User's blog

Hash and MAC Algorithms

Written by

Pooja Kotwani

in

Secure Hash Functions

SHA-1, or Secure Hash Algorithm 1, is a cryptographic algorithm that generates a 160-bit (20-byte) hash value from an input. This hash value, often referred to as the message digest, is usually represented as a 40-character hexadecimal number. Initially designed by the United States National Security Agency (NSA), SHA-1 became a U.S. Federal Information Processing Standard. However, it has been considered insecure since 2005, with major tech companies like Microsoft, Google, Apple, and Mozilla ceasing to accept SHA-1 SSL certificates by 2017.

SHA-1 Hash

SHA-1 Algorithm Overview

The SHA-1 algorithm involves several key components and processes to generate a hash. Here’s a breakdown of each step involved:

Components and Process Flow:

  1. Message (M): The original input message that needs to be hashed.
  2. Message Padding: The message is padded to meet the length requirement, ensuring the message’s length is congruent to 448 modulo 512. This step prepares the message for processing in 512-bit blocks.
  3. Round Word Computation (WtW_tWt): After padding, the message is split into 512-bit blocks, which are then divided into 16 words of 32 bits. These words are expanded into 80 32-bit words, which are used in the rounds.
  4. Round Initialization (A, B, C, D, and E): Five working variables (A, B, C, D, and E) are initialized with specific constant values, which are used in iterative calculations.
  5. Round Constants (KtK_tKt): SHA-1 uses four constant values applied to different rounds:
    • K1 for rounds 0-19
    • K2 for rounds 20-39
    • K3 for rounds 40-59
    • K4 for rounds 60-79
  6. Rounds (0-79): The main processing loop consists of 80 rounds, divided into four stages, each using different constants. In each round, logical operations are performed on the working variables (A, B, C, D, and E) using the message words.
  7. Final Round Addition: After all 80 rounds, the final values of the working variables are added to the original hash values.
  8. MPX (Multiplexing): The results from the final addition are combined to form the final message digest.

Summary:

  • Input (Message M): The process starts with the input message.
  • Message Padding: The message is padded to meet the necessary length.
  • Word Computation: The padded message is split into blocks and further into words, which are then expanded.
  • Initialization: Initial hash values are set.
  • Round Processing: The 80 rounds of processing are performed using the words and constants.
  • Final Addition: The round results are added to the initial hash values.
  • Output (Hash Value): The final hash value is generated.
Cryptographic Hash Functions in Java

In Java, the MessageDigest class from the java.security package is used to calculate cryptographic hash values. The following hash functions are supported:

  • MD2
  • MD5
  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512

These algorithms can be initialized using the static getInstance() method. After selecting the algorithm, the message digest is calculated and returned as a byte array. The BigInteger class can be used to convert the byte array to its signum representation, which is then converted into hexadecimal format to produce the final message digest.

3. Hash Function: A hash function is a mathematical process that compresses input data into a fixed-length numeric value. Regardless of the input length, the output remains consistent in size, known as the hash value or message digest.

Example of SHA-1 in Java

  1. Input: hello world
    Output:     2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
  2. Input: GeeksForGeeks
    Output:     addf120b430021c36c232c99ef8d926aea2acd6b

Java Program to Compute SHA-1 Hash

// Java program to calculate SHA-1 hash value
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class GFG {
    public static String encryptThisString(String input) {
        try {
            // getInstance() method is called with algorithm SHA-1
            MessageDigest md = MessageDigest.getInstance("SHA-1");

            // digest() method is called to calculate the message digest of the input string
            byte[] messageDigest = md.digest(input.getBytes());

            // Convert byte array into signum representation
            BigInteger no = new BigInteger(1, messageDigest);

            // Convert message digest into hex value
            String hashtext = no.toString(16);

            // Add preceding 0s to make it 40 digits long
            while (hashtext.length() < 40) {
                hashtext = "0" + hashtext;
            }

            // return the HashText
            return hashtext;
        }
        catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    // Driver code
    public static void main(String args[]) throws NoSuchAlgorithmException {
        System.out.println("HashCode Generated by SHA-1 for:");

        String s1 = "GeeksForGeeks";
        System.out.println("\n" + s1 + " : " + encryptThisString(s1));

        String s2 = "hello world";
        System.out.println("\n" + s2 + " : " + encryptThisString(s2));
    }
}

Output:

HashCode Generated by SHA-1 for:

GeeksForGeeks : addf120b430021c36c232c99ef8d926aea2acd6b

hello world : 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed

Whirlpool Hash Function

Whirlpool is a cryptographic hash function designed by Paulo S.L.M. Barreto and Vincent Rijmen, the co-creator of AES. It was submitted to the NESSIE (New European Schemes for Signatures, Integrity, and Encryption) project and is among the recommended hash functions alongside SHA-256, SHA-384, and SHA-512. Whirlpool is based on a 512-bit block cipher with structural similarities to Rijndael (AES). Unlike other block ciphers, the block cipher used in Whirlpool is dedicated solely for hashing and not for standalone encryption. Designed for both software and hardware implementations, it aims for compactness and performance.

Goals of Whirlpool Hash Function

The primary security goals for Whirlpool include:

  • Collision Resistance: The expected workload to generate a collision (two messages producing the same hash) is around 2^(n/2) executions of Whirlpool.
  • Preimage Resistance: Finding a message corresponding to a given hash value is expected to require 2^n executions.
  • Second Preimage Resistance: Finding another message that matches an existing hash output also requires 2^n executions.
  • Resistance to Differential Attacks: It is infeasible to detect patterns or correlations between input bits and hash results.
  • Avalanche Effect: Flipping even a single input bit results in significant changes across the hash output.
How Whirlpool Works

The Whirlpool hash function processes data through multiple steps involving padding, message length encoding, matrix initialization, and block cipher processing.

