y=3   L[0, 3]  L[1, 3]  L[2, 3]  L[3, 3]  L[4, 3]
y=2   L[0, 2]  L[1, 2]  L[2, 2]  L[3, 2]  L[4, 2]
y=1   L[0, 1]  L[1, 1]  L[2, 1]  L[3, 1]  L[4, 1]
y=0   L[0, 0]  L[1, 0]  L[2, 0]  L[3, 0]  L[4, 0]

(a) State variable as 5 × 5 matrix A of 64-bit words

a[x, y, 0]  a[x, y, 1]  a[x, y, 2]  ...  a[x, y, z]  ...  a[x, y, 62]  a[x, y, 63]

(b) Bit labeling of 64-bit words

Figure 11.16 SHA-3 State Matrix

[Figure 11.17 SHA-3 Iteration Function f: Round 0 to Round 23, each consisting of the theta (θ) step, the rho (ρ) step with rot(x, y), the pi (π) step, the chi (χ) step and the iota (ι) step with the round constant RC[0] ... RC[23]]


Step Functions in SHA‐3

Function | Type | Description
θ | Substitution | New value of each bit in each word depends on its current value and on one bit in each word of preceding column and one bit of each word in succeeding column.
ρ | Permutation | The bits of each word are permuted using a circular bit shift. W[0, 0] is not affected.
π | Permutation | Words are permuted in the 5 × 5 matrix. W[0, 0] is not affected.
χ | Substitution | New value of each bit in each word depends on its current value and on one bit in next word in the same row and one bit in the second next word in the same row.
ι | Substitution | W[0, 0] is updated by XOR with a round constant.

[Figure: θ and χ step functions, each shown on the 5 × 5 matrix of lanes L[x, y] for x = 0 ... 4 and y = 0 ... 4, with the lane L[2, 3] as the example]

(a) θ step function: L[2, 3] ← C[1] ⊕ L[2, 3] ⊕ ROT(C[3], 1)

(b) χ step function: L[2, 3] ← L[2, 3] ⊕ (NOT L[3, 3]) AND L[4, 3]


      x=0      x=1      x=2      x=3      x=4
y=4   Z[0, 4]  Z[1, 4]  Z[2, 4]  Z[3, 4]  Z[4, 4]
y=3   Z[0, 3]  Z[1, 3]  Z[2, 3]  Z[3, 3]  Z[4, 3]
y=2   Z[0, 2]  Z[1, 2]  Z[2, 2]  Z[3, 2]  Z[4, 2]
y=1   Z[0, 1]  Z[1, 1]  Z[2, 1]  Z[3, 1]  Z[4, 1]
y=0   Z[0, 0]  Z[1, 0]  Z[2, 0]  Z[3, 0]  Z[4, 0]

(a) Lane position at start of step

      x=0      x=1      x=2      x=3      x=4
y=4   Z[2, 0]  Z[3, 1]  Z[4, 2]  Z[0, 3]  Z[1, 4]
y=3   Z[4, 0]  Z[0, 1]  Z[1, 2]  Z[2, 3]  Z[3, 4]
y=2   Z[1, 0]  Z[2, 1]  Z[3, 2]  Z[4, 3]  Z[0, 4]
y=1   Z[3, 0]  Z[4, 1]  Z[0, 2]  Z[1, 3]  Z[2, 4]
y=0   Z[0, 0]  Z[1, 1]  Z[2, 2]  Z[3, 3]  Z[4, 4]

(b) Lane position after permutation

Figure 11.19 Pi Step Function


Round Constants in SHA‐3

Round  Constant (hexadecimal)  Number of 1 bits  Round  Constant (hexadecimal)  Number of 1 bits
0 0000000000000001 1 12 000000008000808B 6
1 0000000000008082 3 13 800000000000008B 5
2 800000000000808A 5 14 8000000000008089 5
3 8000000080008000 3 15 8000000000008003 4
4 000000000000808B 5 16 8000000000008002 3
5 0000000080000001 2 17 8000000000000080 2
6 8000000080008081 5 18 000000000000800A 3
7 8000000000008009 4 19 800000008000000A 4
8 000000000000008A 3 20 8000000080008081 5
9 0000000000000088 2 21 8000000000008080 3
10 0000000080008009 4 22 0000000080000001 2
11 000000008000000A 3 23 8000000080008008 4

Summary
• Summarize the applications of cryptographic hash functions
• Explain why a hash function used for message authentication needs to be secured
• Understand the operation of SHA‐512
• Understand the differences among preimage resistant, second preimage resistant, and collision resistant properties
• Present an overview of the basic structure of cryptographic hash functions
• Describe how cipherblock chaining can be used to construct a hash function
