Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Other Schemes

Ralph Merkle proposed a scheme using DES, but it’s slow; it only processes seven message bits per iteration and each iteration involves two DES encryptions [1065, 1069]. Another scheme [1642, 1645] is insecure [1267]; it was once proposed as an ISO standard.

### 18.12 Using Public-Key Algorithms

It is possible to use a public-key encryption algorithm in a block chaining mode as a one-way hash function. If you then throw away the private key, breaking the hash would be as difficult as reading the message without the private key.

Here’s an example using RSA. If M is the message to be hashed, n is the product of two primes p and q, and e is another large number relatively prime to (p - 1)(q - 1), then the hash function, H(M ), would be

H(M ) = Me mod n

An even easier solution would be to use a single strong prime as the modulus p. Then:

H(M ) = Me mod p

Breaking this problem is probably as difficult as finding the discrete logarithm of e. The problem with this algorithm is that it’s far slower than any others discussed here. I don’t recommend it for that reason.

### 18.13 Choosing a One-Way Hash Function

The contenders seem to be SHA, MD5, and constructions based on block ciphers; the others really haven’t been studied enough to be in the running. I vote for SHA. It has a longer hash value than MD5, is faster than the various block-cipher constructions, and was developed by the NSA. I trust the NSA’s abilities at cryptanalysis, even if they don’t make their results public.

Table 18.2 gives timing measurements for some hash functions.y They are meant for comparison purposes only.

### 18.14 Message Authentication Codes

A message authentication code, or MAC, is a key-dependent one-way hash function. MACs have the same properties as the one-way hash functions discussed previously, but they also include a key. Only someone with the identical key can verify the hash. They are very useful to provide authenticity without secrecy.

MACs can be used to authenticate files between users. They can also be used by a single user to determine if his files have been altered, perhaps by a virus. A user could compute the MAC of his files and store that value in a table. If the user used instead a one-way hash function, then the virus could compute the new hash value after infection and replace the table entry. A virus could not do that with a MAC, because the virus does not know the key.

Table 18.2
Speeds of Some Hash Functions on a 33 MHz 486SX

Algorithm Hash Length Encryption Speed (kilobytes/second)

Abreast Davies-Meyer (with IDEA) 128 22
Davies-Meyer (with DES) 64 9
GOST Hash 256 11
HAVAL (3 passes) variable 168
HAVAL (4 passes) variable 118
HAVAL (5 passes) variable 95
MD2 128 23
MD4 128 236
MD5 128 174
N-HASH (12 rounds) 128 29
N-HASH (15 rounds) 128 24
RIPE-MD 128 182
SHA 160 75
SNEFRU (4 passes) 128 48
SNEFRU (8 passes) 128 23

An easy way to turn a one-way hash function into a MAC is to encrypt the hash value with a symmetric algorithm. Any MAC can be turned into a one-way hash function by making the key public.

CBC-MAC

The simplest way to make a key-dependent one-way hash function is to encrypt a message with a block algorithm in CBC or CFB modes. The hash is the last encrypted block, encrypted once more in CBC or CFB modes. The CBC method is specified in ANSI X9.9 [54], ANSI X9.19 [56], ISO 8731-1 [759], ISO 9797 [763], and an Australian standard [1496]. Differential cryptanalysis can break this scheme with reduced-round DES or FEAL as the underlying block algorithms [1197].

The potential security problem with this method is that the receiver must have the key, and that key allows him to generate messages with the same hash value as a given message by decrypting in the reverse direction.

Message Authenticator Algorithm (MAA)

This algorithm is an ISO standard [760]. It produces a 32-bit hash, and was designed for mainframe computers with a fast multiply instruction [428].

v = v <<< 1
e = vw
x = ((((e + y ) mod 232) ⊦ A⊥ C) * (xMi)) mod 232 - 1
y = ((((e + x) mod 232) ⊦ B⊥ D) * (yMi)) mod 232 - 2

Iterate these for each message block, Mi, and the resultant hash is the XOR of x and y. The variables v and e are determined from the key. A, B, C, and D are constants.

This algorithm is probably in wide use, but I can’t believe it is all that secure. It was designed a long time ago, and isn’t very complicated.

[an error occurred while processing this directive]