
Hash Functions - Institute of Computer Science and Technology, Peking University



Foundations of Cryptography, Chapter 4: Hash Functions. Peking University, Zhu Yan, Yan.zhu@pku.edu.cn, 2010/10/15


Contents
1. Hash functions and data integrity
2. Security of hash functions
3. Iterated hash functions
4. Message authentication codes
5. Unconditionally secure message authentication codes (optional)


Homework. Hash functions and data integrity, security: 4.1, 4.5, 4.6. Iterated hash functions and message authentication codes: 4.9, 4.10.


What is a hash function? A function H(X) = Y is called a hash function iff:
randomness: the output Y is uniformly distributed;
one-wayness: given Y, finding X is infeasible;
collision-freeness: distinct X1, X2 with H(X1) = H(X2) cannot be found efficiently;
efficiency: it can be computed quickly.


4.1 Hash functions and data integrity. A hash function provides data integrity: the hash value is a short fingerprint of the data, also called a message digest, and a hash function is also called a one-way function. Suppose $h$ is a hash function. Alice computes the hash value $y = h(x)$ of the data $x$, sends $x$ to Bob over an insecure channel and $y$ to Bob in a secure way. Bob checks whether the received data $x'$ has been tampered with: if $y = h(x')$ holds, the data is unmodified; otherwise it has been tampered with. Requirements on the hash function: for ease of transmission the hash value must be a short value of fixed length, typically 160 bits, while the length of the input data is unrestricted.


4.1 Hash functions and data integrity (continued). A further problem: if Alice sends both $x$ and $y = h(x)$ to Bob over the insecure channel, Bob can no longer detect tampering by the method above, because an attacker can replace $x$ with a tampered $x'$ and $y$ with $y' = h(x')$. Solution: Alice uses a keyed hash function $h$ and computes $y = h_K(x)$, where the key $K$ is shared by Alice and Bob and kept secret from everyone else.


4.1 Hash functions and data integrity. Summarizing the above, the mathematical definition of a hash function. Definition 4.1. A hash family is a four-tuple $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{H})$ such that:
1. $\mathcal{X}$ is the set of all possible messages;
2. $\mathcal{Y}$ is the finite set of all possible message digests (authentication tags);
3. $\mathcal{K}$, the key space, is the finite set of all possible keys;
4. for each $K \in \mathcal{K}$ there is a hash function $h_K \in \mathcal{H}$ with $h_K : \mathcal{X} \to \mathcal{Y}$;
5. note: an unkeyed hash function can be regarded as a hash family with a single key: $y = h_k(x)$, $x \in \mathcal{X}$, $y \in \mathcal{Y}$, $k \in \mathcal{K}$, $h_k \in \mathcal{H}$.


4.1 Hash functions and data integrity. Topics of this chapter: security of hash functions; iterated construction of hash functions and the SHA-1 algorithm; message authentication codes; unconditionally secure message authentication codes (optional).


4.2 Security of hash functions. Question: what properties must a secure hash function $h$ satisfy? Consider first an unkeyed hash function $h$: given a message digest $y$, computing a message $x$ with $y = h(x)$ must be difficult; for any message $x$, finding another message $x'$ with $h(x) = h(x')$ must be difficult. Security problem if these conditions fail: if Martin can solve either problem, he can substitute $x'$ for $x$, and Bob cannot detect that the message was tampered with.


4.2 Security of hash functions. It must also be difficult to find two arbitrary messages $x$ and $x'$ with $h(x) = h(x')$. Security problem if this condition fails: Alice can use a birthday attack to deceive Bob:
1. Alice prepares two different documents $x_1, x_2$; $x_1$ is favourable to Bob, $x_2$ would ruin him.
2. Alice makes small changes to $x_1$ and $x_2$ that do not affect their content (adding a space, a line break and so on) and computes the hash value of each variant.
3. Among these variants Alice finds two documents $x_1', x_2'$ whose hash values agree, i.e. $h(x_1') = h(x_2')$.
4. Alice has Bob digitally sign the hash value $h(x_1')$ of $x_1'$ (thereby signing $x_1'$; a digital signature is normally applied to the message digest).
5. Alice proves by legal means that Bob signed the contract $x_2'$ that is unfavourable to him, since $h(x_1') = h(x_2')$.


4.2 Security of hash functions. Summary: a hash function is considered secure only if all three of the following problems are hard.
Problem 4.1, Preimage. Instance: a hash function $h : \mathcal{X} \to \mathcal{Y}$ and $y \in \mathcal{Y}$. Find: $x \in \mathcal{X}$ with $h(x) = y$.
Problem 4.2, Second preimage. Instance: a hash function $h : \mathcal{X} \to \mathcal{Y}$ and $x \in \mathcal{X}$. Find: $x' \in \mathcal{X}$ with $x' \ne x$ and $h(x') = h(x)$.


4.2 Security of hash functions. Problem 4.3, Collision. Instance: a hash function $h : \mathcal{X} \to \mathcal{Y}$. Find: $x, x' \in \mathcal{X}$ with $x' \ne x$ and $h(x') = h(x)$. A hash function for which the collision problem cannot be solved efficiently is called collision resistant.


4.2 Security of hash functions. An example that fails the security requirements. Suppose the hash function $h : \mathbb{Z}_n \times \mathbb{Z}_n \to \mathbb{Z}_n$ is defined by $h(x, y) = ax + by \bmod n$. For any pair of messages $(x_1, y_1), (x_2, y_2)$ we can compute their hash values $z_1 = h(x_1, y_1)$, $z_2 = h(x_2, y_2)$, and for any $r, s \in \mathbb{Z}_n$ we have
$h(rx_1 + sx_2 \bmod n,\ ry_1 + sy_2 \bmod n) = a(rx_1 + sx_2) + b(ry_1 + sy_2) \bmod n = r(ax_1 + by_1) + s(ax_2 + by_2) \bmod n = r\,h(x_1, y_1) + s\,h(x_2, y_2) \bmod n = rz_1 + sz_2 \bmod n.$
Letting $r, s$ range over all possible values, this formula yields the hash values of all messages without evaluating $h$ again, so the function does not meet the requirements above.
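As an added example (not from the original slides), the following Python checks the linearity identity above on constructed parameters and shows why it breaks the second-preimage requirement: adding any $(u, v)$ with $au + bv \equiv 0 \pmod n$ to a message leaves the hash unchanged, so a second preimage is found without any search. The values a = 7, b = 11, n = 1009 are constructed for the demonstration.

```python
# Added example, not from the slides: the linear hash h(x, y) = a*x + b*y mod n
# and why its linearity defeats the second-preimage and collision requirements.
# The parameters used in the usage section are constructed values.
import random


def h(a, b, n, x, y):
    """The slide's hash h(x, y) = a x + b y mod n."""
    return (a * x + b * y) % n


def linearity_holds(a, b, n, x1, y1, x2, y2, r, s):
    """Check the slide's identity h(r x1 + s x2, r y1 + s y2) = r z1 + s z2 (mod n)."""
    lhs = h(a, b, n, (r * x1 + s * x2) % n, (r * y1 + s * y2) % n)
    rhs = (r * h(a, b, n, x1, y1) + s * h(a, b, n, x2, y2)) % n
    return lhs == rhs


def second_preimage(a, b, n, x1, y1):
    """Return (x2, y2) != (x1, y1) with the same hash, using no search at all:
    h(x1 + u, y1 + v) = h(x1, y1) + (a u + b v) mod n, and (u, v) = (b, -a)
    makes a u + b v = 0. Requires (b mod n, -a mod n) != (0, 0)."""
    u, v = b % n, (-a) % n
    if (u, v) == (0, 0):
        raise ValueError("a and b are both 0 mod n; h is constant")
    return (x1 + u) % n, (y1 + v) % n


def random_identity_checks(a, b, n, trials, seed=1):
    """Run linearity_holds on `trials` random message pairs and scalars; True if all pass."""
    rng = random.Random(seed)
    for _ in range(trials):
        x1, y1, x2, y2, r, s = (rng.randrange(n) for _ in range(6))
        if not linearity_holds(a, b, n, x1, y1, x2, y2, r, s):
            return False
    return True


if __name__ == "__main__":
    A, B, N = 7, 11, 1009          # constructed parameters
    print(random_identity_checks(A, B, N, 1000))
    x2, y2 = second_preimage(A, B, N, 123, 456)
    print((x2, y2), h(A, B, N, 123, 456) == h(A, B, N, x2, y2))
```

The point of `second_preimage` is that no probabilistic search is needed: for a linear $h$ the kernel of the map is known in closed form, which is exactly what the slide's derivation exposes.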


4.2 Security of hash functions. Real example 1: MD5 is a widely used, well-known hash algorithm with a 128-bit digest. In 2004, researchers at Shandong University showed that collisions can be produced for the MD5 algorithm used in digital signatures. In 2007, Marc Stevens, Arjen K. Lenstra and Benne de Weger further showed that the attack on MD5 can be repeated to forge software signatures: using a chosen-prefix collision, they made programs with different executable content produce the same MD5 hash value. In 2008, scientists at Eindhoven University of Technology in the Netherlands produced an MD5 collision of two executable files, so that two programs with different behaviour compute to the same MD5 value. In December 2008 a group of researchers …


4.2 Security of hash functions. Real example 2: SHA (Secure Hash Algorithm) is a family of cryptographic hash functions designed by the US National Security Agency (NSA) and published by the US National Institute of Standards and Technology (NIST). SHA has three versions, SHA-0, SHA-1 and SHA-2, with SHA-3 under development. SHA-0 was the first published version and is little used; SHA-1 is widely used. At CRYPTO'98 in 1998, Florent Chabaud and Antoine Joux presented a collision attack on SHA-0 with computational complexity $2^{61}$, whereas an ideal hash function with the same output length would require $2^{81}$. In 2004, Biham and Chen found near-collisions of SHA-0: for two different messages, 142 of the 160 bits of the SHA-0 outputs agree.


4.2 Security of hash functions. Real example 2 (continued): on 12 August 2004, Joux, Carribault, Lemuet and Jalby announced a full collision for the SHA-0 algorithm, with attack complexity $2^{51}$. On 14 August 2004, at the rump session of CRYPTO 2004, …


4.2.1 The random oracle model. We discuss the success probability of the three hash-function problems in the random oracle model. Random oracle model: a random oracle is a black box that answers every query; its outputs are uniformly distributed, and the same query always receives the same answer. Random oracles are commonly used in cryptographic proofs: the details of the cryptographic function are abstracted away and a general conclusion is drawn.


4.2.2 Success probability of Problem 4.1 in the random oracle model. Theorem 4.2 (success probability of Problem 4.1). If the hash function $h$ is regarded as a random oracle with output space of size $|\mathcal{Y}| = M$, then for any given $y \in \mathcal{Y}$ and any $Q$ inputs, the probability that at least one input $x$ among them satisfies $h(x) = y$ is $\epsilon = 1 - (1 - 1/M)^Q$.
Proof. Let the $Q$ values be $\{x_1, \dots, x_Q\}$ and, for $1 \le i \le Q$, let $E_i$ denote the event "$h(x_i) = y$". The $E_i$ are independent events and $\Pr[E_i] = 1/M$ for all $1 \le i \le Q$. Hence
$\Pr[E_1 \cup E_2 \cup \dots \cup E_Q] = 1 - \left(1 - \frac{1}{M}\right)^Q.$


4.2.2 Success probability of Problem 4.2 in the random oracle model. Theorem 4.3 (success probability of Problem 4.2). If the hash function $h$ is regarded as a random oracle with output space of size $|\mathcal{Y}| = M$, then for any given $x \in \mathcal{X}$ and any $Q$ inputs different from $x$, the probability that at least one input $x'$ among them satisfies $h(x') = h(x)$ is $\epsilon = 1 - (1 - 1/M)^Q$. Proof: analogous to the proof of Theorem 4.2. Note: in the corresponding result of the textbook, $Q$ is replaced by $Q - 1$; this is consistent with the statement above.


4.2.2 Success probability in the random oracle model. Theorem 4.3 says: for any given message $x$, an attacker who wants to compute another message $x' \ne x$ with $\mathrm{Hash}(x) = \mathrm{Hash}(x')$ can generate $Q$ random messages $x_1, \dots, x_Q \ne x$, compute the hash value of each, and succeeds if some $x_i$ has $\mathrm{Hash}(x_i) = \mathrm{Hash}(x)$. By Theorem 4.3 the success probability is $\epsilon = 1 - (1 - 1/M)^Q$. Clearly, the larger the number of trials $Q$, the higher the success probability; the larger the number $M$ of possible hash values, the lower it is. The method uses no detail of the hash function; it only assumes that the hash values are uniformly distributed, i.e. the random oracle assumption.


4.2.2 The birthday attack on the collision problem. If the digest length of the hash function $h$ is short, how likely is a collision? We consider this through the birthday paradox. Birthday paradox: choose 23 people at random …


4.2.2 The birthday attack on the collision problem. The birthday paradox restated: if the number of possible output values of the hash function $h$ is 365, then among 23 randomly chosen messages $x_1, \dots, x_{23}$ with hash values $y_1, \dots, y_{23} \in \{1, 2, \dots, 365\}$, a collision (two messages with the same hash value) exists with probability greater than 1/2.


Birthday attack, probability of no collision. The $Q$ hash values are all distinct with probability
$\prod_{i=1}^{Q-1}\left(1 - \frac{i}{M}\right) = \left(1 - \frac{1}{M}\right)\left(1 - \frac{2}{M}\right)\cdots\left(1 - \frac{Q-1}{M}\right).$
Using $1 - x \approx e^{-x}$ for small $x$ (with $x = i/M$):
$\prod_{i=1}^{Q-1}\left(1 - \frac{i}{M}\right) \approx \prod_{i=1}^{Q-1} e^{-i/M} = e^{-\sum_{i=1}^{Q-1} i/M} = e^{-Q(Q-1)/(2M)}.$
Setting the collision probability to $\epsilon$, $1 - e^{-Q(Q-1)/(2M)} = \epsilon$, and solving for $Q$:
$Q \approx \sqrt{2M \ln \frac{1}{1 - \epsilon}}.$


Birthday attack table


4.2.2 The birthday attack on the collision problem. Generalizing the birthday paradox, Theorem 4.4 (general result): let the set $\mathcal{Y}$ have size $M$. If $Q$ elements $y_1, y_2, \dots, y_Q$ are chosen independently and uniformly at random from $\mathcal{Y}$, the probability that at least two of them are equal is $1 - \frac{(M)_Q}{M^Q}$, where $(M)_Q = M(M-1)\cdots(M-Q+1)$. Equivalently, $Q$ elements chosen independently at random from $\mathcal{Y}$ contain no collision with probability $\frac{(M)_Q}{M^Q} \approx e^{-Q(Q-1)/(2M)}$. Birthday attack on a hash function $h$: generate $Q$ random messages and compute their hash values; by Theorem 4.4, if the output space has size $M$, at least one collision is produced with probability $1 - \frac{(M)_Q}{M^Q}$.


4.2.2 The birthday attack on the collision problem. From Theorem 4.4: if the digest length of the hash function $h$ is $n$ bits, i.e. the output space has size $M = 2^n$, then among $m$ random messages a collision occurs with probability $1 - \frac{(2^n)_m}{(2^n)^m}$. If $n$ is small, few trials are needed to produce a collision: for a 40-bit message digest, about $2^{20}$ (roughly one million) random messages suffice to find a collision with probability 50%. The usual recommendation is a digest length of at least 128 bits; a birthday attack then needs more than $2^{64}$ random messages to succeed with probability 1/2.
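The bounds of Theorems 4.2 to 4.4 and the birthday estimate $Q \approx \sqrt{2M\ln\frac{1}{1-\epsilon}}$ are easy to compute and to test empirically. The Python below is an added example, not part of the original slides: it evaluates the formulas exactly (in log space, so that $M = 2^{128}$ does not overflow), inverts the approximation to reproduce the $2^{20}$ and $2^{64}$ figures, and runs a birthday experiment on an $n$-bit digest. The $n$-bit digest is an assumption of the example (the leading $n$ bits of SHA-256 over constructed messages); any uniformly distributed $n$-bit function behaves the same way.

```python
# Added example, not from the slides: the success probabilities of Theorems
# 4.2-4.4, the birthday estimate Q ~ sqrt(2 M ln(1/(1-eps))), and a small
# experiment on an n-bit digest. The n-bit digest is an assumption of this
# example: the leading n bits of SHA-256 over constructed messages.
import hashlib
import math


def preimage_success(M, Q):
    """Theorems 4.2 and 4.3: P[some x among Q random inputs hits a fixed digest], |Y| = M."""
    return 1 - (1 - 1 / M) ** Q


def collision_success(M, Q):
    """Theorem 4.4: 1 - (M)_Q / M^Q, with (M)_Q = M (M-1) ... (M-Q+1).
    Computed as a sum of logs so that M = 2**128 does not overflow."""
    if Q > M:
        return 1.0                      # pigeonhole: a collision is certain
    log_no_collision = sum(math.log1p(-i / M) for i in range(Q))   # log prod (1 - i/M)
    return 1 - math.exp(log_no_collision)


def collision_success_approx(M, Q):
    """The approximation 1 - e^{-Q(Q-1)/(2M)} from the birthday-attack derivation."""
    return 1 - math.exp(-Q * (Q - 1) / (2 * M))


def messages_for_probability(M, eps):
    """Invert the approximation: number of random messages Q ~ sqrt(2 M ln(1/(1-eps)))."""
    return math.sqrt(2 * M * math.log(1 / (1 - eps)))


def truncated_digest(msg, n_bits):
    """An n-bit digest (assumption: leading n bits of SHA-256)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n_bits)


def birthday_trial(n_bits, Q, tag):
    """Hash Q constructed messages tag||i and report whether any two digests collide."""
    seen = set()
    for i in range(Q):
        d = truncated_digest(tag + i.to_bytes(4, "big"), n_bits)
        if d in seen:
            return True
        seen.add(d)
    return False


def birthday_rate(n_bits, Q, trials):
    """Fraction of independent trials that produced a collision; compare with collision_success(2**n_bits, Q)."""
    hits = sum(birthday_trial(n_bits, Q, t.to_bytes(4, "big")) for t in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(collision_success(365, 23))                 # the birthday paradox: just over 1/2
    print(messages_for_probability(2 ** 40, 0.5))     # about 1.18 * 2**20 for a 40-bit digest
    print(messages_for_probability(2 ** 128, 0.5))    # about 1.18 * 2**64 for a 128-bit digest
    print(birthday_rate(16, 300, 200), collision_success(2 ** 16, 300))
```

For a 16-bit digest and $Q = 300$ messages the formula gives a collision probability of about 0.50, and the experiment over 200 trials lands close to it; the same code with $n = 40$ and $Q = 2^{20}$ reproduces the slide's figure, only more slowly.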


4.2.3 Comparison of the security criteria. Strong collision-free implies weak collision-free.


Weak collision-free implies one-way property


4.2.3 Comparison of the difficulty of the three hash-function problems. By the discussion above, if the hash function is regarded as a random oracle (its implementation details are ignored and its outputs are assumed uniformly distributed), the difficulty of solving Problem 4.1 (preimage), Problem 4.2 (second preimage) and Problem 4.3 (collision) is as follows. Computation: generate $Q$ distinct random messages $x_1, \dots, x_Q$ (in the second-preimage problem they must also differ from the given message $x$) and compute their hash values $H(x_1), \dots, H(x_Q)$.
Problem         | Success condition                                          | Success probability
Preimage        | some $x_i$ has $\mathrm{Hash}(x_i) = y$                      | $1 - (1 - 1/M)^Q$
Second preimage | some $x_i$ has $\mathrm{Hash}(x_i) = \mathrm{Hash}(x)$         | $1 - (1 - 1/M)^Q$
Collision       | some $x_i, x_j$ have $\mathrm{Hash}(x_i) = \mathrm{Hash}(x_j)$ | $1 - \frac{(M)_Q}{M^Q}$
Conclusion: the collision problem has the highest success probability.


4.3 Iterated hash functions. A hash function with a finite input space is called a compression function. A hash function with an infinite input space is usually built by iterating a compression function, in the same spirit as the iterated construction of block ciphers. The following gives the general method for building a hash function with infinite input space by iterating a compression function.


4.3 Iterated hash functions. Let $\mathrm{compress} : \{0,1\}^{m+t} \to \{0,1\}^m$ be a compression function ($t \ge 1$). The general method below builds from compress, by iteration, a hash function
$h : \bigcup_{i=m+t+1}^{\infty} \{0,1\}^i \to \{0,1\}^l.$
Figure: iterated construction (compress takes $m+t$ bits; $h$ takes inputs of at least $m+t+1$ bits).


4.3 Iterated hash functions. Figure: schematic of the general hash function built by iterating the compression function compress. The initial vector $IV$ is a public value; the message $x$ is converted into $y$ by a public algorithm and split into $t$-bit blocks $y_1, y_2, \dots, y_r$; the chaining values $z_0, z_1, \dots, z_r$ are produced by successive applications of compress.


4.3 Iterated hash functions. Preprocessing: convert the input bit string $x$ (with $|x| \ge m + t + 1$) into a bit string $y$ by a public algorithm, where the length of $y$ is a multiple of $t$: $x \Longrightarrow y = y_1 \| y_2 \| \dots \| y_r$, each block $y_i$ being $t$ bits long. For example $y = x \| \mathrm{pad}(x)$, where $\mathrm{pad}(\cdot)$ is a padding function, e.g. appending 0 bits until the length of $y$ is a multiple of $t$. Computation: $IV$ is a public $m$-bit initial value; iterate as follows:
$z_0 \leftarrow IV,\quad z_1 \leftarrow \mathrm{compress}(z_0 \| y_1),\quad z_2 \leftarrow \mathrm{compress}(z_1 \| y_2),\quad \dots,\quad z_r \leftarrow \mathrm{compress}(z_{r-1} \| y_r). \qquad (1)$
This is the general iteration of a hash function. Output transformation: let $g : \{0,1\}^m \to \{0,1\}^l$ be a public function and set $h(x) \leftarrow g(z_r)$. The output transformation is optional; without it, $h(x) = z_r$.


4.3 Iterated hash functions. Note: the preprocessing map $x \to y$ must be injective. If it is not, i.e. there exist $x \ne x'$ with $x \to y$, $x' \to y'$ and $y = y'$, then $h(x) = h(x')$, so $h$ is not collision resistant.


4.3.1 The Merkle-Damgård construction. We now study a method for building a hash function from a compression function, the Merkle-Damgård construction, which has the following property: if the compression function is collision resistant, then so is the constructed hash function. Let the compression function be $\mathrm{compress} : \{0,1\}^{m+t} \to \{0,1\}^m$; the cases $t = 1$ and $t \ge 2$ are discussed separately. For $t \ge 2$ we use an approach different from the textbook's: first derive the conditions needed for the hash function to be collision resistant, then give the construction algorithm based on those conditions. The case $t = 1$ is simpler and is left for self-study (i.e. the proof of Theorem 4.6 …


4.3.1 The Merkle-Damgård construction. We now derive, for the general iterated construction, the conditions under which collision resistance of compress implies collision resistance of the hash function. Note: the hash function is collision resistant $\Longleftarrow$ any collision of the hash function yields a collision of compress. So if the hash function has a collision, what must hold for a proof by mathematical induction that compress has a collision to go through? In the detailed proof of the proposition below only Cases 1.2 and 2.2 fail, so the proof succeeds under the following conditions. Condition 1: Case 1.2 cannot occur, i.e. $y_1 = y'_l$ cannot occur. Condition 2: Case 2.2 cannot occur, i.e. $y_r = y'_1$ cannot occur.


4.3.1 The Merkle-Damgård construction. Proposition: let $y \ne y'$ with $y = y_1 \| y_2 \| \dots \| y_r$ and $y' = y'_1 \| y'_2 \| \dots \| y'_l$, and let the iterated construction applied to $y$ and $y'$ give $z_r$ and $z'_l$ respectively, i.e.
$z_0 \leftarrow IV,\ z_1 \leftarrow \mathrm{compress}(z_0 \| y_1),\ \dots,\ z_r \leftarrow \mathrm{compress}(z_{r-1} \| y_r)$
$z'_0 \leftarrow IV,\ z'_1 \leftarrow \mathrm{compress}(z'_0 \| y'_1),\ \dots,\ z'_l \leftarrow \mathrm{compress}(z'_{l-1} \| y'_l).$
If $z_r = z'_l$, then a collision of compress can be found; below this is proved by mathematical induction on $r$ and $l$.


4.3.1 The Merkle-Damgård construction. Detailed proof:
1. For $r = 1$: $z_r = z'_l$, and since $z_1 = \mathrm{compress}(IV \| y_1)$ and $z'_l = \mathrm{compress}(z'_{l-1} \| y'_l)$, we have $\mathrm{compress}(IV \| y_1) = \mathrm{compress}(z'_{l-1} \| y'_l)$. Case 1.1: if $y_1 \ne y'_l$, then $(IV \| y_1,\ z'_{l-1} \| y'_l)$ is a collision of compress. Case 1.2: if $y_1 = y'_l$, … (?)
2. Similarly for $l = 1$: if $z_r = z'_1$, then $\mathrm{compress}(z_{r-1} \| y_r) = \mathrm{compress}(IV \| y'_1)$. Case 2.1: if $y_r \ne y'_1$, then $(z_{r-1} \| y_r,\ IV \| y'_1)$ is a collision of compress. Case 2.2: if $y_r = y'_1$, … (?)


4.3.1 The Merkle-Damgård construction. Detailed proof (continued):
3. Assume the claim holds for $r = r' - 1 \ge 1$, $l = l' - 1 \ge 1$.
4. For $r = r'$, $l = l'$ we have $z_{r'} = z'_{l'}$, hence $\mathrm{compress}(z_{r'-1} \| y_{r'}) = \mathrm{compress}(z'_{l'-1} \| y'_{l'})$. Case 4.1: $y_{r'} \ne y'_{l'}$; then $(z_{r'-1} \| y_{r'},\ z'_{l'-1} \| y'_{l'})$ is a collision of compress. Case 4.2: $y_{r'} = y'_{l'}$; (1) if $z_{r'-1} \ne z'_{l'-1}$, then $(z_{r'-1} \| y_{r'},\ z'_{l'-1} \| y'_{l'})$ is a collision of compress; (2) if $z_{r'-1} = z'_{l'-1}$, then $z_{r'-1}$ and $z'_{l'-1}$ are the iterated results of $y_1 \| y_2 \| \dots \| y_{r'-1}$ and $y'_1 \| y'_2 \| \dots \| y'_{l'-1}$ respectively, and by the induction hypothesis a collision of compress can be found.


4.3.1 The Merkle-Damgård construction. Remark on the detailed proof: in general, mathematical induction runs over a single number. In the detailed proof, induction on $r$ only covers the case $r \le l$, because in Case 4.2 we need $l' - 1 \ge 1$, which holds whenever $2 \le r' \le l'$. To save space, the detailed proof treats the case $r \le l$ (induction on $r$) and the case $r \ge l$ (induction on $l$) together.


4.3.1 The Merkle-Damgård construction. Algorithm 4.6: for $t \ge 2$, the preprocessing of the Merkle-Damgård construction is as follows. Write $x = x_1 \| x_2 \| x_3 \| \dots \| x_k$ with $|x_i| = t - 1$ for $1 \le i \le k - 1$ and $|x_k| = t - 1 - d$, and let $IV = 0^m$. Then
$y_1 = 0 \| x_1,\quad y_2 = 1 \| x_2,\quad y_3 = 1 \| x_3,\quad \dots,\quad y_k = 1 \| x_k \| 0^d,\quad y_{k+1} = 1 \| 0 \dots 0 \| d,$
where $d$ is written in binary and $|y_{k+1}| = t$. Computation: the iteration is the same as in the general construction, with no output transformation, i.e. $h(x) = z_{k+1}$. The difference from Algorithm 4.6 of the textbook: the rightmost $t - 1$ bits of each $y_i$ here are the textbook's $y_i$. Here $k = \lceil n/(t-1) \rceil \ge \lceil (m+t+1)/(t-1) \rceil \ge 2$, where $n = |x|$.


4.3.1 The Merkle-Damgård construction. From the discussion of the detailed proof we see that if compress is collision resistant, the constructed hash function is also collision resistant: in the Merkle-Damgård construction, for different $x, x'$ with corresponding $y_1 \| y_2 \| \dots \| y_r$ and $y'_1 \| y'_2 \| \dots \| y'_l$, we have $r \ge 2$ and $l \ge 2$, and therefore $y_1 \ne y'_l$ and $y'_1 \ne y_r$ (their leftmost bits differ). Hence, if compress is collision resistant, the constructed hash function is collision resistant. Further thought: if $y_{k+1}$ is dropped from the Merkle-Damgård construction, so that the hash result is $z_k$, then $r \ge 2$, $l \ge 2$ is still guaranteed; does the conclusion "if compress is collision resistant, then the hash function is collision resistant" still hold? Exercise: give a construction different from the Merkle-Damgård construction and the method above that still satisfies "if compress is collision resistant, then the hash function is collision resistant", and prove it.


4.3.1 The Merkle-Damgård construction. Remark: for $t = 1$, Cases 1.2 and 2.2 cannot be avoided, so for $t = 1$ Algorithm 4.6 cannot be used to prove that collision resistance of compress implies collision resistance of the constructed hash function.
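The construction of Algorithm 4.6 and the two facts the proof relies on (the preprocessing is injective, and the marker bit makes $y_1 \ne y'_l$ and $y'_1 \ne y_r$) can be checked directly. The Python below is an added example and not the slides' own code: it implements the slide's preprocessing and the iteration $z_i = \mathrm{compress}(z_{i-1} \| y_i)$ on top of a toy compression function. The parameters $m = 32$, $t = 8$ and the choice of compress (the leading $m$ bits of SHA-256 of the $(m+t)$-bit string) are assumptions of the example; the construction itself does not depend on them.

```python
# Added example, not from the slides: the Merkle-Damgard construction with the
# slide's Algorithm 4.6 preprocessing (t >= 2) on top of a toy compression
# function. Assumptions of this example: m = 32, t = 8, and compress is the
# leading m bits of SHA-256 of the (m+t)-bit string (any {0,1}^{m+t} -> {0,1}^m
# function would do; the construction does not depend on this choice).
import hashlib
import math

M_BITS = 32   # m: length of the chaining value z_i (assumption)
T_BITS = 8    # t: length of each block y_i, t >= 2 (assumption)


def compress(bits):
    """Toy compression function {0,1}^{m+t} -> {0,1}^m (assumption: truncated SHA-256)."""
    if len(bits) != M_BITS + T_BITS or set(bits) - {"0", "1"}:
        raise ValueError("compress expects an (m+t)-bit string")
    digest = int.from_bytes(hashlib.sha256(bits.encode("ascii")).digest(), "big")
    return format(digest >> (256 - M_BITS), "0%db" % M_BITS)


def preprocess(x, t=T_BITS):
    """Algorithm 4.6 as stated on the slide: split x into (t-1)-bit pieces x_1..x_k,
    y_1 = 0||x_1, y_i = 1||x_i, y_k = 1||x_k||0^d, y_{k+1} = 1||0..0||bin(d), each t bits."""
    n = len(x)
    if n < M_BITS + t + 1:
        raise ValueError("the slide's h is defined for |x| >= m + t + 1")
    k = math.ceil(n / (t - 1))
    d = k * (t - 1) - n                      # zeros appended to x_k; 0 <= d <= t-2
    pieces = [x[i * (t - 1):(i + 1) * (t - 1)] for i in range(k)]
    pieces[-1] += "0" * d
    blocks = ["0" + pieces[0]] + ["1" + p for p in pieces[1:]]
    d_bin = format(d, "b")                   # d fits in t-1 bits since d <= t-2
    blocks.append("1" + "0" * (t - 1 - len(d_bin)) + d_bin)
    return blocks                            # y_1, ..., y_{k+1}


def md_hash(x):
    """h(x) = z_{k+1} with z_0 = IV = 0^m and z_i = compress(z_{i-1} || y_i)."""
    z = "0" * M_BITS
    for y in preprocess(x):
        z = compress(z + y)
    return z


def marker_bits(x):
    """(leftmost bit of y_1, set of leftmost bits of all later blocks): the slide's
    argument that y_1 != y'_l and y'_1 != y_r rests on these being '0' and {'1'}."""
    blocks = preprocess(x)
    return blocks[0][0], {b[0] for b in blocks[1:]}


def preprocessing_injective(xs):
    """The note in Section 4.3: x -> y must be injective. Check it on a list of inputs."""
    images = {"".join(preprocess(x)) for x in xs}
    return len(images) == len(set(xs))


if __name__ == "__main__":
    x = "1011" * 12                          # a constructed 48-bit input
    print(preprocess(x))
    print(md_hash(x), marker_bits(x))
    print(preprocessing_injective([x, x + "0", "1" * 41, "0" * 41]))
```

Injectivity holds because the final block records $d$, so the zero padding of $x_k$ can always be stripped again; this is what separates the scheme from the plain "append zeros" padding of Section 4.3, which maps $x$ and $x \| 0$ to the same $y$.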


4.3.2 Secure hash algorithms. Introduction to the Secure Hash Algorithm (SHA): SHA is a family of cryptographic hash functions designed by the US National Security Agency (NSA) and published by the US National Institute of Standards and Technology (NIST). SHA-0 was published in 1993. SHA-1 was published in 1995; it corrects a weakness of SHA-0, has a 160-bit output, and is the most widely used algorithm of the SHA family. SHA-2 comprises four algorithms, SHA-224, SHA-256, SHA-384 and SHA-512, with output lengths of 224, 256, 384 and 512 bits respectively. SHA-3 is under development; the final algorithm is expected to be selected in 2012.


MD5/SHA-1 Overview


SHA-1 Compression Function


4.3.2 Secure hash algorithms. Structure of SHA-1: input length $|x| \le 2^{64} - 1$; output length 160 bits, held in five 32-bit words. Padding: SHA-1-PAD($x$) turns the message $x$ into a multiple of 512 bits, $y = x \| 1 \| 0^d \| l$, where $d \leftarrow (447 - |x|) \bmod 512$ and $l \leftarrow |x|$ ($|x|$ is the length of $x$) written in binary as a 64-bit value, left-padded with zeros if shorter. Operations used: $X \wedge Y$, bitwise AND of $X$ and $Y$; $X \vee Y$, bitwise OR; $X \oplus Y$, bitwise XOR; $\neg X$, bitwise complement; $X + Y$, addition modulo $2^{32}$, i.e. $(X + Y) \wedge (2^{32} - 1)$; $\mathrm{ROTL}^s(X)$, circular left shift of $X$ by $s$ positions ($0 \le s \le 31$).


4.3.2 Secure hash algorithms. Structure of SHA-1: the nonlinear functions $f_0, f_1, \dots, f_{79}$ are
$f_t(B, C, D) = (B \wedge C) \vee ((\neg B) \wedge D)$ for $0 \le t \le 19$;
$f_t(B, C, D) = B \oplus C \oplus D$ for $20 \le t \le 39$;
$f_t(B, C, D) = (B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$ for $40 \le t \le 59$;
$f_t(B, C, D) = B \oplus C \oplus D$ for $60 \le t \le 79$.
The inputs $B, C, D$ are three words. Constants: $K_t$, $0 \le t \le 79$.


4.3.2 Secure hash algorithms. SHA-1 computation. Input: $x$. Padding: $y \leftarrow$ SHA-1-PAD($x$). Constants: $K_0, \dots, K_{79}$. Partition: $y = M_1 \| M_2 \| \dots \| M_n$, where each $M_i$ is a 512-bit block. Initial value: $H_0 \| H_1 \| H_2 \| H_3 \| H_4 \leftarrow$ 67452301 $\|$ EFCDAB89 $\|$ 98BADCFE $\|$ 10325476 $\|$ C3D2E1F0.


4.3.2 Secure hash algorithms. SHA-1 computation (continued):
for $i \leftarrow 1$ to $n$ do (the body below is $\mathrm{compress}(Z_{i-1} \| M_i)$ with $Z_{i-1} = H_0 \| H_1 \| \dots \| H_4$):
  let $M_i = W_0 \| W_1 \| \dots \| W_{15}$, each $W_t$ a word;
  for $t \leftarrow 16$ to $79$ do $W_t \leftarrow \mathrm{ROTL}^1(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16})$;
  $A \leftarrow H_0,\ B \leftarrow H_1,\ C \leftarrow H_2,\ D \leftarrow H_3,\ E \leftarrow H_4$;
  for $t \leftarrow 0$ to $79$ do
    $temp \leftarrow \mathrm{ROTL}^5(A) + f_t(B, C, D) + E + W_t + K_t$;
    $E \leftarrow D$; $D \leftarrow C$; $C \leftarrow \mathrm{ROTL}^{30}(B)$; $B \leftarrow A$; $A \leftarrow temp$;
  $H_0 \leftarrow H_0 + A,\ H_1 \leftarrow H_1 + B,\ H_2 \leftarrow H_2 + C,\ H_3 \leftarrow H_3 + D,\ H_4 \leftarrow H_4 + E$.
Output: $(H_0 \| H_1 \| H_2 \| H_3 \| H_4)$.
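The description above is complete enough to implement. The Python below is an added example, not code from the slides: it follows SHA-1-PAD, the functions $f_t$, the message schedule and the 80-step loop exactly as stated, and is cross-checked against `hashlib.sha1`. The only values not on the slide are the round constants $K_t$, which are taken from FIPS 180.

```python
# Added example, not from the slides: SHA-1 written directly from the slide's
# description (SHA-1-PAD, f_t, the message schedule and the 80-step loop) and
# checked against hashlib.sha1. The round constants K_t are the FIPS 180 values,
# which the slide lists by name only.
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x, s):
    """ROTL^s(X): circular left shift of a 32-bit word by s positions."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def f(t, b, c, d):
    """The slide's nonlinear functions f_t(B, C, D)."""
    if t <= 19:
        return (b & c) | ((~b & MASK32) & d)
    if t <= 39 or t >= 60:
        return b ^ c ^ d
    return (b & c) | (b & d) | (c & d)


def K(t):
    """Round constants K_t, 0 <= t <= 79 (FIPS 180 values, one per 20 steps)."""
    return (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)[t // 20]


def sha1_pad(x):
    """SHA-1-PAD(x) = x || 1 || 0^d || l with d = (447 - |x|) mod 512, l = |x| as 64 bits."""
    bitlen = len(x) * 8
    d = (447 - bitlen) % 512                 # d = 7 (mod 8) for a byte-aligned x
    zero_bytes = (d - 7) // 8                # the 0x80 byte carries the 1 and seven zeros
    return x + b"\x80" + b"\x00" * zero_bytes + struct.pack(">Q", bitlen)


def sha1_compress(H, block):
    """compress(Z_{i-1} || M_i): absorb one 512-bit block into the words H_0..H_4."""
    W = list(struct.unpack(">16I", block))   # M_i = W_0 || ... || W_15
    for t in range(16, 80):
        W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
    a, b, c, d, e = H
    for t in range(80):
        temp = (rotl(a, 5) + f(t, b, c, d) + e + W[t] + K(t)) & MASK32
        e, d, c, b, a = d, c, rotl(b, 30), a, temp
    return [(h + v) & MASK32 for h, v in zip(H, (a, b, c, d, e))]


def sha1(x):
    """SHA-1 digest of the byte string x as a 40-character hex string."""
    H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    y = sha1_pad(x)
    for i in range(0, len(y), 64):           # y = M_1 || ... || M_n
        H = sha1_compress(H, y[i:i + 64])
    return "".join("%08x" % h for h in H)


def matches_hashlib(x):
    """Cross-check against the standard library implementation."""
    return sha1(x) == hashlib.sha1(x).hexdigest()


if __name__ == "__main__":
    print(sha1(b"abc"))                      # a9993e364706816aba3e25717850c26c9cd0d89d
    print(matches_hashlib(b"x" * 1000))
```

The slide's padding rule is visible in `sha1_pad`: a 55-byte message pads to exactly one 512-bit block, while a 56-byte message already needs two, because the 1 bit and the 64-bit length field no longer fit.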


4.3.2 Secure hash algorithms. Current security status of SHA: see Section 4.2, real example 2 on the security of hash functions.


4.4 Message authentication codes. Message authentication code (MAC): definition: a keyed hash function. Purpose: authenticating message integrity. Message authentication process, figure 1:


4.4 Message authentication codes. Message authentication process, figure:


4.4 Message authentication codes. Security: confirms message integrity and prevents forgery, since only a holder of the key can generate the authentication code. It does not provide non-repudiation, i.e. it cannot prove who generated the message (the generator and the verifier both hold the key, and either can produce the code). Constructions: 1. from an unkeyed hash function, e.g. HMAC (see 4.4.1 Nested MACs and HMAC); 2. from a symmetric cipher, e.g. CBC-MAC (see 4.4.2 CBC-MAC).


4.4 Message authentication codes. Measuring the security of a MAC algorithm: the requirements differ from those of unkeyed hash functions. The security of a MAC is described with the notion of a forger. $(\epsilon, Q)$-forger: suppose the attacker obtains the authentication codes $y_1, y_2, \dots, y_Q$ of messages $x_1, x_2, \dots, x_Q$; if for some $x \notin \{x_1, x_2, \dots, x_Q\}$ the attacker can compute a valid pair $(x, y)$, i.e. $y = \mathrm{hash}(x)$, with success probability at least $\epsilon$, the attacker is called an $(\epsilon, Q)$-forger. Clearly, for a good MAC, if an $(\epsilon, Q)$-forger exists at all, we want $\epsilon$ to be small and $Q$ to be large.


4.4 Message authentication codes. A $(1, 1)$-forger example: let $\mathrm{compress} : \{0,1\}^{m+t} \to \{0,1\}^m$ be a compression function, and build a keyed hash function $h_K$ from compress by the general iterated method with a secret initial value $IV = K$; for simplicity assume there is no preprocessing and no output transformation. Given a message $x$ and its hash value $h_K(x)$, for any $t$-bit $x'$ the iterated computation gives $h_K(x \| x') = \mathrm{compress}(h_K(x) \| x')$. Thus an attacker who does not know $K$ can still compute the hash value of $x \| x'$ from this formula.


4.4.1 Nested MACs and HMAC. A nested MAC builds a MAC algorithm from two keyed hash families. Nested MAC: suppose $(\mathcal{X}, \mathcal{Y}, \mathcal{K}, \mathcal{G})$ and $(\mathcal{Y}, \mathcal{Z}, \mathcal{L}, \mathcal{H})$ are hash families. Their composition is the hash family $(\mathcal{X}, \mathcal{Z}, \mathcal{M}, \mathcal{G} \circ \mathcal{H})$ with $\mathcal{M} = \mathcal{K} \times \mathcal{L}$, where $\mathcal{G} \circ \mathcal{H} = \{ g \circ h : g \in \mathcal{G}, h \in \mathcal{H} \}$ and, for all $x \in \mathcal{X}$, $(g \circ h)_{(K, L)}(x) = h_L(g_K(x))$.


4.4.1 Nested MACs and HMAC. Introduction to HMAC: HMAC is a nested MAC algorithm, standardized by FIPS in March 2002, that builds a MAC from an unkeyed hash function. HMAC based on SHA-1 is described as follows. Key $K$: 512 bits. Output length: 160 bits. Two 512-bit constants: ipad = 3636…36, opad = 5C5C…5C. The MAC of $x$ is computed as
$\mathrm{HMAC}_K(x) = \text{SHA-1}\big((K \oplus \mathrm{opad}) \,\|\, \text{SHA-1}((K \oplus \mathrm{ipad}) \| x)\big).$


4.4.2 CBC-MAC. CBC-MAC builds a MAC from a block cipher. Cryptosystem 4.2, CBC-MAC($x$, $K$): block encryption $e_K$. Input: $x = x_1 \| x_2 \| \dots \| x_n$, each $x_i$ a $t$-bit string. Initial vector: $IV = 00\dots0$. Computation: 1. $y_0 \leftarrow IV$; 2. for $i \leftarrow 1$ to $n$ do $y_i \leftarrow e_K(y_{i-1} \oplus x_i)$. Output: $y_n$. Remark: the CBC-MAC value is exactly the last ciphertext block obtained by encrypting $x$ under $K$ in CBC mode.


Keyed hash functions as MACs. There is a desire to create a MAC using a hash function rather than a block cipher, because hash functions are generally faster and, unlike block ciphers, are not limited by export controls. The hash includes a key along with the message. Original proposal: KeyedHash = Hash(Key | Message). Some weaknesses were found with this, which eventually led to the development of HMAC.


HMAC, specified as Internet standard RFC 2104, uses the hash function on the message: $\mathrm{HMAC}_K = \mathrm{Hash}[(K^+ \oplus \mathrm{opad}) \,\|\, \mathrm{Hash}[(K^+ \oplus \mathrm{ipad}) \,\|\, M]]$, where $K^+$ is the key padded out to size and opad, ipad are specified padding constants. The overhead is just 3 more hash calculations than the message alone needs. Any of MD5, SHA-1 or RIPEMD-160 can be used.
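The RFC 2104 formula above, and the SHA-1 instance given in Section 4.4.1, are short enough to implement over any hash. The Python below is an added example, not the slides' own code: it builds $\mathrm{HMAC}_K$ from the two nested hash calls exactly as written, pads the key to the block size to obtain $K^+$ (hashing it first if it is longer than a block, as RFC 2104 specifies), and cross-checks the result against Python's `hmac` module and an RFC 2202 test vector. The receiver-side `verify_tag` uses a constant-time comparison, which is the check a practitioner should pair with any MAC.

```python
# Added example, not from the slides: HMAC exactly as the slide states it,
# HMAC_K(M) = Hash[(K+ xor opad) || Hash[(K+ xor ipad) || M]], over any hashlib
# algorithm, cross-checked against Python's hmac module and an RFC 2202 vector.
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # the ipad/opad byte constants from the slides


def hmac_from_hash(key, msg, hash_name="sha1"):
    """The inner and outer hash calls of RFC 2104. K+ is the key padded with zero
    bytes to the hash block size (64 bytes for MD5, SHA-1 and SHA-256)."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:                    # RFC 2104: hash keys longer than a block first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(block_size, b"\x00")
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k_plus) + msg).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k_plus) + inner).digest()


def matches_stdlib(key, msg, hash_name="sha1"):
    """Cross-check against hmac.new with the same key, message and hash."""
    return hmac.compare_digest(hmac_from_hash(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


def verify_tag(key, msg, tag, hash_name="sha1"):
    """Receiver side: recompute the MAC and compare it in constant time."""
    return hmac.compare_digest(hmac_from_hash(key, msg, hash_name), tag)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA1: key = 20 bytes of 0x0b, data = "Hi There"
    print(hmac_from_hash(b"\x0b" * 20, b"Hi There").hex())
    print(matches_stdlib(b"Jefe", b"what do ya want for nothing?", "sha256"))
```

Because the key is mixed in through both `ipad` and `opad` rather than simply prepended as in Hash(Key | Message), knowing the tag of $x$ gives no way to continue the inner hash onto $x \| x'$, which is the weakness the slides describe for the secret-IV construction in Section 4.4.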


HMAC Overview


HMAC security. The security of HMAC relates to that of the underlying hash algorithm. Attacking HMAC requires either a brute-force attack on the key used, or a birthday attack (but since the hash is keyed, the attacker would need to observe a very large number of messages). Choose the hash function used based on speed versus security constraints.
