——— Digiter Signatuas (¢. ommence] — Signafute’ proof efyfeln- Ly Rayrmmetic. ley Cvpplopep le an ie Juon count sanla a b Crees phien city private key rel Decryption wilh pobeleke Ly Wel fot Aukontitation ancl lone Repudbation Correct pasen Cannot dong “end a d i (gh Sip nature ) Aaistent x with | 'g pute beg pee “7 a 2 7 <9 or JEN Po key@®) 4 I cre Qafecabi be eal ~ [Pe TANG wijh Senalen's d brat | r 27/50 ei Pobticery | Alyn tam ei se | Plain tert ts | lid nol ) . — Receinen ji led Sproan ELGamAL va igites Signore Soho = Enayptin — Public “4 —ducy jon Puyivele 7 Scanned with CamScannera SPE rere Woking \- ( Sebeck-2q Prime member (4) O) Select a prtioniting dpot (X)oh 4’ 2, Geneate a stanclom dndeger © Xa) \o Xa 4U7! Xn CDeompute Yx = (A) mod 4, ©) Concrete Kags for wer @ Private leg — Ka Purrtic. egy => {4d ed © Conwiele hash code em fort the plain Lert (™ ) 7 HM) | Ocmei. ' @ Gurerals a Mander Setggort k rekog-1 ana ged (yd B= I @ Now cabeutate Sand SS, = ol m0 4 Se eo! (mm %aS1) OF go) (} Now won got The Sfgrduas pain fi 4.4) J B's SiAk, aaaane w cdledate y, aol Va Nye a ae Ve = y) (5) “aed 9 Yo ev -2p Signet une ig Walid ib WAVE => Nob Kabicl Scanned with CamScanner {Mes Exam : ee 9-19 ane A= /0 Now, Rendon Jabsgen Xm CI ECU!) 12 xn Sl? => Deze] Ya = noel 2 (10) moe! 4 zl You ; ; Ma DIE Oleg. pitty 3 ") ; 2 Ye 4 2 OU 10) Pusstic ber L44 Now genarate Aash code Cm) 9) ane hi) o&8mMedl of msl? @ Crenvale (16) odkeq-) al golcKig) =| Ok KEI? aro Bea Caen) . ES] 5 S Caleulalé g,2 ofmedg 7 (12) moe 19 = 3 { Scanned with CamScanner2 m= Xa) med dnd | x) | 11 29 RK med q7! 5x2 21 4 ps > § mod q-! Syl y 2S xQverdmedia) “Te 211) ce le“ (m= Xa Jrmrod ge) = \1 CM =16%3) mod 19 ny (14-43) mod I? -~3TYmod 17 S=4 6,8 2CS4) SO 5 £10 hod 14 216 ™ yz a modd eed Nee [v0] (s jaca Ad) xs"not 9 Gy x Bl mod ae SN EES LL a S1euUmod 14 \s 2 le | ae Signet {s wotot Scanned with CamScanner Now Nt=X mpc \ | mbbits es CAC LT MME NN ER A NR LE Nar Ci phos Bateo| MAc (CNAC ) UY hes me sire Linsl + Rareol om block Ciphers Ls giro mmemage. fs clinicles) into equal no oof bloc. j¢ Cocsplet aaa blocks aro) ach hw in (gaa rH GA ae le le oe or o & é %G co 4 athas Be Nae eq EL AD CG ee cH AOer)) a G C* in.0%)) eg (esa @ Om) Cr [soe 9 eff Tap most bits Scanned with CamScannerCohnoug digit! Sigrohus SChpine The Schunt [1s ba pea) On Curing 4 Prime wrookedocd Pr po) honing a Prin fac fo gh tapicte Pepe Siae) Heth 'S P-l Shoo q) WR WR 24 gt 92 ,/6 ae q , ap ae Pfs ayor4 dof number, Q uea /é0 bit quaben, by One A Gungrahon, - 1 Choose primey pars 4 sub thot 4 US pln Jere has KP gq such that aka jrod p. The whus 4, 2. Choose An dal: parol gq Comprire a lobed public. leg Hak co Become | to gree &4 Wer , | 2B. Choose & stanclom a ie og seg. Mists Feuscsel | pai vals ley. | ug, Caleulale V2 a*rcol p. This iste wrens pute keg | Slep2:- Hep cae Grenespbiory + 1, Choose a Hanelony fal: x with 06 H, @ sf is congo tn V rrodd Pr other oiSe sojecter! . Scanned with CamScanner0 . Mewes Sua cp Sopot Ness 11 3 Sr ‘ iz 1h Wy | [Hosa LE 1 Pat] "Oi a yory 02-4 vt Pecloti, Example. Cmsidey Sopot Memage “abe (Asc ods a- 47, b- 99, 44) Reptorent in dima oe Olloooo | ONO0Ol0 ON0001) L fateh fad4 ay 2378 ws M Leaginy 2 24 br : iI OG) aed ayes’ a 9 @ ae Neeolas4 myer ete = 39% wrod iy | N onal nF tos 896 oa wrod 10942 96 Li dad 292. Bik a maruaze such that Message tyr mod Jory 2 81 wep 992 Di fo be pactdea| - 1 bet fellowes by PHI zeae yas) 2G ON tg oljogee! Gllegole © 110001) ooo $US ik ah the Mrof ote dhe mesy fo 1296 Paol che orginek beng cA i olroo0 0! 000010 0110001) es i ge _linglh as Te, Hexa daci rel valur of 4 ic 1% 000.0000000000000 00000000000000 IP Scanned with CamScannerSSE R02 ‘Y How mr bits you baltl pao Jor inpet mestepe longi] Oh 249 bis > Meaea- bengin = = 816 mod 02-4 DAYT moe 0242 3e0 F516 9 Bua tS46 med (0247 aq peal 546 bi5 Chocn | Poltowses) Ciel’ Nessoge lengh i fs 2944, Adal de mensage.langh (2-499) 04 179 bits af 44 ene] Tolek bik widthe 2IN4FI2F = $0F® Jypry ©” This Is ee buf The N blocks Of Sige 102-4 SPE ra] Cm Das] food lord 1034 map apcae ta Scanned with CamScannerSECTION 122 SHA-SI2. 367 example, AES is a good candidate for this purpose. Figure 12.4 shows the Matyas Meyer-Oseas scheme. Figure 12.4 Matyas-Meyer-Oseas scheme Padded message: locks bits bits My Mi 7 Miyaguchi-Preneel Scheme The Miyaguchi-Preneel scheme is an extended ver- sion of Matyas-Meyer-Oseas. To make the algorithm stronger against attack, the plain- text, the cipher key, and the ciphertext are all exclusive-ored together to create the new digest. This is the scheme used by the Whirlpool hash function, Figure 12.5 shows the Miyaguchi-Preneel scheme. Figure 12.5 Miyaguchi-Preneel scheme Padded message: blocks bits bits bits é 12.2 SHA-512 : ‘SHA-512 is the version of SHA with a'512-bit message digest. This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme. We have chosen this particular version for discussion because itis the latest version, it has a ‘more complex structure than the others, and its message digest is the longest. Once the structure of this version is understood, it should not be difficult to understand the struc- tures of the other versions. For characteristics of SHA-S12 see Table 12.1. Introduction ‘SHA-512 creates a digest of $12 bits from a multiple-block message. Each block is 1024 bits in length, as shown in Figure 12.6. Scanned with CamScanner1: OP aon gone pte 368 CHAPTER 12. CRYPTOGRAPHIC HASH FUNCTIONS Figure 12.6 Message digest creation SHA-512 Augmented message: multiple of 1024-bit blocks Block 1 Block? Block N 1024 bits 1024 bits . 1024 bits fsizbis}— S12 bis 512 bis] oa 512 bits} —f512 bits] Thitial v : Message value digest ‘The digest is initialized to a predetermined value of $12 bits. The algorithm mixes this initial value with the first block of the message to create the first intermediate mes- sage digest of 512 bits, This digest is then mixed with the second block to create the second intermediate digest, Finally, the (N~ I)th digest is mixed with the Nth block to create the Nth digest. When the last block is processed, the resulting digest is the mes- sage digest for the entire message. Message Preparation SHA-512 insists that the length of the original message be less than 2!8 bits. This means that if the length of a message is equal to or greater than 2128, it will not be pro- cessed by SHA-512. This is not usually a problem because 2'78 bits is probably larger than the total storage capacity of any system. ‘SHA-SI2 creates a $12-bit message digest out of a message less than 2178, Example 12.1 . ‘This example shows that the message length limitation of SHA-512 is not a serious problem. Suppose we need to send a message that is 28 bits in