4. Hash Functions


Contents

- Message Digest
- Application of Message Digest
- Message Digest 2 (MD2)
- Message Digest 4 (MD4)
- Message Digest 5 (MD5)
- Secure Hash Standard (SHS)

Message Digest

A cryptographic hash algorithm, also known as message digest or one-way transformation, is a mathematical transformation that maps a message m of arbitrary length to a fixed-length number h(m). Purpose: it should prevent falsification.

It has the following properties:

- For any message m, it is easy to compute h(m).
- Given h(m), there is no way to find a message m that hashes to h(m).
- It is computationally impossible to find two different messages m and m' that hash to the same number h(m).

Note that the transformation is many-to-one: many messages have the same hash value. Computing h(m) from m is easy; going back from h(m) to a message m is very complicated.

It is necessary for the transformation that the output must not be predictable:

- If 1000 inputs are selected at random, any particular bit in the 1000 resulting outputs should be 1 about half the time.
- Each output should have about 50% of its bits equal to 1 (with high probability).
- If two inputs differ only by one bit, then the outputs should look like completely independently chosen random numbers.

Message Digest (continued)

It should look as if someone flipped coins to determine, for each possible input, what the output should be.

Problem: it is still possible that two outputs have the same value although the inputs were different.

The Birthday Problem (forget about leap years, i.e. February 29):

- For one person, there are n = 365 distinct birthdays. The probability $p_1$ of "different birthdays" is $n/n$.
- For two people, there are 364 (i.e. $n-1$) different ways that the second could have a birthday without matching the first:
  $p_2 = \frac{n}{n} \cdot \frac{n-1}{n}$
- $p_3 = \frac{n}{n} \cdot \frac{n-1}{n} \cdot \frac{n-2}{n}$
- The probability of different birthdays for r people:
  $p_r = \frac{n(n-1)(n-2)\cdots(n-r+1)}{n^r} = \frac{n!}{n^r\,(n-r)!}$
- The probability of a match is $1 - p_r$.
- On average, a match will occur after about $\sqrt{n}$ steps; in the birthday problem $p_r \le \tfrac{1}{2}$ for $r \ge 23$.

Application of a Message Digest

If the message digest has k bits, i.e. $2^k$ different message digests, it would take $2^{k/2}$ messages, chosen at random, to create two outputs with identical values. Therefore $k \ge 128$, because it is considered infeasible to search $2^{64}$ messages (current state of the art).

[Rule of the game: if somebody is able (maybe by pure luck) to create two different messages with the same 128-bit MD, then the whole algorithm for MD construction is considered null and void!!!]

History: with RSA it is possible to digitally sign a message (signature = encrypt the message with the private key). But computing a signature for a long message with RSA is slow. Idea: sign the message digest rather than the original message. The drive for message digest algorithms started with public key cryptography (after the invention of RSA). An MD is even used when the message is transmitted in clear, just to ensure integrity.
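The birthday computation above, as an added example (not from the lecture slides): it evaluates the exact product formula for $p_r$, searches for the first r at which a match becomes more likely than not, and relates that to the $2^{k/2}$ work bound for a k-bit digest.

```python
import math

def p_all_distinct(n: int, r: int) -> float:
    """p_r = n(n-1)...(n-r+1) / n^r: probability that r values drawn uniformly
    from n possibilities are all different (running product, no huge factorials)."""
    p = 1.0
    for j in range(r):
        p *= (n - j) / n
    return p

def match_probability(n: int, r: int) -> float:
    """Probability of at least one match among r draws: 1 - p_r."""
    return 1.0 - p_all_distinct(n, r)

def draws_for_half(n: int) -> int:
    """Smallest r with P(match) >= 1/2; for n = 365 this is the classic 23."""
    r = 1
    while p_all_distinct(n, r) > 0.5:
        r += 1
    return r

def draws_for_half_approx(n: int) -> float:
    """P(match) ~ 1 - exp(-r^2 / 2n), so the 1/2 point is r ~ sqrt(2 ln 2 * n),
    about 1.18 * sqrt(n): the sqrt(n) scaling the slide refers to."""
    return math.sqrt(2.0 * math.log(2.0) * n)

def collision_work_bits(k: int) -> float:
    """A k-bit digest has n = 2^k outputs, so a random-search collision costs about
    sqrt(n) = 2^(k/2) digests; the slide's k >= 128 makes that 2^64."""
    return k / 2

if __name__ == "__main__":
    print(draws_for_half(365), match_probability(365, 23), match_probability(365, 50))
    print(draws_for_half_approx(365), collision_work_bits(128))
```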

Application of a Message Digest: Authentication

Authentication using a message digest: Alice and Bob share a secret $K_{AB}$; Alice wants to know whether Bob is still alive.

- Alice sends a challenge $r_A$ (a random number).
- Bob concatenates the secret $K_{AB}$ with $r_A$ and takes a message digest of that: $MD(K_{AB} | r_A)$.
- Bob sends $MD(K_{AB} | r_A)$ to Alice, and Alice checks the result (by applying the same procedure).

Figure: Alice sends $r_A$; Bob replies with $MD(K_{AB} | r_A)$ and his own challenge $r_B$; Alice replies with $MD(K_{AB} | r_B)$; then the message m follows.

Application of a Message Digest: Message Integrity Code

Use a message digest to generate a Message Integrity Code (MIC): only the appropriate sender (say Alice) is able to compute the appropriate MIC for a message m. Obviously, $MD(m)$ is not a MIC for m, since anyone can compute $MD(m)$. Instead, compute the MIC with the shared secret key $K_{AB}$ (the same trick as for authentication):

  Alice -> Bob: m, $MD(m | K_{AB})$; Bob recomputes the MIC and answers "ok" or "error".

The MIC can only be computed if $K_{AB}$ is known, i.e. it can only be computed and checked for correctness by Alice and by Bob. An enemy who substitutes a message m* must also supply $MD(m^* | K_{AB})$; since he doesn't know $K_{AB}$, his MD(..) is probably nonsense.

Application of a Message Digest: Encryption

Use a message digest for encryption. Problem: message digest algorithms are not reversible. Idea: generate (pseudo-)random numbers using the message digest and use a Vernam cipher (XOR of the message and the random bit stream).

Alice and Bob need a shared secret $K_{AB}$. Partition the message into chunks $m_1, m_2, \ldots$ whose length is identical to the MD length. Then:

  $b_1 = MD(K_{AB} | IV)$        $c_1 = m_1 \oplus b_1$
  $b_2 = MD(K_{AB} | b_1)$       $c_2 = m_2 \oplus b_2$
  $b_3 = MD(K_{AB} | b_2)$       $c_3 = m_3 \oplus b_3$
  ...
  $b_n = MD(K_{AB} | b_{n-1})$   $c_n = m_n \oplus b_n$

Alice and Bob can compute the $b_i$ in advance, and they need a different IV (initial vector) for each further encryption, since it is not secure to use the same bit stream twice.

Problem: if you are able to guess the plaintext, you can XOR the guessed text with the ciphertext and then transmit any false message you like: if $m_1, \ldots, m_n$ is guessed and $c_1, \ldots, c_n$ is received, then the attacker can compute $b_i = c_i \oplus m_i$ and can transmit $m_1^*, \ldots, m_n^*$ by means of $c_1^* = m_1^* \oplus b_1, \ldots, c_n^* = m_n^* \oplus b_n$.

Solution: mix the plaintext into the bit stream generation.

  $b_1 = MD(K_{AB} | IV)$        $c_1 = m_1 \oplus b_1$
  $b_2 = MD(K_{AB} | c_1)$       $c_2 = m_2 \oplus b_2$
  $b_3 = MD(K_{AB} | c_2)$       $c_3 = m_3 \oplus b_3$
  ...
  $b_n = MD(K_{AB} | c_{n-1})$   $c_n = m_n \oplus b_n$

Price to be paid: if a transmission error occurs, the rest of the message will be garbled.
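Both MD-based stream constructions above, as an added example that is not from the slides (the "MD" is taken to be SHA-256 here, so chunks are 32 bytes; key and IV are constructed values). It shows where a received-bit error lands in each scheme (only $m_i$ in the first, $m_i$ and the following chunk in the second, whose stream block is derived from $c_i$), and why the IV must not be reused.

```python
import hashlib

DIGEST = 32  # chunk length = MD length (SHA-256 stands in for the slide's MD)

def md(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def chunks(data: bytes) -> list:
    return [data[i:i + DIGEST] for i in range(0, len(data), DIGEST)]

def encrypt_v1(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """First scheme: b_i = MD(K_AB | b_{i-1}), c_i = m_i xor b_i.
    The bit stream depends only on (K_AB, IV), so it can be computed in advance."""
    b, out = iv, []
    for m in chunks(msg):
        b = md(key + b)
        out.append(xor(m, b))
    return b"".join(out)

decrypt_v1 = encrypt_v1  # decryption is the same XOR with the same stream

def encrypt_v2(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Second scheme: b_i = MD(K_AB | c_{i-1}); the ciphertext, and through it the
    plaintext, is mixed into the stream generation."""
    prev, out = iv, []
    for m in chunks(msg):
        c = xor(m, md(key + prev))
        out.append(c)
        prev = c
    return b"".join(out)

def decrypt_v2(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, []
    for c in chunks(ct):
        out.append(xor(c, md(key + prev)))
        prev = c
    return b"".join(out)

def damaged_chunks(key, iv, msg, enc, dec, idx: int) -> list:
    """Flip one bit of ciphertext chunk idx (a transmission error) and return the
    indices of the plaintext chunks that no longer decrypt correctly."""
    ct = bytearray(enc(key, iv, msg))
    ct[idx * DIGEST] ^= 0x01
    pt = dec(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(chunks(msg), chunks(pt))) if a != b]

def stream_reuse_leaks(key, iv, m1: bytes, m2: bytes) -> bool:
    """Why the IV must change: two messages under the same (K_AB, IV) satisfy
    c1 xor c2 = m1 xor m2, i.e. the plaintext difference shows without the key."""
    return xor(encrypt_v1(key, iv, m1), encrypt_v1(key, iv, m2)) == xor(m1, m2)
```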

Application of a Message Digest: Hash from a Secret Key Algorithm

Task: convert a secret key algorithm into a message digest algorithm for arbitrary messages.

Given: a secret key algorithm with key length k bits and message block length b bits (e.g. DES: k = 56 and b = 64).

Algorithm:
- Split the message m into k-bit chunks $m_1, m_2, \ldots$
- Use $m_1$ as a key to encrypt a constant; the result is $b_1$.
- Use $m_2$ as a key to encrypt the previous result $b_1$; the result is $b_2$, and so on.
- Use the final b-bit result as the message digest.

Problem: a 64-bit message digest is too short (see the birthday problem). Generate a second 64-bit quantity using the chunks $m_1, m_2, \ldots$ in reverse order. (This is one of many possible alternatives.)

Application of a Message Digest: UNIX Passwords

Unix uses a secret key algorithm (a modified DES algorithm) to compute the hash of a password. The modification is controlled by a 12-bit number known as the salt. Only the hash of the password and the salt are stored. When the user types a password, UNIX computes the hash (using the salt) and compares the result with the stored quantity.

Algorithm:
- Generate a 12-bit number (the salt).
- Convert the password into a secret key: pack the 7-bit ASCII of each of the 8 characters of the password into a 56-bit quantity (UNIX passwords can be longer than 8 characters, but the remaining bytes are ignored). This is the secret key without the 8 parity bits.
- Use this key with the modified DES algorithm to encrypt 0 (zero).
- The result of the encryption of zero plus the 12-bit number is stored as the user's hashed password.
</gr_repl﻿ace>

<gr_replace lines="23-23" cat="clarify" orig="6 Message Digest 2">
Message Digest 2 (MD2)

The need for message digest algorithms started with public key cryptography (when RSA was invented): computing a signature on a long message with RSA was too slow (not practical), so a cryptographically secure message digest function was needed.

- Ron Rivest developed MD, MD2, MD3, MD4 and MD5; later came SHS (Secure Hash Standard).
- MD was proprietary and was never published; MD3 was superseded by MD4.
- MD2 is documented in RFC 1319, MD4 in RFC 1320, and MD5 in RFC 1321.

MD2 overview:
- The input to MD2 is a message with an arbitrary number of bytes.
- The message is padded to be a multiple of 16 bytes.
- A 16-byte quantity called the checksum is appended (see below).
- Final pass: the message is processed 16 bytes at a time, each time producing an intermediate result for the message digest. Each intermediate value of the message digest depends on the previous intermediate value and the value of the message bytes being processed.

MD2 Padding

There must always be padding (even if the length of the original message is a multiple of 16 bytes): if the length of the message is a multiple of 16 bytes, add 16 bytes of padding; else add the necessary number of bytes (1-15) to make the message a multiple of 16 bytes. The padded message M is then a multiple of 16 bytes, say M = k*16 bytes.

  | original message | padding: r bytes (1 <= r <= 16), each containing the value r |

This trick allows the receiver to detect the end of the message, i.e. where the padding begins.

6 Message Digest 2 (MD2) The need for message digest algorithms started with public key cryptography (RSA was invented). Computing a signature on a long message with RSA was to slow (not practical). Need for a cryptographically secure message digest function Ron Rivest developed MD, MD2, MD3, MD4, MD5 Later: SHS (Secure Hash Standard) MD was proprietary and was never published, MD3 was superseeded by MD4 MD2 is documented in RFC 1319, MD4 in RFC 1320, and MD5 in RFC 1321 MD2 overview: The Input to MD is a message with an arbitrary number of bytes. The message is padded to be a multiple of 16 bytes. A 16-byte quantity called checksum is appended (see below). Final pass: The message is processed, 16 bytes at a time, each time producing an intermediate result for the message digest. Each intermediate value of the message digest depends on the previous intermediate value and the value of the message being processed. 11 / 34 MD2 Padding 12 / 34 There must always be padding (even if the length of the original message is a multiple of 16 bytes). If the length of message is a multiple of 16 bytes then add 16 bytes of padding. Else add the necessary number of bytes (1-15) to make the message a multiple of 16 bytes. The message M is a multiple of 16 bytes, say M = k*16 bytes. original message padding r Bytes (1 r 16) each containing r This This trick trick allows allows to to detect detect the the end end of of the the message multiple of 16 bytes bytes End of the message, beginning of padding 6

MD2 Checksum Computation

The checksum is a 16-byte quantity. It is similar to a message digest, but not cryptographically secure.

Algorithm:
- The checksum C is set to 0.
- Process the message one byte at a time; the calculation requires k*16 steps (k = number of 16-byte chunks).
- $C_n := C_n \oplus \pi(C_{n-1} \oplus M_n)$, where $\pi$ is a substitution function (see the substitution table), C = checksum, M = message, and the indices into C are taken mod 16.

Byte n of the checksum depends on byte n of the message, byte n-1 of the checksum and the previous value of byte n of the checksum. The substitution of $(C_{n-1} \oplus M_n)$ is specified by the MD2 $\pi$ substitution table: for example the value 0 is mapped to 41 and the value 1 is mapped to 46, etc.

Figure: the n-th byte $M_n$ of the padded message is XORed with the (n-1 mod 16)-th byte of the 16-byte checksum, passed through the $\pi$ substitution and XORed into the (n mod 16)-th byte: $c_n := c_n \oplus \pi(c_{n-1} \oplus M_n)$. The final checksum is appended to the message.

MD2 $\pi$ Substitution Table

The table is a fixed permutation of the 256 byte values, laid out in 16 rows of 16 entries: the row is the high nibble and the column the low nibble of the input byte. Example of reading the table: row 13, column 5, i.e. the byte $d5_{16} = 213$, is transformed to 99.

MD2: Final Pass

Input: the padded message with the 16-byte checksum appended. This data stream is processed in chunks of 16 bytes each.

Algorithm:
(1) Initialize a 48-byte block $X_0, X_1, X_2, \ldots, X_{47}$ to 0.
(2) Set the second 16 bytes of X to the first 16 bytes of the message, and the last 16 bytes to the XOR of the first and second 16-byte parts.
(3) Compression function (18 passes over each of the 48 bytes, i.e. 18 * 48 = 864 steps of calculation; the pass number j is used in the computation):

      t = 0
      For j = 0 to 17
        For k = 0 to 47
          t = $\pi$(t) XOR $X_k$
          $X_k$ = t
        t = (t + j) mod 256

(4) Set the second 16 bytes of X to the next 16 bytes of the message, and the third 16 bytes of X to the XOR of the first 16 bytes of X and the second 16 bytes of X. Do step (3).
Repeat steps (4) and (3) with every 16 bytes of the message, in turn.

Output: the first 16 bytes of X.

MD2: Final Pass (figure)

The 48-byte block holds the intermediate MD value (bytes 0-15, initial value 0), the current 16-byte message block (bytes 16-31) and their XOR (bytes 32-47); the message block comes from the padded message with the appended 16-byte checksum. In pass 0 the carried value starts at $c_{-1} := 0$ and for n from 0 through 47 $C_n := C_n \oplus \pi(C_{n-1} \oplus M_n)$ is applied via the $\pi$ substitution; in each later pass i the carried value entering the pass is byte 47 plus the previous pass number, mod 256. After the last block (the checksum) has been processed, the first 16 bytes are the final MD2 value and the rest is discarded.

MD4

MD4 was designed to be 32-bit-word-oriented: MD4 can be computed faster on 32-bit CPUs than the byte-oriented MD2.

MD4 Message Padding

The message to be fed into MD4 must be a multiple of 512 bits (sixteen 32-bit words). The original message is padded by adding a '1' bit, followed by '0' bits. A 64-bit quantity representing the number of bits in the unpadded message, mod $2^{64}$, is appended to the message.

  | original message | padding bits: 1 0 0 ... 0 | original length in bits (64 bits) |   total: a multiple of 512 bits

Example: if the original message has 47 bits, then 512 - 47 - 64 = 401 padding bits are added (a '1' followed by 400 '0' bits).

MD4: Overview of the MD4 Computation

- The message digest to be computed is a 128-bit quantity (four 32-bit words).
- The message is processed in 512-bit blocks (sixteen 32-bit words $m_0, m_1, \ldots, m_{15}$).
- Each stage of the message digest computation takes the current value and modifies it using the next block of the message. Each stage (512-bit block) has three passes: pass 1, pass 2, pass 3.
- The constant $(d_0, d_1, d_2, d_3)$ is initialized to $d_0 = 01234567_{16}$, $d_1 = 89abcdef_{16}$, $d_2 = fedcba98_{16}$, $d_3 = 76543210_{16}$ (written as byte sequences, low-order byte first; as 32-bit words these are 67452301, efcdab89, 98badcfe, 10325476).
- Figure: the constant and the first block of the padded message go into stage 1, which produces the intermediate digest $(d_{0,new}, \ldots, d_{3,new})$; the last stage outputs the message digest. The $m_i$ and $d_i$ consist of 32 bits (i.e. one dword) each.

Somebody found "weaknesses" in MD4 if only two passes were used. No weakness is known when all three passes are used. Nevertheless, this observation led to the development of the even stronger algorithm MD5.

MD4 Operations

- $\lfloor x \rfloor$ is the floor of the number x, i.e. the greatest integer not greater than x.
- $\neg x$ (written ~x) is the bitwise complement of the 32-bit quantity x.
- $x \wedge y$ is the bitwise 'and' of the 32-bit quantities x and y.
- $x \vee y$ is the bitwise 'or' of the 32-bit quantities x and y.
- $x \oplus y$ is the bitwise 'exclusive or' of the 32-bit quantities x and y.
- $x + y$ is the bitwise binary sum of the 32-bit quantities x and y, with the carry bit of the high-order bit discarded (addition mod $2^{32}$).
- $x \lll y$ is the 32-bit quantity produced by taking the 32 bits of x and shifting them one position to the left y times, each time taking the bit shifted off the left end and placing it as the rightmost bit (left rotate).

Function for pass 1: $F(x,y,z) = (x \wedge y) \vee (\neg x \wedge z)$, the "selection function": bitwise, if x = 1 then y, else (x = 0) z.
Function for pass 2: $G(x,y,z) = (x \wedge y) \vee (x \wedge z) \vee (y \wedge z)$, the "threshold function": bitwise, $G = \lfloor (x + y + z)/2 \rfloor$.
Function for pass 3: $H(x,y,z) = x \oplus y \oplus z$.

MD4 Pass 1

$F(x,y,z) = (x \wedge y) \vee (\neg x \wedge z)$ is known as the selection function: if the n-th bit of x is 1 then select the n-th bit of y for the output; if the n-th bit of x is 0 then select the n-th bit of z for the output.

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = \bigl(d_{(-i)\wedge 3} + F(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_i\bigr) \lll S_1(i \wedge 3)$
  where $S_1(i) = 3 + 4i$, e.g. $S_1(1) = 3 + 4 = 7$.

The index $(-i) \wedge 3$ is the two's complement of i masked with 0011, i.e. $(-i) \bmod 4$. Example for i = 5: $-5 \mathrel{\hat=} 1011_2$ and $1011 \wedge 0011 = 0011$, so $d_{(-5)\wedge 3} = d_3$; likewise $d_{(2-4)\wedge 3} = d_{(-2)\wedge 3} = d_2$.

The first few steps of the pass:
  $d_0 = (d_0 + F(d_1, d_2, d_3) + m_0) \lll 3$
  $d_3 = (d_3 + F(d_0, d_1, d_2) + m_1) \lll 7$
  $d_2 = (d_2 + F(d_3, d_0, d_1) + m_2) \lll 11$
  $d_1 = (d_1 + F(d_2, d_3, d_0) + m_3) \lll 15$
  $d_0 = (d_0 + F(d_1, d_2, d_3) + m_4) \lll 3$

MD4 Pass 2

$G(x,y,z) = (x \wedge y) \vee (x \wedge z) \vee (y \wedge z)$ is known as the majority function: the output is 1 if at least two of the three inputs are 1.

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = \bigl(d_{(-i)\wedge 3} + G(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_{X(i)} + \mathrm{5a827999}_{16}\bigr) \lll S_2(i \wedge 3)$

$X(i) = 4i - 15\lfloor i/4 \rfloor$: X(i) is the 4-bit number formed by exchanging the low-order and high-order pairs of bits in the 4-bit number i (e.g. i = 0001 gives X(i) = 0100). $S_2(0) = 3$, $S_2(1) = 5$, $S_2(2) = 9$, $S_2(3) = 13$, and the constant is $\lfloor 2^{30}\sqrt{2} \rfloor = \mathrm{5a827999}_{16}$.

The first few steps of the pass:
  $d_0 = (d_0 + G(d_1, d_2, d_3) + m_0 + \mathrm{5a827999}_{16}) \lll 3$
  $d_3 = (d_3 + G(d_0, d_1, d_2) + m_4 + \mathrm{5a827999}_{16}) \lll 5$
  $d_2 = (d_2 + G(d_3, d_0, d_1) + m_8 + \mathrm{5a827999}_{16}) \lll 9$
  $d_1 = (d_1 + G(d_2, d_3, d_0) + m_{12} + \mathrm{5a827999}_{16}) \lll 13$
  $d_0 = (d_0 + G(d_1, d_2, d_3) + m_1 + \mathrm{5a827999}_{16}) \lll 3$

MD4 Pass 3

$H(x,y,z) = x \oplus y \oplus z$

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = \bigl(d_{(-i)\wedge 3} + H(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_{R(i)} + \mathrm{6ed9eba1}_{16}\bigr) \lll S_3(i \wedge 3)$

$R(i) = 8i - 12\lfloor i/2 \rfloor - 6\lfloor i/4 \rfloor - 3\lfloor i/8 \rfloor$: R(i) is the 4-bit number formed by reversing the order of the bits in the 4-bit number i. $S_3(0) = 3$, $S_3(1) = 9$, $S_3(2) = 11$, $S_3(3) = 15$; the constant is $\lfloor 2^{30}\sqrt{3} \rfloor = \mathrm{6ed9eba1}_{16}$.

The first few steps of the pass (word order $m_{R(0)}, m_{R(1)}, \ldots = m_0, m_8, m_4, m_{12}, m_2, \ldots$):
  $d_0 = (d_0 + H(d_1, d_2, d_3) + m_0 + \mathrm{6ed9eba1}_{16}) \lll 3$
  $d_3 = (d_3 + H(d_0, d_1, d_2) + m_8 + \mathrm{6ed9eba1}_{16}) \lll 9$
  $d_2 = (d_2 + H(d_3, d_0, d_1) + m_4 + \mathrm{6ed9eba1}_{16}) \lll 11$
  $d_1 = (d_1 + H(d_2, d_3, d_0) + m_{12} + \mathrm{6ed9eba1}_{16}) \lll 15$
  $d_0 = (d_0 + H(d_1, d_2, d_3) + m_2 + \mathrm{6ed9eba1}_{16}) \lll 3$

MD5

MD5 is very similar to MD4 but was designed to be more conservative (i.e., less concerned with speed and more concerned with security). Padding in MD5 is identical to the padding in MD4. The major differences are:

- MD4 makes three passes over each 16-word (512-bit) chunk of the message; MD5 makes four passes over each chunk.
- The functions are slightly different, as are the numbers of bits in the shifts.
- MD4 has two constants: one constant is used for each message word in pass 2, and another constant is used for all 16 message words in pass 3. No constant is used in pass 1. MD5 uses a different parameter $T_i$ for each message word on each pass. Since there are 4 passes, each of which covers 16 message words, there are 64 32-bit constants used in MD5.
- $T_i$ is based on the sine function: $T_i = \lfloor 2^{32} |\sin(i)| \rfloor$ (i in radians).

MD5: The Constants $T_i = \lfloor 2^{32} |\sin(i)| \rfloor$ (i in radians, values in hex)

  T_1  = d76aa478   T_17 = f61e2562   T_33 = fffa3942   T_49 = f4292244
  T_2  = e8c7b756   T_18 = c040b340   T_34 = 8771f681   T_50 = 432aff97
  T_3  = 242070db   T_19 = 265e5a51   T_35 = 6d9d6122   T_51 = ab9423a7
  T_4  = c1bdceee   T_20 = e9b6c7aa   T_36 = fde5380c   T_52 = fc93a039
  T_5  = f57c0faf   T_21 = d62f105d   T_37 = a4beea44   T_53 = 655b59c3
  T_6  = 4787c62a   T_22 = 02441453   T_38 = 4bdecfa9   T_54 = 8f0ccc92
  T_7  = a8304613   T_23 = d8a1e681   T_39 = f6bb4b60   T_55 = ffeff47d
  T_8  = fd469501   T_24 = e7d3fbc8   T_40 = bebfbc70   T_56 = 85845dd1
  T_9  = 698098d8   T_25 = 21e1cde6   T_41 = 289b7ec6   T_57 = 6fa87e4f
  T_10 = 8b44f7af   T_26 = c33707d6   T_42 = eaa127fa   T_58 = fe2ce6e0
  T_11 = ffff5bb1   T_27 = f4d50d87   T_43 = d4ef3085   T_59 = a3014314
  T_12 = 895cd7be   T_28 = 455a14ed   T_44 = 04881d05   T_60 = 4e0811a1
  T_13 = 6b901122   T_29 = a9e3e905   T_45 = d9d4d039   T_61 = f7537e82
  T_14 = fd987193   T_30 = fcefa3f8   T_46 = e6db99e5   T_62 = bd3af235
  T_15 = a679438e   T_31 = 676f02d9   T_47 = 1fa27cf8   T_63 = 2ad7d2bb
  T_16 = 49b40821   T_32 = 8d2a4c8a   T_48 = c4ac5665   T_64 = eb86d391

MD5: Overview of the MD5 Computation

Like MD4, MD5 processes the message in 512-bit blocks (sixteen 32-bit words $m_0, m_1, \ldots, m_{15}$ of the padded message). The message digest is a 128-bit quantity (four 32-bit words). Each stage of the message digest computation takes the current value and modifies it using the next block of the message; each stage (512-bit block) makes four passes. The constant $(d_0, d_1, d_2, d_3)$ is initialized as in MD4: $d_0 = 01234567_{16}$, $d_1 = 89abcdef_{16}$, $d_2 = fedcba98_{16}$, $d_3 = 76543210_{16}$ (byte sequences; as 32-bit words 67452301, efcdab89, 98badcfe, 10325476). Figure: constant -> stage 1 -> digest -> stage 2 -> digest -> ... -> message digest.

MD5 Pass 1

$F(x,y,z) = (x \wedge y) \vee (\neg x \wedge z)$ is known as the selection function: if the n-th bit of x is 1 then select the n-th bit of y for the output; if the n-th bit of x is 0 then select the n-th bit of z for the output.

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \Bigl(\bigl(d_{(-i)\wedge 3} + F(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_i + T_{i+1}\bigr) \lll S_1(i \wedge 3)\Bigr)$
  where $S_1(i) = 7 + 5i$, i.e. the shift cycles over 7, 12, 17, 22.

The first few steps of the pass:
  $d_0 = d_1 + ((d_0 + F(d_1, d_2, d_3) + m_0 + T_1) \lll 7)$
  $d_3 = d_0 + ((d_3 + F(d_0, d_1, d_2) + m_1 + T_2) \lll 12)$
  $d_2 = d_3 + ((d_2 + F(d_3, d_0, d_1) + m_2 + T_3) \lll 17)$
  $d_1 = d_2 + ((d_1 + F(d_2, d_3, d_0) + m_3 + T_4) \lll 22)$
  $d_0 = d_1 + ((d_0 + F(d_1, d_2, d_3) + m_4 + T_5) \lll 7)$

MD5 Pass 2

$G(x,y,z) = (x \wedge z) \vee (y \wedge \neg z)$ is different in MD5: the n-th bit of z is used to select the n-th bit of x or of y. Example: $G(0010, 1011, 1001) = (0010 \wedge 1001) \vee (1011 \wedge 0110) = 0000 \vee 0010 = 0010$.

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \Bigl(\bigl(d_{(-i)\wedge 3} + G(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_{(5i+1)\wedge 15} + T_{i+17}\bigr) \lll S_2(i \wedge 3)\Bigr)$
  where $S_2(i) = i(i+7)/2 + 5$, i.e. 5, 9, 14, 20 (why not e.g. $i(i+1)/2 + 14$???).

The first few steps of the pass:
  $d_0 = d_1 + ((d_0 + G(d_1, d_2, d_3) + m_1 + T_{17}) \lll 5)$
  $d_3 = d_0 + ((d_3 + G(d_0, d_1, d_2) + m_6 + T_{18}) \lll 9)$
  $d_2 = d_3 + ((d_2 + G(d_3, d_0, d_1) + m_{11} + T_{19}) \lll 14)$
  $d_1 = d_2 + ((d_1 + G(d_2, d_3, d_0) + m_0 + T_{20}) \lll 20)$
  $d_0 = d_1 + ((d_0 + G(d_1, d_2, d_3) + m_5 + T_{21}) \lll 5)$

MD5 Pass 3

$H(x,y,z) = x \oplus y \oplus z$ (as in MD4)

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \Bigl(\bigl(d_{(-i)\wedge 3} + H(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_{(3i+5)\wedge 15} + T_{i+33}\bigr) \lll S_3(i \wedge 3)\Bigr)$
  where $S_3(0) = 4$, $S_3(1) = 11$, $S_3(2) = 16$, $S_3(3) = 23$.

The first few steps of the pass:
  $d_0 = d_1 + ((d_0 + H(d_1, d_2, d_3) + m_5 + T_{33}) \lll 4)$
  $d_3 = d_0 + ((d_3 + H(d_0, d_1, d_2) + m_8 + T_{34}) \lll 11)$
  $d_2 = d_3 + ((d_2 + H(d_3, d_0, d_1) + m_{11} + T_{35}) \lll 16)$
  $d_1 = d_2 + ((d_1 + H(d_2, d_3, d_0) + m_{14} + T_{36}) \lll 23)$
  $d_0 = d_1 + ((d_0 + H(d_1, d_2, d_3) + m_1 + T_{37}) \lll 4)$

MD5 Pass 4

$I(x,y,z) = y \oplus (x \vee \neg z)$

  For i = 0 to 15 do
    $d_{(-i)\wedge 3} = d_{(1-i)\wedge 3} + \Bigl(\bigl(d_{(-i)\wedge 3} + I(d_{(1-i)\wedge 3},\, d_{(2-i)\wedge 3},\, d_{(3-i)\wedge 3}) + m_{(7i)\wedge 15} + T_{i+49}\bigr) \lll S_4(i \wedge 3)\Bigr)$
  where $S_4(i) = (i+3)(i+4)/2$, i.e. 6, 10, 15, 21.

The first few steps of the pass:
  $d_0 = d_1 + ((d_0 + I(d_1, d_2, d_3) + m_0 + T_{49}) \lll 6)$
  $d_3 = d_0 + ((d_3 + I(d_0, d_1, d_2) + m_7 + T_{50}) \lll 10)$
  $d_2 = d_3 + ((d_2 + I(d_3, d_0, d_1) + m_{14} + T_{51}) \lll 15)$
  $d_1 = d_2 + ((d_1 + I(d_2, d_3, d_0) + m_5 + T_{52}) \lll 21)$
  $d_0 = d_1 + ((d_0 + I(d_1, d_2, d_3) + m_{12} + T_{53}) \lll 6)$
  ...
  $d_1 = d_2 + ((d_1 + I(d_2, d_3, d_0) + m_9 + T_{64}) \lll 21)$

Private question: why four passes? Why not five or six, maybe ten?
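The four MD5 passes, as an added example that is not from the slides or RFC 1321: the constants $T_i$ are generated from the sine formula, the word indices and shifts are the slides' $S_k(i)$ expressions, and each step adds $d_{(1-i)\wedge 3}$ after the rotation (the difference from MD4). The result is cross-checked against the platform MD5 in hashlib.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def md_pad(msg: bytes) -> bytes:
    """Identical to the MD4 padding: '1' bit, '0' bits, 64-bit little-endian bit length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack("<Q", bit_len)

# T_i = floor(2^32 * |sin(i)|), i = 1..64 in radians; T[0] is the slide's T_1.
T = [int(2 ** 32 * abs(math.sin(i))) & MASK for i in range(1, 65)]

# Per pass: bit function, message-word index, and shift S_k(i mod 4) as on the slides.
PASSES = (
    (lambda x, y, z: (x & y) | (~x & z), lambda i: i,                lambda i: 7 + 5 * i),
    (lambda x, y, z: (x & z) | (y & ~z), lambda i: (5 * i + 1) & 15, lambda i: i * (i + 7) // 2 + 5),
    (lambda x, y, z: x ^ y ^ z,          lambda i: (3 * i + 5) & 15, lambda i: (4, 11, 16, 23)[i]),
    (lambda x, y, z: y ^ (x | ~z),       lambda i: (7 * i) & 15,     lambda i: (i + 3) * (i + 4) // 2),
)

def md5_block(d: list, m: tuple) -> list:
    """Four passes over one 16-word block. Unlike MD4, each step adds the register
    d[(1-i) & 3] after the rotation and uses its own constant T_{16p+i+1}."""
    d = list(d)
    for p, (func, word, shift) in enumerate(PASSES):
        for i in range(16):
            a, b, c, e = (-i) & 3, (1 - i) & 3, (2 - i) & 3, (3 - i) & 3
            t = (d[a] + func(d[b], d[c], d[e]) + m[word(i)] + T[16 * p + i]) & MASK
            d[a] = (d[b] + rotl(t, shift(i & 3))) & MASK
    return d

def md5(msg: bytes) -> bytes:
    d = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]  # same start value as MD4
    data = md_pad(msg)
    for off in range(0, len(data), 64):
        m = struct.unpack("<16I", data[off:off + 64])
        d = [(x + y) & MASK for x, y in zip(d, md5_block(d, m))]
    return struct.pack("<4I", *d)

def shifts(pass_no: int) -> tuple:
    """The four rotation amounts S_k(0..3) of a pass, for checking against the slides."""
    return tuple(PASSES[pass_no][2](i) for i in range(4))

def matches_reference(msg: bytes) -> bool:
    """Cross-check against the platform's MD5 implementation."""
    return md5(msg) == hashlib.md5(msg).digest()
```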

SHS (Secure Hash Standard)

SHS was proposed by NIST (the National Institute of Standards and Technology); it is similar to MD5, but slightly slower.

- It can handle messages of up to $2^{64}$ bits, and it produces a 160-bit output (5 x 32 bits). (The slide illustrates $2^{64}$ bits by comparing it with the size of a Bible in megabits.)
- Like MD4 and MD5, SHS operates in stages (in 512-bit blocks). The message digest is a 160-bit quantity (five 32-bit words).
- Each stage (512-bit block) encompasses five passes.
- The constant is initialized to $A = 67452301_{16}$, $B = efcdab89_{16}$, $C = 98badcfe_{16}$, $D = 10325476_{16}$ and $E = c3d2e1f0_{16}$.
- It requires a buffer of eighty 32-bit words (5 x 512 bits): $W_0, W_1, \ldots, W_{79}$.

Figure: the constant (A, B, C, D, E) and the first block of the padded message go into stage 1, which produces the digest $(A_{NEW}, \ldots, E_{NEW})$; the last stage outputs the message digest.

SHS: Generated Data

The first 16 words $W_0, \ldots, W_{15}$ of the buffer are the 16 words of the message block; the remaining words are generated data:

  $W_n := W_{n-3} \oplus W_{n-8} \oplus W_{n-14} \oplus W_{n-16}$  ($16 \le n \le 79$)  [original version]
  $W_n := (W_{n-3} \oplus W_{n-8} \oplus W_{n-14} \oplus W_{n-16}) \lll 1$  ($16 \le n \le 79$)  [revised version]

i.e. the n-th word of the block is the XOR combination of the words n-3, n-8, n-14 and n-16 (in the revised version of SHS the XOR of the words is rotated left by one bit).

Figure: each word $W_t$ is fed, together with the 160-bit intermediate MD value (A, B, C, D, E), into the complicated function f (see below); the rotation by 30 bits in the figure is the update of C from B. After $W_{79}$ the result is the new intermediate MD (or the final MD).

SHS: Step Function

For t = 0 to 79, modify A, B, C, D and E as follows:

  $A_{t+1} = E_t + (A_t \lll 5) + W_t + K_t + f(t, B_t, C_t, D_t)$
  $B_{t+1} = A_t$
  $C_{t+1} = B_t \lll 30$
  $D_{t+1} = C_t$
  $E_{t+1} = D_t$

i.e. $(A_{t+1}, \ldots, E_{t+1}) = \mathrm{Funct}(A_t, \ldots, E_t, W_t, K_t)$, where $W_t$ depends on the message and $K_t$ is a constant (one for each quarter of the section):

  $K_t = \lfloor 2^{30}\sqrt{2} \rfloor = \mathrm{5a827999}_{16}$   ($0 \le t \le 19$)
  $K_t = \lfloor 2^{30}\sqrt{3} \rfloor = \mathrm{6ed9eba1}_{16}$   ($20 \le t \le 39$)
  $K_t = \lfloor 2^{30}\sqrt{5} \rfloor = \mathrm{8f1bbcdc}_{16}$   ($40 \le t \le 59$)
  $K_t = \lfloor 2^{30}\sqrt{10} \rfloor = \mathrm{ca62c1d6}_{16}$  ($60 \le t \le 79$)

$f(t, B, C, D)$ is a function that varies with the words it is applied to:

  $f(t, B, C, D) = (B \wedge C) \vee (\neg B \wedge D)$              ($0 \le t \le 19$)
  $f(t, B, C, D) = B \oplus C \oplus D$                                 ($20 \le t \le 39$)
  $f(t, B, C, D) = (B \wedge C) \vee (B \wedge D) \vee (C \wedge D)$   ($40 \le t \le 59$)
  $f(t, B, C, D) = B \oplus C \oplus D$                                 ($60 \le t \le 79$)
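The SHS stage (message schedule, $K_t$, $f(t, B, C, D)$ and the five-register step above), as an added example that is not from the slides: the `revised` flag switches between the original schedule and the revised one with the one-bit rotation. The revised version is SHA-1, so it is cross-checked against hashlib; padding is assumed to follow the MD4/MD5 layout with the length in big-endian order, as the standard specifies.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def shs_pad(msg: bytes) -> bytes:
    """Same layout as the MD4/MD5 padding, but SHS is big-endian: the 64-bit bit
    length is appended most significant byte first."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", bit_len)

# K_t = floor(2^30 * sqrt(2)), sqrt(3), sqrt(5), sqrt(10): one per quarter of the 80 steps
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)

def f(t: int, b: int, c: int, d: int) -> int:
    """The slide's f(t, B, C, D): selection, parity, majority, parity by quarter."""
    q = t // 20
    if q == 0:
        return (b & c) | (~b & d)
    if q == 2:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def schedule(block: bytes, revised: bool = True) -> list:
    """W_0..W_15 are the message words; W_n = W_{n-3} ^ W_{n-8} ^ W_{n-14} ^ W_{n-16},
    rotated left one bit in the revised standard (SHA-1), unrotated in the original."""
    w = list(struct.unpack(">16I", block))
    for n in range(16, 80):
        x = w[n - 3] ^ w[n - 8] ^ w[n - 14] ^ w[n - 16]
        w.append(rotl(x, 1) if revised else x)
    return w

def shs(msg: bytes, revised: bool = True) -> bytes:
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = shs_pad(msg)
    for off in range(0, len(data), 64):
        w = schedule(data[off:off + 64], revised)
        a, b, c, d, e = h
        for t in range(80):
            # A_{t+1} = E_t + (A_t <<< 5) + W_t + K_t + f(t, B_t, C_t, D_t); B_{t+1} = A_t;
            # C_{t+1} = B_t <<< 30; D_{t+1} = C_t; E_{t+1} = D_t
            a, b, c, d, e = ((e + rotl(a, 5) + w[t] + K[t // 20] + f(t, b, c, d)) & MASK,
                             a, rotl(b, 30), c, d)
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]  # add the stage result
    return struct.pack(">5I", *h)

def matches_sha1(msg: bytes) -> bool:
    """The revised SHS is SHA-1, so it can be cross-checked against hashlib."""
    return shs(msg) == hashlib.sha1(msg).digest()
```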