Function Definition

The hash function can be described as:

Where:

  • mi are message blocks.
  • W is the Whirlpool block cipher.
  • Ht​ is the final hash output.
Steps for Generating the Whirlpool Digest:
  1. Padding the Message: Message is padded to odd multiple of 256 bits. In the case where the unpadded message is already of that length it is padded with 512 bits (2×256), which is the maximum padding length. Minimum is naturally 1 bit. The first padding bit is always 1 and the rest are zeros.
  2. Appending the Message Length: The length of the unpadded message is appended to the message. The length is expressed as a
    256 bit unsigned integer, with the most significant byte being the leftmost.
    After this step the message length is n x 512 bits (n=1, 2, …)
  3. Initializing the Hash Matrix: The results of the hash function (both intermediate and final) and stored in an 8×8 matrix. Each element of the matrix is 8 bits (a byte) of the message, thus the hash matrix holds 512 bits in
    total. The first matrix H0 is initialized with zeros (each byte is 0000 0000)Block Cipher
  4. Transformation: The message is divided into 512-bit blocks. Each block is processed using a dedicated 512-bit block cipher..
Block cipher W

The block cipher W has similar structure and uses same elementary functions as AES. W uses 512-bit keys and 512-bit blocks while block length of AES is 128 and key length is 128, 192 or 256. W operates with 8×8 byte matrixes because it’s faster than using for example 4×16 matrixes. 4×16 byte matrix requires more rounds than 8×8 byte matrix.

Overall Structure
The encryption algorithm takes 512-bit plaintext block and 512-bit key as input and produces 512- bit cipher text as output. The encryption algorithm uses four different functions or transformations: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR). Overall structure of W block cipher is shown in Before first round W, consists single application of AK, that’s followed by ten rounds that involve use of all four operations. One round can be expressed as round function RF

where Kis the round key matrix for round r.
The overall algorithm can be defined as follows:

Large circle indicates iteration of composition function, with index r running from 1 to 10. Plaintext input to W is single 512-bit block. Block is 8×8 byte matrix labelled CState. First eight bytes of 512 bit plaintext input are put in first row of the matrix. Second eight bytes to second row and so on. Whirlpool uses 512-bit key, called KState. Like CState, KState is also a 8×8 matrix. Key is used as input to initial AK function. On rounds 2 to 10 previous hash value is used as a key. So, output ofnthe first round is the key for the second round . AK function is described in more detailnlater.

Substitute byte (SB)
In Whirlpool, the substitution box (S-box) is a 16×16 table which contains all possible 8- bit values, i.e. 256 permutations. S-box is used for nonlinear mapping. Here is how: Take four leftmost bits from a CState byte and use them as a row indicator for S-Box and take four rightmost bits and use them for a column index. Look up the proper 8-bit value from S-box using these indices and you have the output value.

Mathematically the function can be expressed as follows:

where B is the output, A is the CState and bi,j  is the value of S-box and ai,j  represents the individual byte of CState. Indices i and j range from zero to seven (CState is 8 by 8 matrix). S here represents the process of S-box mapping.

E-Box is defiened as 

Shift Columns (SC)
The permutation layer makes each column of CState to shift downwards circularly, except the first column. To second column, a 1-byte shift is performed. For the third column, a 2-byte shift is performed. This is made to each column. SC Function, where A is input matrix and B is output matrix:

Mix rows (MR)
MR function is the linear diffusion layer of Whirlpool block cipher. For diffusion functions, each output bit is affected by several input bits.

Add Round Key(AK)
In this the 512 bits of the round key is goes through XOR with 512 bit of current state.

The round key, K, used in the AK layer is generated using the very cipher itself. For key expansion, the round constant acts as the round key for the add key layer. The round constant for row r can be defined as follows:

Key expansion
The round key, K, used in the AK layer is generated using the very cipher itself. For key expansion, the round constant acts as the round key for the add key layer. The round constant for row r can be defined as follows:

Security

The Whirlpool hash function is optimized for both hardware and software implementations, making it suitable for a wide range of platforms, including devices with limited storage such as smart cards. One of its key advantages is its minimal storage requirements, which allow it to function effectively even in constrained environments. Its design also enables high performance, particularly on platforms with larger cache memory, where it can achieve faster processing speeds. Additionally, Whirlpool’s long hash length of 512 bits offers strong protection against birthday attacks by significantly reducing the probability of collisions. The extended length also contributes to better entropy containment, making it suitable for use in certain classes of pseudo-random number generators. When compared to other hash functions like MD5 and SHA-256, Whirlpool tends to perform faster due to requiring fewer processing rounds while still maintaining a high level of security.

Implementation
  • Whirlpool is optimized for both hardware and software implementations.
  • It performs well on platforms with limited storage (e.g., smart cards).
  • Key properties include:
    • Efficiency: Minimal storage requirements.
    • Performance: Works well with larger caches for better speed.
    • Long Hash Length: The 512-bit hash provides strong protection against birthday attacks and ensures good entropy containment for pseudo-random number generation.
  • Hardware Performance: Faster than other hash functions like MD5 and SHA-256 due to fewer processing rounds.
Comparison to Alternatives

AES (Advanced Encryption Standard)

  • Whirlpool shares a structural similarity with AES.
  • Both use substitution-permutation networks and matrix transformations.
  • AES uses 128, 192, or 256-bit keys, while Whirlpool uses a 512-bit key and block size.
  • Whirlpool is dedicated to hashing, while AES is a block cipher for encryption.

SHA-512

  • Both Whirlpool and SHA-512 produce 512-bit hash outputs.
  • On 64-bit processors, Whirlpool is competitive with SHA-512 but slightly slower for double message hashing.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts