Message Authentication and Hash Functions

Part of the document Cryptography and network security william stallings 4ed (Pages 67 - 71)

MESSAGE AUTHENTICATION AND HASH FUNCTIONS

confidentiality as well as a digital signature is desired, then the message plus the public-key-encrypted hash code can be encrypted using a symmetric secret key.

e. This technique uses a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify.

f. Confidentiality can be added to the approach of (e) by encrypting the entire message plus the hash code.

11.8 No. Section 11.3 outlines such attacks.

11.9 1. H can be applied to a block of data of any size.

2. H produces a fixed-length output.

3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.

4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.

5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).

6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

11.10 Property 5 in Question 11.9 defines weak collision resistance. Property 6 defines strong collision resistance.

11.11 A typical hash function uses a compression function as a basic building block, and involves repeated application of the compression function.

ANSWERS TO PROBLEMS

11.1 No. If internal error control is used, error propagation in the deciphering operation introduces too many errors for the error control code to correct.

11.2 The CBC mode with an IV of 0 and plaintext blocks D1, D2, . . ., Dn and 64-bit CFB mode with IV = D1 and plaintext blocks D2, D3, . . ., Dn yield the same result.

11.3 a. Yes. The XOR function is simply a vertical parity check. If there is an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error. Note

must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and an even number of error bits in each spiral.

c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash function would be too easy.

11.4 a. For clarity, we use overbars for complementation. We have:

$$E(\overline{M_i}, \overline{H_{i-1}}) \oplus \overline{H_{i-1}} = \overline{E(M_i, H_{i-1})} \oplus \overline{H_{i-1}} = E(M_i, H_{i-1}) \oplus H_{i-1}$$

Therefore, the hash function of message M with initial value I is the same as the hash function for message N with initial value $\overline{I}$ for any given I, where

$$M = M_1 \| M_2 \| \cdots \| M_n; \quad N = \overline{M_1} \| M_2 \| \cdots \| M_n$$

b. The same line of reasoning applies with the Ms and Hs reversed in the derivation.

11.5 a. It satisfies properties 1 through 3 but not the remaining properties. For example, for property 4, a message consisting of the value h satisfies H(h) = h. For property 5, take any message M and add the decimal digit 0 to the sequence; it will have the same hash value.

b. It satisfies properties 1 through 3. Property 4 is also satisfied if n is a large composite number, because taking square roots modulo such an integer n is considered to be infeasible. Properties 5 and 6 are not satisfied because –M will have the same value as M.

c. 955

11.6 If you examine the structure of a single round of DES, you see that the round includes a one-way function, f, and an XOR:

Ri= Li–1f(Ri–1, Ki)

For DES, the function f is depicted in Figure 3.5. It maps a 32-bit R and a 48-bit K into a 32-bit output. That is, it maps an 80-bit input into a 32-bit output. This is clearly a one-way function. Any hash function that produces a 32-bit output could be used for f. The demonstration in the text that decryption works is still valid for any one-way function f.
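The point of 11.6 can be checked directly. The following is an added example, not code from the text: a 64-bit Feistel cipher whose round function f is SHA-256 truncated to 32 bits. The key schedule, key and block values are constructed for the demonstration.

```python
import hashlib

ROUNDS = 16

def f(r, k):
    """One-way round function: 32-bit R and a 48-bit subkey -> 32-bit output."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k).digest()
    return int.from_bytes(digest[:4], "big")

def round_keys(key):
    # Constructed key schedule (an assumption of this example):
    # sixteen 48-bit subkeys derived by hashing the key with a round index.
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]

def feistel(block, keys):
    """Apply the Feistel rounds to a 64-bit block, then swap the halves."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, left ^ f(right, k)
    return (right << 32) | left  # final swap of the two halves, as in DES

def encrypt(block, key):
    return feistel(block, round_keys(key))

def decrypt(block, key):
    # Same structure with the subkeys in reverse order; f is never inverted.
    return feistel(block, round_keys(key)[::-1])

def demo():
    key = b"constructed-key"          # constructed sample key
    plaintext = 0x0123456789ABCDEF    # constructed sample block
    ciphertext = encrypt(plaintext, key)
    return plaintext, ciphertext, decrypt(ciphertext, key)

if __name__ == "__main__":
    pt, ct, rt = demo()
    print(f"plaintext  {pt:016x}\nciphertext {ct:016x}\nrecovered  {rt:016x}")
```

Decryption only ever evaluates f in the forward direction, which is why a non-invertible hash can stand in for the DES round function.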

11.7 The opponent has the two-block message B1, B2 and its hash RSAH(B1, B2). The following attack will work. Choose an arbitrary C1 and choose C2 such that:

C2 = RSA(C1)RSA(B1)B2

then RSA(C1)C2 = RSA(C1)RSA(C1)RSA(B1)B2

= RSA(B1)B2

so RSAH(C1, C2) = RSA[RSA(C1)C2)] = RSA[RSA(B1)B2]

= RSAH(B1, B2)
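The algebra in 11.7 can be confirmed numerically, which shows why this construction fails property 5 (weak collision resistance). This is an added example, not part of the original answer; the RSA parameters and block values are constructed toy values.

```python
# Constructed toy RSA public key (far too small for any real use).
P, Q, E = 61, 53, 17
N = P * Q  # 3233

def rsa(x):
    """Public RSA operation: x^E mod N."""
    return pow(x, E, N)

def rsah(b1, b2):
    """Two-block hash from the answer: RSAH(B1, B2) = RSA(RSA(B1) XOR B2)."""
    return rsa(rsa(b1) ^ b2)

def second_message(b1, b2, c1):
    """For any chosen C1, compute C2 = RSA(C1) XOR RSA(B1) XOR B2."""
    return c1, rsa(c1) ^ rsa(b1) ^ b2

def colliding_messages(b1, b2, candidates):
    """Return every (C1, C2) != (B1, B2) that hashes to RSAH(B1, B2)."""
    target = rsah(b1, b2)
    found = []
    for c1 in candidates:
        msg = second_message(b1, b2, c1)
        if msg != (b1, b2) and rsah(*msg) == target:
            found.append(msg)
    return found

if __name__ == "__main__":
    b1, b2 = 1234, 567                      # constructed message blocks
    hits = colliding_messages(b1, b2, range(2, 50))
    print(f"RSAH(B1, B2) = {rsah(b1, b2)}")
    print(f"{len(hits)} of 48 chosen C1 values gave a second message")
```

Every choice of C1 yields a second preimage because the two RSA(C1) terms cancel under XOR, leaving the same inner value RSA(B1) XOR B2.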

11.8 The statement is false. Such a function cannot be one-to-one because the number of inputs to the function is arbitrary, but the number of unique outputs is $2^n$. Thus, there are multiple inputs that map into the same output.

ANSWERS TO QUESTIONS

12.1 In little-endian format, the least significant byte of a word is in the low-address byte position. In big-endian format, the most significant byte of a word is in the low-address byte position.

12.2 Addition modulo $2^{64}$ or $2^{32}$, circular shift, primitive Boolean functions based on AND, OR, NOT, and XOR.

12.3 XOR, addition over a finite field, and circular shifts.

12.4 1. Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES.

2. Library code for cryptographic hash functions is widely available.

12.5 To replace a given hash function in an HMAC implementation, all that is required is to remove the existing hash function module and drop in the new module.

ANSWERS TO PROBLEMS

12.1 Assume an array of sixteen 64-bit words W[0], . . ., W[15], which will be treated as a circular queue. Define MASK = 0000000F in hex. Then for round t:

    s = t ∧ MASK;
    if (t ≥ 16) then
        W[s] = W[s] + σ0(W[(s + 1) ∧ MASK]) + W[(s + 9) ∧ MASK] + σ1(W[(s + 14) ∧ MASK])

12.2

$$W_{16} = W_0 + \sigma_0(W_1) + W_9 + \sigma_1(W_{14})$$

$$W_{17} = W_1 + \sigma_0(W_2) + W_{10} + \sigma_1(W_{15})$$

$$W_{18} = W_2 + \sigma_0(W_3) + W_{11} + \sigma_1(W_{16})$$

$$W_{19} = W_3 + \sigma_0(W_4) + W_{12} + \sigma_1(W_{17})$$
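The circular-queue schedule of 12.1 can be checked against the plain 80-word array it replaces, which also reproduces the expansions in 12.2. This is an added example, not code from the text. It assumes the operator joining the terms is addition modulo 2^64 and that σ0 and σ1 are the SHA-512 small-sigma functions of FIPS 180-4, neither of which is defined on this page. The input block is constructed.

```python
M64 = (1 << 64) - 1      # all arithmetic is on 64-bit words
MASK = 0x0000000F

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & M64

def sigma0(x):
    # SHA-512 small sigma 0 (assumed from FIPS 180-4)
    return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7)

def sigma1(x):
    # SHA-512 small sigma 1 (assumed from FIPS 180-4)
    return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6)

def schedule_full(block_words):
    """Reference schedule: keep all 80 words W[0..79] in memory."""
    w = list(block_words)
    for t in range(16, 80):
        w.append((sigma1(w[t - 2]) + w[t - 7]
                  + sigma0(w[t - 15]) + w[t - 16]) & M64)
    return w

def schedule_queue(block_words):
    """Produce W_t for t = 0..79 from a 16-word circular queue (answer 12.1)."""
    w = list(block_words)
    out = []
    for t in range(80):
        s = t & MASK
        if t >= 16:
            # W[s] still holds W_{t-16}; the other slots hold W_{t-15}, W_{t-7}, W_{t-2}
            w[s] = (w[s] + sigma0(w[(s + 1) & MASK])
                    + w[(s + 9) & MASK] + sigma1(w[(s + 14) & MASK])) & M64
        out.append(w[s])
    return out

def sample_block():
    # Constructed sixteen-word input block
    return [(0x0123456789ABCDEF * (i + 1)) & M64 for i in range(16)]

if __name__ == "__main__":
    blk = sample_block()
    print("schedules match:", schedule_queue(blk) == schedule_full(blk))
```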

12.3 a. 1. Interchange x1 and x4; x2 and x3; y1 and y4; and y2 and y3.

2. Compute Z = X + Y mod $2^{32}$.

3. Interchange z1 and z4; and z2 and z3.
