HASH AND MAC ALGORITHMS
b. You must use the same sort of interchange.
12.4 a. Overall structure (figure): the message, N × 16 letters after padding, is split into 16-letter blocks M1, M2, ..., MN. Starting from IV = 0000 (all zeros), each block is fed through the compression function F together with the previous output: H1 = F(IV, M1), H2 = F(H1, M2), ..., HN = F(HN–1, MN). The final 16-letter value HN is the hash code.
Compression function F (figure): Hi–1 and Mi enter F; the figure shows column-wise mod 26 addition, row-wise rotations, and a second column-wise mod 26 addition, producing Hi.
b. BFQG
c. Simple algebra is all you need to generate a result:
AYHGDAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAA
12.5 Generator for GF(2^8) using x^8 + x^4 + x^3 + x^2 + 1. Partial results:

Power            Polynomial                 Binary          Decimal (Hex)
Representation   Representation             Representation  Representation
0                0                          00000000        00
g^0 (= g^127)    1                          00000001        01
g^1              g                          00000010        02
g^2              g^2                        00000100        04
g^3              g^3                        00001000        08
g^4              g^4                        00010000        10
g^5              g^5                        00100000        20
g^6              g^6                        01000000        40
g^7              g^7                        10000000        80
g^8              g^4 + g^3 + g^2 + 1        00011101        1D
g^9              g^5 + g^4 + g^3 + g        00111010        3A
g^10             g^6 + g^5 + g^4 + g^2      01110100        74
g^11             g^7 + g^6 + g^5 + g^3      11101000        E8
g^12             g^7 + g^6 + g^3 + g^2 + 1  11001101        CD
g^13             g^7 + g^2 + g + 1          10000111        87
g^14             g^4 + g + 1                00010011        13

12.6 The rows give the first two input bits and the columns the last two input bits; entries are the 4-bit outputs in hex.

      E box                    E^-1 box
      00  01  10  11           00  01  10  11
  00   1   B   9   C       00   F   0   D   7
  01   D   6   F   3       01   B   E   5   A
  10   E   8   7   4       10   9   2   C   1
  11   A   2   5   0       11   3   4   8   6
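As an added example (not part of the solutions text), the following Python generates the 12.5 power table by repeated multiplication by g = x with reduction modulo x^8 + x^4 + x^3 + x^2 + 1, so every row above can be checked mechanically:

```python
# Added example: builds the GF(2^8) power table of Problem 12.5 by repeated
# multiplication by g = x, reducing modulo m(x) = x^8 + x^4 + x^3 + x^2 + 1
# (binary 1 0001 1101 = 0x11D).
MODULUS = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1


def xtime(a: int) -> int:
    """Multiply an 8-bit field element by g = x and reduce mod m(x)."""
    a <<= 1
    if a & 0x100:        # an x^8 term appeared: replace it by x^4 + x^3 + x^2 + 1
        a ^= MODULUS
    return a & 0xFF


def power_table(n: int) -> list[int]:
    """Return [g^0, g^1, ..., g^(n-1)] as 8-bit integers."""
    table = [1]
    for _ in range(n - 1):
        table.append(xtime(table[-1]))
    return table


def polynomial_string(a: int) -> str:
    """Render an element in the 'g^7 + g^2 + g + 1' notation of the table."""
    terms = []
    for bit in range(7, -1, -1):
        if a >> bit & 1:
            terms.append({0: "1", 1: "g"}.get(bit, f"g^{bit}"))
    return " + ".join(terms) if terms else "0"


if __name__ == "__main__":
    # Prints the rows g^0 .. g^14 in the same four columns as the table.
    for i, a in enumerate(power_table(15)):
        print(f"g^{i:<3} {polynomial_string(a):<26} {a:08b}  {a:02X}")
```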
12.7 a. For input 00: The output of the first E box is 0001. The output of the first E^-1 box is 1111. The input to R is 1110 and the output of R is 0001. The input to the second E box is 0000 and the output is 0001. The input to the second E^-1 box is 1110 and the output is 1000. So the final output is 00011000 in binary, which is 18 in hex. This agrees with Table 12.3a.
b. For input 55: The output of the first E box is 0110. The output of the first E^-1 box is 1110. The input to R is 1000 and the output of R is 0110. The input to the second E box is 0000 and the output is 0001. The input to the second E^-1 box is 1000 and the output is 1001. So the final output is 00011001 in binary, which is 19 in hex. This agrees with Table 12.3a.
c. For input 1E: The output of the first E box is 1011. The output of the first E^-1 box is 1000. The input to R is 0011 and the output of R is 1101. The input to the second E box is 0110 and the output is 1111. The input to the second E^-1 box is 0101 and the output is 1110. So the final output is 11111110 in binary, which is FE in hex. This agrees with Table 12.3a.
12.8 Treat the input to the S-box as two 4-bit variables u and v and the output as the 4-bit variables u' and v'. The S-box can be expressed as (u', v') = S(u, v). Using Figure 12.9, we can express this as:
u' = E[E(u) ⊕ r], v' = E^-1[E^-1(v) ⊕ r]
where r = R[E(u) ⊕ E^-1(v)]
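As an added example (not code from the solutions text or the Whirlpool authors), the formulas of 12.8 are implemented below, so the three traces in 12.7 and the full 8-bit S-box can be reproduced; the E and E^-1 tables are those of 12.6, while the R box is not printed on this page and is taken from the Whirlpool specification (the three R outputs listed in 12.7 are consistent with it). The inverse S-box is included to show that the construction is a permutation, which the formulas alone do not make obvious.

```python
# Added example: the Whirlpool S-box built from its 4-bit mini-boxes
# (Figure 12.9, Problems 12.7 and 12.8).  E and E^-1 come from Problem 12.6;
# R is assumed from the Whirlpool specification (it is not on this page).
E_BOX = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3,
         0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
E_INV = [0xF, 0x0, 0xD, 0x7, 0xB, 0xE, 0x5, 0xA,
         0x9, 0x2, 0xC, 0x1, 0x3, 0x4, 0x8, 0x6]
R_BOX = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF,
         0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]


def sbox(byte: int) -> int:
    """(u', v') = S(u, v): u' = E[E(u) ^ r], v' = E^-1[E^-1(v) ^ r],
    r = R[E(u) ^ E^-1(v)].  u is the high nibble, v the low nibble."""
    u, v = byte >> 4, byte & 0xF
    eu, ev = E_BOX[u], E_INV[v]                   # first E and E^-1 boxes
    r = R_BOX[eu ^ ev]                            # middle R box
    return (E_BOX[eu ^ r] << 4) | E_INV[ev ^ r]   # second E and E^-1 boxes


def sbox_inverse(byte: int) -> int:
    """Undo S.  E^-1(u') ^ E(v') equals E(u) ^ E^-1(v), the R-box input,
    so r can be recomputed and both halves unwound."""
    up, vp = byte >> 4, byte & 0xF
    eu_r, ev_r = E_INV[up], E_BOX[vp]             # E(u) ^ r and E^-1(v) ^ r
    r = R_BOX[eu_r ^ ev_r]
    eu, ev = eu_r ^ r, ev_r ^ r
    return (E_INV[eu] << 4) | E_BOX[ev]


if __name__ == "__main__":
    # The three inputs worked in Problem 12.7: 00 -> 18, 55 -> 19, 1E -> FE.
    for x in (0x00, 0x55, 0x1E):
        print(f"S({x:02X}) = {sbox(x):02X}")
```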
12.9 Consider the encryption E(Hi–1, Mi). We could write the last round key as K10 = E(RC, Hi–1); this quantity is XORed onto the cipher state as the last encryption step.
Now take a look at the recursion: Hi = E(Hi–1, Mi) ⊕ Mi. Formally applying this construction to the "key encryption line" we get K'10 = E(RC, Hi–1) ⊕ Hi–1. Using this value as the effective last round key formally creates two interacting lines (as compared to the interacting encryption lines), and results in the Whirlpool scheme, which therefore shows up as the natural choice for the compression function. This explanation is taken from the Whirlpool document.
12.10 We use the definition from Section 11.3. For a one-block message, the MAC using CBC-MAC is T = E(K, X), where K is the key and X is the message block.
Now consider the two-block message in which the first block is X and the second block is X ⊕ T. Then the MAC is E(K, [T ⊕ X ⊕ T]) = E(K, X) = T.
12.11 We use Figure 12.12a but put the XOR with K1 after the final encryption. For this problem, there are two blocks to process. The output of the encryption of the first message block is E(K, 0) = CBC(K, 0) = T0 ⊕ K1. This is XORed with the second message block (T0 ⊕ T1), so that the input to the second encryption is (T1 ⊕ K1) = CBC(K, 1) = E(K, 1). So the output of the second encryption is E(K, [E(K, 1)]) = CBC(K, [CBC(K, 1)]) = T2 ⊕ K1. After the final XOR with K1, we get
VMAC(K, [0 || (T0 ⊕ T1)]) = T2.
12.12 a. In each case (64 bits, 128 bits) the constant is the binary representation of the irreducible polynomial defined in Section 12.4. The two constants are
R128 = 0^120 10000111 (120 zeros followed by 10000111) and R64 = 0^59 11011 (59 zeros followed by 11011)
b. Here is the algorithm from the NIST document:
1. Let L = E(K, 0^b).
2. If MSB1(L) = 0, then K1 = L << 1;
   else K1 = (L << 1) ⊕ Rb;
3. If MSB1(K1) = 0, then K2 = K1 << 1;
   else K2 = (K1 << 1) ⊕ Rb.
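As an added example (not part of the solutions text or the NIST document), the subkey derivation of 12.12b is implemented below for both b = 64 and b = 128, with the constants of 12.12a. Step 1 needs a block cipher call; here the value L = AES-128(K, 0^128) is the published NIST SP 800-38B / RFC 4493 example for K = 2b7e1516 28aed2a6 abf71588 09cf4f3c, so the cipher itself is not needed to check steps 2 and 3.

```python
# Added example: CMAC subkey generation (steps 2-3 of the 12.12b algorithm).
# R_b is the low byte of the constants from 12.12a: R64 = 0^59 11011 = 0x1B,
# R128 = 0^120 10000111 = 0x87.
R_B = {64: 0x1B, 128: 0x87}


def double(value: int, b: int) -> int:
    """Shift left one bit in a b-bit register; if MSB1 was 1, XOR in R_b.
    This is multiplication by x in GF(2^b) with the polynomial of 12.12a."""
    msb = value >> (b - 1) & 1
    shifted = (value << 1) & ((1 << b) - 1)
    return shifted ^ R_B[b] if msb else shifted


def cmac_subkeys(L: bytes) -> tuple[bytes, bytes]:
    """K1 = double(L), K2 = double(K1); block size b is taken from len(L)."""
    b = len(L) * 8
    k1 = double(int.from_bytes(L, "big"), b)
    k2 = double(k1, b)
    return k1.to_bytes(len(L), "big"), k2.to_bytes(len(L), "big")


# Step 1 output L = E(K, 0^128) for the NIST SP 800-38B AES-128 example key
# (2b7e1516 28aed2a6 abf71588 09cf4f3c); taken from the published example.
L_AES128 = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")

if __name__ == "__main__":
    k1, k2 = cmac_subkeys(L_AES128)
    print("K1 =", k1.hex())   # fbeed618357133667c85e08f7236a8de
    print("K2 =", k2.hex())   # f7ddac306ae266ccf90bc11ee46d513b
```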
ANSWERS TO QUESTIONS
13.1 Suppose that John sends an authenticated message to Mary. The following disputes could arise: 1. Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share. 2. John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.
13.2 1. It must be able to verify the author and the date and time of the signature. 2. It must be able to authenticate the contents at the time of the signature. 3. The signature must be verifiable by third parties, to resolve disputes.
13.3 1. The signature must be a bit pattern that depends on the message being signed. 2. The signature must use some information unique to the sender, to prevent both forgery and denial. 3. It must be relatively easy to produce the digital signature. 4. It must be relatively easy to recognize and verify the digital signature. 5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message. 6. It must be practical to retain a copy of the digital signature in storage.
13.4 A direct digital signature involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source. A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key. An arbitrated digital signature operates as follows. Every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.
13.5 It is important to perform the signature function first and then an outer confidentiality function. In case of dispute, some third party must view the message and its signature. If the signature is calculated on an encrypted message, then the third party also needs access to the decryption key to read the original message. However, if the signature is the inner operation, then the recipient can