
Hash functions based on block ciphers

There are several methods to use a block cipher to build a cryptographic hash function, specifically a one-way compression function. The methods resemble the block cipher modes of operation usually used for encryption.

All well-known hash functions, including MD4, MD5, SHA-1 and SHA-2, are built from block-cipher-like components designed for the purpose, with feedback to ensure that the resulting function is not bijective. SHA-3 finalists include functions with block-cipher-like components (e.g., Skein, BLAKE) and functions based on other designs (e.g., JH, Keccak).

A standard block cipher such as AES can be used in place of these custom block ciphers; that might be useful when an embedded system needs to implement both encryption and hashing with minimal code size or hardware area. However, that approach can have costs in efficiency and security. The ciphers in hash functions are built for hashing: they use large keys and blocks, can efficiently change keys every block, and have been designed and vetted for resistance to related-key attacks. General-purpose ciphers tend to have different design goals. In particular, AES has key and block sizes that make it nontrivial to use to generate long hash values; AES encryption becomes less efficient when the key changes each block; and related-key attacks make it potentially less secure for use in a hash function than for encryption.

Merkle–Damgård construction

Figure: The Merkle–Damgård hash construction.

A hash function must be able to process an arbitrary-length message into a fixed-length output. This can be achieved by breaking the input up into a series of equal-sized blocks, and operating on them in sequence using a one-way compression function. The compression function can either be specially designed for hashing or be built from a block cipher. A hash function built with the Merkle–Damgård construction is as resistant to collisions as is its compression function; any collision for the full hash function can be traced back to a collision in the compression function.

The last block processed should also be unambiguously length padded; this is crucial to the security of this construction. This construction is called the Merkle–Damgård construction. Most widely used hash functions, including SHA-1 and MD5, take this form. The construction has certain inherent flaws, including length-extension and generate-and-paste attacks, and cannot be parallelized. As a result, many entrants in the current NIST hash function competition are built on different, sometimes novel, constructions.
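An added example (not part of the original page): a Merkle–Damgård hash whose compression function is built from a block cipher, with the length padding next to an ambiguous zero padding to show why the padding matters. The Davies–Meyer arrangement, the choice of XTEA as the cipher, the all-zero IV and all function names are assumptions of this example; the 64-bit digest is far too short for real use.

```python
import struct

MASK = 0xFFFFFFFF
BLOCK = 16           # message block size = XTEA key size, in bytes
IV = b"\x00" * 8     # constructed initial chaining value (example only)

def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """XTEA block cipher: 64-bit block, 128-bit key."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s, delta = 0, 0x9E3779B9
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + delta) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def compress(h: bytes, m: bytes) -> bytes:
    """Davies-Meyer: the message block is used as the cipher key, and the
    input chaining value is XORed back in. That feedback is what stops the
    step from being an invertible permutation of h."""
    e = xtea_encrypt(m, h)
    return bytes(a ^ b for a, b in zip(e, h))

def md_pad(msg: bytes) -> bytes:
    """Unambiguous length padding: 0x80, zeros, 64-bit message bit length."""
    zeros = (-(len(msg) + 1 + 8)) % BLOCK
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", 8 * len(msg))

def zero_pad(msg: bytes) -> bytes:
    """Ambiguous padding, kept only as the broken counterpart."""
    return msg + b"\x00" * (-len(msg) % BLOCK)

def md_hash(msg: bytes, pad=md_pad) -> bytes:
    """Iterate the compression function over the padded message blocks."""
    h = IV
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h

if __name__ == "__main__":
    for m in (b"abc", b"abc\x00"):
        print(m, md_hash(m).hex(), md_hash(m, zero_pad).hex())
```

With `zero_pad`, `b"abc"` and `b"abc\x00"` pad to the same block and so hash identically without any collision in the compression function; with `md_pad` the encoded length separates them.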

WHAT IS A BLOCK CIPHER


In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take (for example) a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input, the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext.

A message longer than the block size (128 bits in the above example) can still be encrypted with a block cipher by breaking the message into blocks and encrypting each block individually. However, in this method all blocks are encrypted with the same key, which degrades security (because each repetition in the plaintext becomes a repetition in the ciphertext). To overcome this issue, modes of operation are used to make encryption probabilistic. Some modes of operation, despite the fact that their underlying implementation is a block cipher, allow the encryption of individual bits. The resulting cipher is called a stream cipher.

Hashing Algorithms

| Algorithm | Output size (bits) | Internal state size | Block size | Length size | Word size | Collision attacks (complexity) | Preimage attacks (complexity) |
|---|---|---|---|---|---|---|---|
| GOST | 256 | 256 | 256 | 256 | 32 | Yes (2^105) | Yes (2^192) |
| HAVAL | 256/224/192/160/128 | 256 | 1,024 | 64 | 32 | Yes | |
| MD2 | 128 | 384 | 128 | | 32 | Yes (2^63.3) | Yes (2^73) |
| MD4 | 128 | 128 | 512 | 64 | 32 | Yes (3) | Yes (2^70.4) |
| MD5 | 128 | 128 | 512 | 64 | 32 | Yes (2^20.96) | Yes (2^123.4) |
| PANAMA | 256 | 8,736 | 256 | | 32 | Yes | |
| RadioGatún | Up to 608/1,216 (19 words) | 58 words | 3 words | | 1–64 | With flaws (2^352 or 2^704) | |
| RIPEMD | 128 | 128 | 512 | 64 | 32 | Yes (2^18) | |
| RIPEMD-128/256 | 128/256 | 128/256 | 512 | 64 | 32 | No | |
| RIPEMD-160/320 | 160/320 | 160/320 | 512 | 64 | 32 | No | |
| SHA-0 | 160 | 160 | 512 | 64 | 32 | Yes (2^33.6) | |
| SHA-1 | 160 | 160 | 512 | 64 | 32 | Yes (2^51) | No |
| SHA-256/224 | 256/224 | 256 | 512 | 64 | 32 | No | No |
| SHA-512/384 | 512/384 | 512 | 1,024 | 128 | 64 | No | No |
| Tiger(2)-192/160/128 | 192/160/128 | 192 | 512 | 64 | 64 | Yes (2^62:19) | Yes (2^184.3) |
| WHIRLPOOL | 512 | 512 | 512 | 256 | | Yes ([1]) | |

Note: The internal state here means the "internal hash sum" after each compression of a data block. Most hash algorithms also internally use some additional variables, such as the length of the data compressed so far, since that is needed for the length padding at the end. See the Merkle–Damgård construction for details.

Universal one-way hash function


Definition
The security property of a UOWHF is as follows. Let A be an algorithm that operates in two phases: Initially, A receives no input (or just a security parameter) and chooses a value x. A hash function H is chosen from the family. A then receives H and must output y ≠ x such that H(x) = H(y).

Then for all polynomial-time A the probability that A succeeds is negligible.
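An added example (not part of the original page) that runs the two-phase game above next to the ordinary collision game, using a constructed keyed family with a planted collision that depends on the key. The family `H`, the helper `twin`, the adversary class and both game functions are hypothetical names for this demonstration, and SHA-256 is assumed to behave ideally.

```python
import hashlib
import os

KEYLEN = 16

def twin(k: bytes) -> bytes:
    """The one input rigged to collide with k: k with its lowest bit flipped."""
    return k[:-1] + bytes([k[-1] ^ 1])

def H(k: bytes, m: bytes) -> bytes:
    """Constructed family: prefix-keyed SHA-256 with a planted collision
    H_k(k) == H_k(twin(k)), which can only be named once k is known."""
    if m == twin(k):
        m = k
    return hashlib.sha256(k + m).digest()

class PlantedCollisionAdversary:
    """Knows exactly how the family is rigged."""
    def commit(self) -> bytes:                       # phase 1: no key yet
        return b"\x00" * KEYLEN
    def respond(self, k: bytes, x: bytes) -> bytes:  # phase 2: key revealed
        return twin(k) if x == k else k
    def collide(self, k: bytes):                     # collision game: free pair
        return k, twin(k)

def uowhf_game(adv) -> bool:
    """Two-phase game: x is fixed before H is drawn from the family."""
    x = adv.commit()
    k = os.urandom(KEYLEN)
    y = adv.respond(k, x)
    return y != x and H(k, x) == H(k, y)

def crhf_game(adv) -> bool:
    """Collision game: the adversary sees H, then picks both inputs."""
    k = os.urandom(KEYLEN)
    x, y = adv.collide(k)
    return x != y and H(k, x) == H(k, y)

if __name__ == "__main__":
    adv = PlantedCollisionAdversary()
    print("collision game won:", crhf_game(adv))
    print("two-phase game won:", uowhf_game(adv))
```

The same adversary always wins the collision game, yet loses the two-phase game unless its committed x happens to equal k or `twin(k)`, which for a random 128-bit key has probability 2^-127.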

Applications
UOWHFs are thought to be less computationally expensive than collision-resistant hash functions (CRHFs), and are most often used for efficiency purposes in schemes where the choice of the hash function happens at some stage of execution, rather than beforehand. For instance, the Cramer–Shoup cryptosystem uses a UOWHF as part of the validity check in its ciphertexts.
