H ASH AND MAC A LGORITHMS
b. You must use the same sort of interchange.
12.4 a.Overall structure:
N 16 letters
M1 M2 MN
IV = F 0000
H1 F
• • •
• • • Message
H2
16
HN =
hashcode 16
F
16
16 letters 16 letters 16 letters
Padding
4
Compression function F:
Hi–1 Mi
Column-wise mod 26 addition
Column-wise mod 26 addition row-wise
rotations
Hi
b. BFQG
12.5 Generator for GF(28) using x8+ x4+ x3+ x2+ 1. Partial results:
Power
Representation Polynomial
Representation Binary
Representation Decimal (Hex) Representation
0 0 00000000 00
g0(=g127) 1 00000001 01
g1 g 00000010 02
g2 g2 00000100 04
g3 g3 00001000 08
g4 g4 00010000 10
g5 g5 00100000 20
g6 g6 01000000 40
g7 g7 10000000 80
g8 g4+g3+g2+ 1 00011101 1D
g9 g5+g4+g3+g 00111010 3A
g10 g6+g5+g4+g2 01110100 74
g11 g7+g6+g5+g3 11101000 E8
g12 g7+g6+g3+g2+ 1 11001101 CD
g13 g7+g2+g+ 1 10000111 87
g14 g4+g+ 1 00010011 13
12.6 00 01 10 11 00 01 10 11
00 1 B 9 C 00 F 0 D 7
01 D 6 F 3 01 B E 5 A
10 E 8 7 4 10 9 2 C 1
11 A 2 5 0 11 3 4 8 6
E box E–1 box
12.7 a. For input 00: The output of the first E box is 0001. The output of the first E–1 box is 1111. The input to R is 1110 and the output of R is 0001. The input to the second E box is 0000 and the output is 0001. The input to the second E–1box is 1110 and the output is 1000. So the final output is 00011000 in binary, which is 18 in hex. This agrees with Table 12.3a.
b. For input 55: The output of the first E box is 0110. The output of the first E–1 box is 1110. The input to R is 1000 and the output of R is 0110. The input to the second E box is 0000 and the output is 0001. The input to the second E–1box is 1000 and the output is 1001. So the final output is 00011001 in binary, which is 19 in hex. This agrees with Table 12.3a.
c. For input 1E: The output of the first E box is 1011. The output of the first E–1 box is 1000. The input to R is 0011 and the output of R is 1101. The input to the second E box is 0110 and the output is 1111. The input to the second E–1box is 0101 and the output is 1110. So the final output is 1111110 in binary, which is in hex FE. This agrees with Table 12.3a.
12.8 Treat the input to the S-box as two 4-bit variablesuandvand the output as the 4- bit variablesu' andv'. The S-box can be expressed as (u',v') = S(u,v). Using Figure 12.9, we can express this as:
u' = E[E(u)r], v' = E–1[E–1(v)r]
wherer= R[E(u)E–1(v)]
12.9 Consider the encryption E(Hi–1,Mi). We could write the last round key asK10= E(RC,Hi–1); this quantity is XORed onto the cipher state as the last encryption step.
Now take a look at the recursion:Hi= E(Hi–1,Mi)Mi. Formally applying this construction to the "key encryption line" we get K'10= E(RC,Hi–1)Hi–1. Using this value as the effective last round key formally creates two interacting lines (as compared to the interacting encryption lines), and results in the Whirlpool scheme, which therefore shows up as the natural choice for the compression function. This explanation is taken from the Whirlpool document.
12.10 We use the definition from Section 11.3. For a one-block message, the MAC using CBC-MAC isT= E(K,X), where K is the key and X is the message block. Now consider the two-block message in which the first block is X and the second block isXT. Then the MAC is E(K, [TXT]) = E(K,X) =T.
12.11 We use Figure 12.12a but put the XOR withK1after the final encryption. For this problem, there are two blocks to process. The output of the encryption of the first message block is E(K,0) = CBC(K,0) =T0K1. This is XORed with the second message block (T T ), so that the input to the second encryption is (T K ) =
R128= 012010000111 and R64= 05911011 b. Here is the algorithm from the NIST document:
1. LetL= E(K, 0b).
2. If MSB1(L) = 0, thenK1=L<< 1;
ElseK1= (L<< 1)Rb;
3. If MSB1(K1) = 0, thenK2=K1<< 1;
ElseK2= (K1<< 1)Rb.
A A N N SW S WE ER R S S T T O O Q Q UE U ES ST T IO I ON N S S
13.1 Suppose that John sends an authenticated message to Mary. The following disputes that could arise:1.Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share.2.John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.
13.2 1.It must be able to verify the author and the date and time of the signature.2. It must be able to authenticate the contents at the time of the signature.3.The signature must be verifiable by third parties, to resolve disputes.
13.3 1.The signature must be a bit pattern that depends on the message being signed.2.
The signature must use some information unique to the sender, to prevent both forgery and denial.3.It must be relatively easy to produce the digital signature.
4.It must be relatively easy to recognize and verify the digital signature.5.It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message.6.It must be practical to retain a copy of the digital signature in storage.
13.4 Adirect digital signatureinvolves only the communicating parties (source,
destination). It is assumed that the destination knows the public key of the source.
A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key. Anarbitrated digital signatureoperates as follows. Every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to