Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

*Other Schemes*

Ralph Merkle proposed a scheme using DES, but it’s slow; it only processes seven message bits per iteration and each iteration involves two DES encryptions [1065, 1069]. Another scheme [1642, 1645] is insecure [1267]; it was once proposed as an ISO standard.

It is possible to use a public-key encryption algorithm in a block chaining mode as a one-way hash function. If you then throw away the private key, breaking the hash would be as difficult as reading the message without the private key.

Here’s an example using RSA. If *M* is the message to be hashed, *n* is the product of two primes *p* and *q,* and *e* is another large number relatively prime to (*p* - 1)(*q* - 1), then the hash function, H(*M* ), would be

- H(
*M*) =*M*mod^{e}*n*

An even easier solution would be to use a single strong prime as the modulus *p*. Then:

- H(
*M*) =*M*mod^{e}*p*

Breaking this problem is probably as difficult as finding the discrete logarithm of *e*. The problem with this algorithm is that it’s far slower than any others discussed here. I don’t recommend it for that reason.

The contenders seem to be SHA, MD5, and constructions based on block ciphers; the others really haven’t been studied enough to be in the running. I vote for SHA. It has a longer hash value than MD5, is faster than the various block-cipher constructions, and was developed by the NSA. I trust the NSA’s abilities at cryptanalysis, even if they don’t make their results public.

Table 18.2 gives timing measurements for some hash functions.y They are meant for comparison purposes only.

A message authentication code, or MAC, is a key-dependent one-way hash function. MACs have the same properties as the one-way hash functions discussed previously, but they also include a key. Only someone with the identical key can verify the hash. They are very useful to provide authenticity without secrecy.

MACs can be used to authenticate files between users. They can also be used by a single user to determine if his files have been altered, perhaps by a virus. A user could compute the MAC of his files and store that value in a table. If the user used instead a one-way hash function, then the virus could compute the new hash value after infection and replace the table entry. A virus could not do that with a MAC, because the virus does not know the key.

Table 18.2 Speeds of Some Hash Functions on a 33 MHz 486SX | ||
---|---|---|

Algorithm | Hash Length | Encryption Speed (kilobytes/second) |

Abreast Davies-Meyer (with IDEA) | 128 | 22 |

Davies-Meyer (with DES) | 64 | 9 |

GOST Hash | 256 | 11 |

HAVAL (3 passes) | variable | 168 |

HAVAL (4 passes) | variable | 118 |

HAVAL (5 passes) | variable | 95 |

MD2 | 128 | 23 |

MD4 | 128 | 236 |

MD5 | 128 | 174 |

N-HASH (12 rounds) | 128 | 29 |

N-HASH (15 rounds) | 128 | 24 |

RIPE-MD | 128 | 182 |

SHA | 160 | 75 |

SNEFRU (4 passes) | 128 | 48 |

SNEFRU (8 passes) | 128 | 23 |

An easy way to turn a one-way hash function into a MAC is to encrypt the hash value with a symmetric algorithm. Any MAC can be turned into a one-way hash function by making the key public.

*CBC-MAC*

The simplest way to make a key-dependent one-way hash function is to encrypt a message with a block algorithm in CBC or CFB modes. The hash is the last encrypted block, encrypted once more in CBC or CFB modes. The CBC method is specified in ANSI X9.9 [54], ANSI X9.19 [56], ISO 8731-1 [759], ISO 9797 [763], and an Australian standard [1496]. Differential cryptanalysis can break this scheme with reduced-round DES or FEAL as the underlying block algorithms [1197].

The potential security problem with this method is that the receiver must have the key, and that key allows him to generate messages with the same hash value as a given message by decrypting in the reverse direction.

*Message Authenticator Algorithm (MAA)*

This algorithm is an ISO standard [760]. It produces a 32-bit hash, and was designed for mainframe computers with a fast multiply instruction [428].

*v*=*v*<<< 1*e*=*v*⊕*w**x*= ((((*e*+*y*) mod 2^{32}) ⊦ A⊥ C) * (*x*⊕*M*_{i})) mod 2^{32}- 1*y*= ((((*e + x*) mod 2^{32}) ⊦ B⊥ D) * (*y*⊕*M*_{i})) mod 2^{32}- 2

Iterate these for each message block, *M*_{i}, and the resultant hash is the XOR of *x* and *y*. The variables *v* and *e* are determined from the key. A, B, C, and D are constants.

This algorithm is probably in wide use, but I can’t believe it is all that secure. It was designed a long time ago, and isn’t very complicated.

Previous | Table of Contents | Next |