length. How long does it take for a com- ‘munications network with a data rate of 2 bits per second to send this message? Solution ‘A communications network that can send 2% bits per second is not yet available. Even ifit were, it would take many years to send this message, This tells us that we do not need to worry about the SHA-512 message length restriction. Example 12.2 This example also concerns the message length in SHA-S12. How many pages are occupied by a message of 2!78 bits? Scanned with CamScannerSECTION 12.2. SHA-SI2 369 Solution ‘Suppose that a characteris 64, or 2 bits. Each page See Ns Anette 2287240219 worry about the message length restriction. is less than 2048, or appr pages. This again shows that we need not Length Field and Padding Bofire the message digest can be created, SHA-$12 requires the addition of a 128-bit unsignedinteger length ficld to the message that defines the length of the message in bits. This isthe length of the original message before padding. An unsigned integer field of 128 bits can define a number between 0 and 2'28 — 1, which is the maximum Tength of the message allowed in SHA-S12. The length field defines the length of the ‘original message before adding the length field or the padding (Figure 12.7). Figure 12.7 Padding and length field in SHA-S12 Length < 28 Length: variable Length = 128 Original Padding message 1090000000... 00000 | Multiple of 1024 bits Before the addition of the length field, we need to pad the original message to make the length a multiple of 1024. We reserve 128 bits for the length field, as shown in Figure 12.7. The length of the padding field can be calculated as follows. Let [M] be the length of the original message and |P| be the length of the padding field. CR Te ‘The format of the padding is one 1 followed by the necessary number of Os. Example 12.3 ‘What is the number of padding bits if the length of the original message is 2590 bits? Solution ‘We can calculate the number of padding bits as follows: ‘The padding consists of one | followed by 353 0's, Example 12.4 ‘Do we need padding ifthe length of the original message is already a multiple of 1024 bits? Solution Yes we do, because we need to add the length field. So paddling is needed to make the new block ‘a multiple of 1024 bits. Scanned with CamScanner370 CHAPTER 12. CRYPTOGRAPHIC HASH FUNCTIONS ample 12.. What is the minimum and maximum number of padding bits that can be added to a message? Solution ‘8. The mininvum length of padding is 0 and it happens when (-M ~ 128) mod 1024 is 0. ‘This means that [M|=~128 mod 1024 = 896 mod 1024 bits. In other words, the last block in the original message is 896 bits, We add a 128-bit length field to make the block complete, b, The maximum length of padding is 1023 and it happens when (-[M| ~128) = 1023 mod 1024, This means that the length of the original message is |M| = (-128-1023) mod 1024 or the length is [M| = 897 mod 1024. In this case, we cannot just add the length field because the length of the last block exceeds one bit more than 1024, So we need to add 897 bits to complete this block and create a second block of 896 bits. Now the length can be added to make this block complete. Words SHA-512 operates on words; it is word oriented. A word is defined as 64 bits. This means that, after the padding and the length field are added to the message, each block of the message consists of sixteen 64-bit words. The message digest is also made of 64-bit words, but the message digest is only eight words and the words are named A, B, C, D, E, F, G, and H, as shown in Figure 12.8. Figure 12.8 4 message block and the digest as words 16 words, each of 64 bits= 1024 bits Message block o] Ts i I 8 words, each of 64 bits= $12 bits Message dget LAL® | CTD] e [Plo pa SHA-252 Is word-orlented. Each block Is 16 words; the digest is only 8 words. Word Expansion Before processing, each message block must be expanded, A block is made of 1024 bits, or sixteen 64-bit words. As we will see later, we need 80 words in the processing Phase, So the 16-word block needs to be expanded to 80 words, from Wo €0 Wy. Figs tre 12.9 shows the word-expansion process. The 1024-bit block becomes the first 16 Words; the rest of the words come from already-made words according to the operation shown in the figure Scanned with CamScannerSECTION 12.2 SHA-5I2. 371 Figure 12.9 Word expansion in SHA-S12 Wine Was Wer Wir PTT TOS FH | RIT. TAT] t v] Dil! RotShif (1); Rot (2) G RotRy (8) SHU, 2) RotR, (x): Right-rotation of the argument x by i bits ShL (xy: Shi eft of the argument x by /bis and padding the let by O's. Example 12.6 ‘Show how Wgo is made. Solution Each word in the range Wg t0 Wg is made from four previously-made words. Weg is made as ‘Woo = Was © RotShifty.s.7 (Was) © Ws; © RotShiftys 61.6 (Wse) Message Digest Initialization ‘The algorithm uses eight constants for message digest initialization, We call these con- stants Ag fo Hy to match with the word naming used for the digest. Table 12.2 shows the value of these constants. Table 12.2 Values of constants in message digest initialization of SHA-512 Buffer Value (in hexadecimal) | Buffer” | Value (in hexadecimal) ‘Ao GA0SES67FSBCC908 Ey 510B527FADE662D1 Bo BB67ABO584CAA733 Fo 9BOS688C2B3E6C1F Co 3C6EF372EF94F82B Gy 1FS3D9ABFB41BD6B Do ‘AS4FES3ASFID36F1 Hy ‘SBEOCD1913752179 The reader may wonder where these values come from. The values are calculated from the first eight prime numbers (2, 3, 5, 7, 11, 13, 17, and 19). Each value is the frac- tion part of the square root of the corresponding prime number after converting to binary and keeping only the first 64 bits. For example, the eighth prime is 19, with the square root (19)! = 4.35889894354, Converting the number to binary with only 664 bits in the fraction part, we get a oman Oda STS BRIE ILRI ES peed SHA-512 keeps the fraction part, (SBE0CD19137E2179)j6, as an unsigned integer. Scanned with CamScanneran CHAPTER 12 CRYPTOGRAPHIC HASH FUNCTIONS: Compression Function SHA-S12 creates a 512-bit (eight 64-bit words) message digest from a multiple-block message where cach block is 1024 bits, The processing of each block of data in SHA- S512 involves 80 rounds, Figure 12.10 shows the general outline for the compression function, In cach round, the contents of eight previous buffers, one word from the expanded block (W,), and one 64-bit constant (K;) are mixed together and then oper~ ited on to create a new set of eight buffers. ACthe beginning of processing, the values of the eight buffers are saved into eight temporary variables. At the end of the process: ing (after step 79), these values are added to the values ereated from step 79. We call this last operation the final adding, as shown in the figure. eee Figure 12.10 Compression function in SHA-S12 Results ofthe previous block othe inital digest Bled > [eal rlee? aL | ARAHAAHAAAE A Bipeup papeupFralen us ‘Vales forthe next blook or the final digest Scanned with CamScannerSECTION 12.2. SHA-SI2, 373 Structure of Each Round In each round, eight new values for the 64-bit buffers are ereated from the values of the buffers in the previous round. As Figure 12,11 shows, six buffers are the exact copies of cone of the buffers in the previous round as shown below: Sit ASB BSC C4D EsF FSG ‘Two of the new buffers, A and E, receive their inputs from some complex functions that involve some of the previous balers, the corresponding word for this round (W,), and the corresponding constant for this round (Kj). Figure 12.11 shows the structure of. each round, Figure 12.11 Structure ofeach round in SHA-512 Round x Y (oA) WE fee TTT] 2) Rotate (2) [AND y) @ GANDA @ AND) [ RorRs © Rois) © Retkin Conditional (x 942) AND») @ (NOTSAND B eatiton modo 24 RorR,(s): Rightrotation of the argument x by Tits eS ee Scanned with CamScanner374 CHAPTER 12 CRYPTOGRAPHIC HASH FUNCTIONS. There are two mixers three functions, and several operators. Each mixer combines ‘ovo functions. The description of the functions and operators follows: 1. The Majority function, as we call it, is a bitwise function. It takes three corre- sponding bits in three buffers (A, B, and C) and caleulates (AND B® (B/ANDG) @ (GANDA) ‘The resulting bit is the majority of three bit ing bit is 1; otherwise itis 0. 2. ‘The Conditional function, as we call it is also a bitwise function, It takes three cor- responding bits in three buffers (E, F, and G) and calculates (EJAND F)) ® (NOT EANDG) ‘The resulting bit isthe logic “IE; then Fj; else G;" 3. The Rotate function, as we call it, right-rotates the three instances of the same buffer (A or E) and applies the exclusive-or operation on the results. Rotate (A): Rothyq(A) ® RotRs4(A) ® Rotyg(A) Rotate (E): RotRyg(E) ® RotRy4(E) © RotRy(E) 4, The right-rotation function, RotRj(x), is the same as the one we used in the word- expansion process. It right-rotates its argument bits; itis actually a circular shift: right operation. 5. The addition operator used in the process is addition modulo 2, This means that the result of adding two or more buffers is always a 64-bit word. 6, There are 80 constants, Ko to Kyp, each of 64 bits as shown in Table 12.3 in hexa- decimal format (four in a row). Similar to the initial values for the eight digest buffers, these values are calculated from the frst 80 prime numbers (2, 3,.... 409). Iftwo or three bits are 1's, the result- Table 12.3 Eighty constants used for eighty rounds in SHA-512 “@zeazPoaD720aH22 [7137449329RF65CD | BSCOFBCYECADIB” |ESBSDBASBIO9DERC 395eczspr3ae53e |SoviiiFipsospois | sz3rsza4arisayse | aBicSEDSDASDS116 e07AA96A3030262 |12635B0i45706rBE | 243185EEAREABZEC |$50CTDCIDSFFBGEZ ‘yapesp74¥27B096F | eODRBIFE3B169681 | 9BDCO6A725C71235 |c19BFI74CRE92694 eopescisEri4an2 |EPBR(796304"25H3 | OFCi9DcseBEcDSBS | 240caicc77Ac9cES, ‘2DB9206759280275 |4A7484AAGEAGE483 | ScBOASDCEDAL¥EDA |76798eDAe3115305 se2esisaezespeap |as3icssp2D8¢3210 | B00327cs9arBzi3¥ | sP537¥C7BEEFOEES cezoonr22paserc2 |D5A72147990AA725 | o6cacssis003azéP |142929670x086870 2revoassasp2arRc |2E1821385¢26c926 | spaceDrcsacé2agD |53360D13sD9SB30F ss0a73Ssenareapz |766A0ABB3c7752A8 | 61c2c92E47"DARES |9272208514823538 AzBrEaiicr10364 | Agiasc4pBcs23001 | c2anan7on0res791 |c7écs1as0es4BE30 piszesispeers2is |pe99062assesas10 | r4oE35ass7712028 | 10¢aao7032BE0128 asasciispen2p0ce |12376c085141a853 | 274877AcDPEEED99 | 34BOBCBSELSBAEAS 382C0CB3C5C95A62 | AEDAAAAZI420ACB | SBSCCAAY7763E373 | 6e2EérF3DEE2B0A9 ‘yaarezeesperszrc | 7eas36r43172"60 | 94ce7a14aiFoas72 |ecc7oz0ezas439z¢ soperrraz3¢2an2e |adsoccespeszenes | BEr9a3¥7B2c67915 |c67170F289725320 caz73ecezaz66a9¢ |Dieenec72icocz07 | EADA7DDscDmORBIE |PS7D4F7FEEGEDI72 06r067AA72376¥BA |0AS370C5A2C89EA6 | 12379604BEFSODAE |15710535131C4718 26p877"523047D84 |32CAAB7B40C72493 | SC9EBEOAISC9BERC | 43zDs7C4scLOODIC accspspece3e42B6 |4597P299CFC657E2 | SFCBGFABIADGFAEC |6C44198C4AC75617 Scanned with CamScannerSECTION 12.2 SHA-S12 375 Each value is the fraction part of the cubic root of the corresponding prime number after converting it to binary and keeping only the first 64 bits. For example, the 80th prime is 409, with the cubic root (409)' = 7.42291412044, Converting this number to binary with only 64 bits in the fraction part, we get (11,0110 11000100 0100. .0111), 9 (7.6C44198C4A475817),g SHA-512 keeps the fraction part, (6C44198C4A475817) 6, a8 an unsigned integer. Example 12.7 We apply the Majority function on buffers A, B, and C, Ifthe leftmost hexadecimal digits of these buffers are Ox7, OxA, and OxE, respectively, what is the leftmost digit ofthe result? Solution ‘The digits in binary are 0111, 1010, and 1110. a, The first bits are 0, 1, and 1, The majofty is 1. We can also prove it using the definition of the Majority function: AND 1) @WUAND I SAND ROS Test b. The second bits are 1, 0, and 1, The majority is 1 . The third bits are 1, 1, and 1. The majority is 1. 4. The fourth bits are 1, 0, and 0. The majority is 0. ‘The result is 1110, or OxE in hexadecimal. Example 12.8 We apply the Conditional function on E, F, and G buffers. If the leftmost hexadecimal digits of these buffers are 0x9, OxA, and OxF respectively, what is the leftmost digit of the result? Solution The digits in binary are 1001, 1010, and 1111. a. The first bits are 1, 1, and 1. Since E, = 1, the result is F,, which is 1, We can also use the definition of the Condition function to prove the result: The second bits are 0, 0, and 1. Since Ep is 0, the result is Gp, which is 1. . The third bits are 0, 1, and 1, Since Bs is 0, the result is G3, which is 1. 4. The fourth bits are 1,0, and 1, Since E, is 1, the result is Fy, which is 0, ‘The result is 1110, or OXE in hexadecimal, Analy: With a message digest of $12 bits, SHA-S12 expected to be resistant to all attacks, including collision attacks. It has been claimed that this version’s improved design makes it more efficient and more secure than the previous versions. However, more research and testing are needed to confirm this claim, Scanned with CamScannerVaticbee eggeh foot) LAlmymmrmg ee mm) uy + Sanit 2 Sb bill —— rsh dyn (Seen) el > essays shading ye tel ly = 67uS230! : Az Mo = Eee wie coe EFCDABAI eel Ca ty, = asencnFé i a los2su76 veaeke ‘ 2c 3d2reifo <1 -c ABD + AND Kut 5A827999 OCtSI9 —7 & noon, genaesar mStesa > BOO >" Kaz = 6E DACD ge ieBcDe Yosh Sst > Bc AB? = iD Kato gneiDe Soct 79» BOO Kut = Ae ayo yO Meng Or oD Mea hg 9 Wo & D vig My @ hy Koobit 2 pe] nas voles tbe bits ) Scanned with CamScanner