CA2237941C - Efficient cryptographic hash functions and methods for amplifying the security of hash functions and pseudo-random functions - Google Patents
- Publication number
- CA2237941C
- Authority
- CA
- Canada
- Prior art keywords
- bits
- generators
- generating
- input
- exclusive
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H04L9/0662: Pseudorandom key sequence combined element-for-element with data sequence (e.g. one-time-pad [OTP] or Vernam's cipher) with particular pseudorandom sequence generator (under H04L9/0656, H04L9/065, H04L9/06, H04L9/00)
- G06F7/582: Pseudo-random number generators (under G06F7/58, G06F7/00)
- H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (under H04L9/06, H04L9/00)
- H04L2209/12: Details relating to cryptographic hardware or logic circuitry (under H04L2209/00)
- H04L2209/20: Manipulating the length of blocks of bits, e.g. padding or block truncation (under H04L2209/00)
- H04L9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees (under H04L9/00)
Abstract
The cryptographic hash function circuit (300) has tables (301, 302, ..., 303) and has inputs of c_i(j) on the input buses (311, 312, ..., 313) to the tables (301, 302, ..., 303), making outputs on the output buses (321, 322, ..., 323) that feed into an exclusive-OR gate (331). The output of the exclusive-OR gate is k_j on bus (351). The key K is the concatenation of the eight k_j's.
Description
CA 02237941 1998-0~
WO 97/18652 PCT/US96/17449
EFFICIENT CRYPTOGRAPHIC HASH FUNCTIONS AND METHODS FOR AMPLIFYING THE SECURITY OF HASH FUNCTIONS AND PSEUDO-RANDOM FUNCTIONS
Field of the Invention
This invention relates generally to hash function generators and, more specifically, to circuitry and a concomitant methodology for the efficient generation of cryptographic hash function bits.
Background of the Invention
A cryptographic hash function (CHF) is a basic cryptographic primitive and as such it has been widely investigated. Informally, a hash function is any function which takes as input a long string of bits and returns a short, fairly random string of bits. Basically, a cryptographic hash function is a hash function with the additional property that finding two input strings which map to the same output string is computationally infeasible. There are actually several variations in the definition of a CHF; the distinctions among the variations will be discussed shortly.
Cryptographic hash functions have a wide variety of applications. For motivational purposes, several applications are briefly outlined. These applications of cryptographic hash functions are not exhaustive; they are simply meant to be illustrative of their broad cryptographic utility. Cryptographic hash functions are used for virus protection and data security. That is, rather than storing an entire program or an entire data set securely, one need only store the cryptographic hash of the program or the data set securely. Before using the program or data set, one first computes the hash value and checks it against the securely stored hash value. In this way, any change to the data or the program will be detected. Also, cryptographic hash functions are used in a similar manner to implement tamper-proof digital time-stamps.
In addition, cryptographic hash functions can be used to implement unforgeable digital signatures. Such a digital signature is quite complicated, however, compared to digital signatures based on public-key cryptosystems. Unfortunately, public-key digital signatures require an inordinate amount of time to compute for large documents. An efficient and simple digital signature scheme is achieved by combining cryptographic hashing with the public-key cryptosystem: a cryptographic hash value of a large document is first computed, and that is subsequently signed using the public-key scheme.
Another use of hash functions can be seen in the following example. Suppose parties A and B share a secret s, and A wishes to authenticate itself to B. B can send a challenge c to A in the clear. A computes the cryptographic hash value of (c,s) and sends it to B. B accepts the authenticity of A if the value it receives is the same as the cryptographic hash value of (c,s) that it privately computed.
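The challenge-response exchange just described, written out with both sides, as an added example that is not part of the patent text. SHA-256 stands in for the generic cryptographic hash of (c,s) (an assumption; the text names no particular function), the length-prefixed framing of the pair is constructed here, and the verifier adds the two checks a deployment needs that the sketch leaves implicit: each challenge is fresh and single-use, and the comparison runs in constant time.

```python
"""Challenge-response authentication with a shared secret s: B sends a fresh
challenge c in the clear, A answers with H(c, s), B recomputes and compares.
Added example; SHA-256 is a stand-in for the text's cryptographic hash (assumption)."""
import hashlib
import hmac
import secrets


def response(challenge: bytes, secret: bytes) -> bytes:
    """A's side: hash of the (challenge, secret) pair.

    The 4-byte length prefix makes the encoding of (c, s) unambiguous, so two
    different (challenge, secret) splits of one byte string cannot collide
    (constructed framing; the patent text specifies no encoding)."""
    framed = len(challenge).to_bytes(4, "big") + challenge + secret
    return hashlib.sha256(framed).digest()


class Verifier:
    """B's side: issues challenges and checks responses against the shared secret."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        # Fresh, unpredictable challenge; remembered so that a captured
        # response cannot be replayed against a later session.
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, resp: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                        # unknown or already-used challenge
        self._outstanding.discard(challenge)    # single use, success or not
        expected = response(challenge, self._secret)
        # Constant-time comparison so timing does not leak matching prefixes.
        return hmac.compare_digest(expected, resp)


if __name__ == "__main__":
    shared = b"shared secret s (constructed)"
    b_side = Verifier(shared)
    c = b_side.challenge()                      # B -> A, in the clear
    r = response(c, shared)                     # A -> B
    print("accepted:", b_side.verify(c, r))     # True
    print("replay accepted:", b_side.verify(c, r))  # False
```

The verifier drops a challenge as soon as it has been used once, so a response recorded from the wire is useless a second time, and `hmac.compare_digest` keeps the accept/reject decision independent of how many leading bytes of a wrong response happen to match.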
Thus far the distinctions between several types of CHFs have been ignored. The two most important variants are now described. The first is called a Universal One-way Hash Function. Such a hash function is indexed by a key. The key is chosen uniformly and independently of the input string. Given the input and the key (and, thus, the hash value), finding another input with the same hash value is infeasible with very high probability. Universal Hash Functions are known to exist if One Way Functions (i.e., functions which are easy to compute but infeasible to invert) exist.
The second variant is called a One-Way Hash Function (OWHF). A OWHF may or may not be indexed by a key. For a OWHF, finding two inputs (and the key if it is a keyed function) which hash to the same value is computationally infeasible. Note that OWHFs resist stronger attacks than UHFs. This makes them both more useful and more difficult to design. Indeed, currently it is not known whether One Way Functions are sufficient to design OWHFs.
The art is devoid of teachings or suggestions wherein a OWHF: (1) uses a strong pseudo-random generator; (2) uses input data to create high quality, pseudo-random keys as indices to pseudo-random functions; and (3) generates a pseudo-random function from 2n bits to 2n bits given a pseudo-random function from n bits to n bits.
Summary of the Invention
These shortcomings as well as other deficiencies and limitations in the art are obviated, in accordance with the present invention, in which the One-Way Hash Function generator, in contrast to the prior art: (1) uses a strong pseudo-random generator (only recently have strong pseudo-random generators become efficient enough to be practical for use in the design of a OWHF); and (2) generates a pseudo-random function from 2n bits to 2n bits given a pseudo-random function from n bits to n bits. To compute pseudo-random function keys from input data, one may use any universal hash function which (a) has output length larger than the input length by enough margin to rule out two inputs having the same hash value with a good probability (over the choice of hash function parameters) and (b) has the property that given an input and its hash value, the hash value of another input remains largely unpredictable.
Herein is provided an efficient universal hash function which is called Finite Field Subset Sum (FFSS) hashing. Both FFSS hashing and the pseudo-random function construction are of separate and independent interest and have applications beyond their use in the OWHF scheme. For example, the PRF doubling construction has immediate application to increasing the difficulty of attacking existing hash functions like MD5, SHA, or pseudo-random functions like DES using birthday attacks or their generalizations. For example, doubling the output length of MD5 using the construction of the present invention from 128 bits to 256 bits increases the number of steps needed for a birthday attack from 2^64 to 2^128, as long as MD5 is sufficiently pseudo-random.
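The square-root relationship behind that claim (about 2^(n/2) evaluations to find a collision in n output bits, so doubling n squares the work) can be checked empirically at toy sizes. The following is an added example, not part of the patent: the "hash" is SHA-256 truncated to n bits, standing in for MD5 or any function that behaves pseudo-randomly, and the sizes n=10 and n=20 are assumptions chosen so the simulation runs in seconds while still showing the 2^5 versus 2^10 ratio.

```python
"""Empirical birthday bound for a hash truncated to n output bits.
Added example, not from the patent; SHA-256 truncated to n bits stands in
for any sufficiently pseudo-random function (assumption)."""
import hashlib
import math
import random


def truncated_hash(prefix: bytes, counter: int, n_bits: int) -> int:
    """First n_bits of SHA-256(prefix || counter).  The prefix models a
    per-trial choice of message family (constructed input, not real data)."""
    digest = hashlib.sha256(prefix + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - n_bits)


def queries_until_collision(n_bits: int, rng: random.Random) -> int:
    """Count evaluations until two distinct inputs share an n-bit output."""
    prefix = rng.getrandbits(64).to_bytes(8, "big")
    seen = set()
    counter = 0
    while True:
        counter += 1
        h = truncated_hash(prefix, counter, n_bits)
        if h in seen:
            return counter
        seen.add(h)


def mean_collision_cost(n_bits: int, trials: int, seed: int = 1) -> float:
    """Average evaluations to the first collision over `trials` seeded runs."""
    rng = random.Random(seed)
    return sum(queries_until_collision(n_bits, rng) for _ in range(trials)) / trials


def expected_birthday_cost(n_bits: int) -> float:
    """Closed-form approximation for an ideal random function with 2^n
    outputs: sqrt(pi/2 * 2^n) evaluations, i.e. on the order of 2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


if __name__ == "__main__":
    for n in (10, 20):
        print(f"n={n:2d}  measured {mean_collision_cost(n, 200):8.1f}"
              f"  predicted {expected_birthday_cost(n):8.1f}")
    # The same formula at the sizes the text quotes: ~2^64 for 128-bit
    # output and ~2^128 for 256-bit output.
    for n in (128, 256):
        print(f"n={n}  predicted 2^{math.log2(expected_birthday_cost(n)):.1f}")
```

Going from 10 to 20 output bits multiplies the measured collision cost by roughly 32 (2^5 to 2^10), which is the same squaring the text describes for 128 to 256 bits; the closed form `expected_birthday_cost` reproduces the quoted 2^64 and 2^128 figures up to the constant sqrt(pi/2).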
Broadly, in accordance with the present invention, output bits corresponding to a one-way hash function of input bits are iteratively generated. Upon each iteration, a current hash function is produced. The methodology utilizes a butterfly pseudo-random function generator, operative with a set of keys, and a finite field subset-sum generator arrangement. For each iteration, the following steps are effected: the input bits are partitioned into a new set of blocks and the new set of blocks are processed by the finite field subset-sum generator arrangement to produce a new set of keys. The new set of keys are provided to the butterfly generator. Then, pseudo-random bits are generated. The exclusive-OR of the pseudo-random bits and the fed-back output of the butterfly generator is computed to produce a set of exclusively-ORed bits. The set of exclusively-ORed bits serve as the next input to the butterfly generator, so that the output of the butterfly generator having the set of exclusively-ORed bits as input is the current one-way hash function. Moreover, the output of the butterfly generator after all the input bits have been partitioned is the one-way hash function.
The security of the inventive subject matter is linked to the security of any trusted block cypher. In spite of the fact that the underlying block cypher has a fixed output size, e.g., 64 bits, the output size of the arrangement in accordance with the present invention is nominally 128 bits. This can be increased to 256 bits or more. Moreover, the scheme can withstand
"birthday attacks" consistent with the output strings being uniformly random (e.g., collisions will be found after approximately 2^64 evaluations when the output is 128 bits and after approximately 2^128 evaluations when the output is 256 bits, etc.), as long as the underlying block cypher behaves as a sufficiently secure pseudo-random function. In addition to being robust against birthday attacks and their more powerful generalizations, the technique is also immune to differential cryptanalysis and linear cryptanalysis, the only other known general purpose attacks on hash functions.
The organization and operation of this invention will be understood from a consideration of the detailed description of the illustrative embodiment, which follows, when taken in conjunction with the accompanying drawing.
Brief Description of the Drawing
FIG. 1 depicts an input stream of bits partitioned into blocks and super-blocks;
FIG. 2 depicts padding at the end of the input bit stream;
FIG. 3 is illustrative circuitry for FFSS hashing in accordance with the present invention;
FIG. 4 is illustrative circuitry for the butterfly pseudo-random generator in accordance with the present invention;
FIG. 5 depicts illustrative circuitry for efficient cryptographic hash function generation obtained by combining the circuitry of FIGS. 3 and 4; and
FIG. 6 is a flow diagram illustrative of the methodology of the present invention.
Detailed Description
Function Theoretic Basis
A mathematical description of the building block components of the technique is presented in this section to introduce terminology and basic concepts. Illustrative implementations and extensions to the underlying building block components are discussed in subsequent sections.
It is assumed from the outset that a block cypher from n bits to n bits is an initial given. Such a block cypher encoder may be realized via the Data Encryption Standard (DES), as published by the National Bureau of Standards, Department of Commerce, FIPS Pub 46, January, 1977. DES has a reasonably fast implementation and is commercially available; for example, device type VM009 available from VLSI Technology Inc. of Tempe, AZ implements DES. A block cypher encoder takes as input a random key k and an input string x of size X to produce an output string of size X.
It is also assumed that a cryptographically strong pseudo-random generator (PRG) is a given; such a generator produces a sequence of pseudo-random bits. The cryptographically secure PRG is used to fill tables in a pre-processing step, as will be elucidated in detail below. Furthermore, the PRG will also be accessible during the processing whenever pseudo-random bits are needed during the computation of the OWHF. Generally, a key is used as a seed to the PRG. Thus, members of the instant OW hash function family are indexed by a key. Accordingly, all of the OWHF implementations below are thus parameterized by this seed, but for the sake of notational simplicity this parameter will remain implicit.
It is assumed that the incoming data, expressed in bits, is broken into blocks. For illustrative purposes, reference is made to FIG. 1, wherein block β_1 (reference numeral 101) is shown as being composed of b groupings designated {c_1(1), c_2(1), ..., c_b(1)}. Similarly, block β_2 (reference numeral 102) is shown as being composed of b groupings designated {c_1(2), c_2(2), ..., c_b(2)}. As further depicted by illustrative group c_1(1) (reference numeral 111), each group is composed of m bits; for group c_1(1), the m bits are shown illustratively as {0,1,1,0,...,0,1}. Also it is assumed that the input data bit stream is padded so that it can be broken into blocks as needed. For instance, with reference to FIG. 2, block β_8 (reference numeral 201) is shown as having the last three groups c_{b-2}(8), c_{b-1}(8), and c_b(8) padded with zeros ("0"), that is, all m bits are zero for the group (see, for example, reference numeral 202).
Again with reference to FIG. 1, the initial portion of the input data bit stream is shown as being partitioned into eight blocks β_1, β_2, ..., β_8 called the initial partition (reference numeral 121). Another partition of the input bit stream can be effected on the next incoming bits to yield a second partition; this next partition is also composed of eight blocks (again called β_1, β_2, ..., β_8 without loss of generality). The next incoming bits following this second partition can be subdivided into eight blocks to yield yet another next partition in terms of a time sequence. Thus the partitions, eight blocks at a time, form a sequence of partitions having an initial partition, followed by a next partition, then followed by yet another next partition, and so forth until the hash input is exhausted. Groupings of eight blocks are referred to as "super-blocks" in the sequel, and the utility of super-blocks will be explained in detail then. It follows, for example, that the first super-block is composed of blocks β_1, β_2, ..., β_8 of the initial partition 121. The hash input is composed of the input data concatenated with some standard padding which makes the hash input length an integral multiple of the length of a super-block. For example, the input data can be concatenated with the input data length and the requisite additional blank symbols.
With this introductory nomenclature defined, two basic building block components can be readily described.
Butterfly Pseudo-Random Function:
A butterfly pseudo-random function (B-PRF) is a pseudo-random function (PRF) from 2n bits to 2n bits with key K. The B-PRF is implemented illustratively from eight PRFs from n bits to n bits, wherein K is the concatenation of eight keys each of length k. The B-PRF is denoted B_K.
Finite Field Subset-sum (FFSS) Hashing:
FFSS hashing is a hash function that randomly maps a block of data β (such as β_i, i=1, 2, ..., or 8 of FIG. 1) into a key of length k bits. The FFSS hashing is denoted S(β), so k = S(β).
To generate the OWHF, the following sequence of steps is carried out. The first step in generating the OWHF h takes the initial eight blocks of data β_1, β_2, ..., β_8 (reference numerals 101-108 of FIG. 1) to 2n bits as follows. First, eight keys are computed by applying S(·) to each block. The results are concatenated to produce the key K for B_K. Next a random input u of 2n bits for B_K is supplied by the given PRG. The initial hash value is then simply B_K(u). Symbolically,
$$K = S(\beta_1) \,\|\, S(\beta_2) \,\|\, S(\beta_3) \,\|\, S(\beta_4) \,\|\, S(\beta_5) \,\|\, S(\beta_6) \,\|\, S(\beta_7) \,\|\, S(\beta_8), \quad (1)$$
and
$$u = \mathrm{PRG}(\cdot), \quad u \in \{0,1\}^{2n}, \quad (2)$$
and finally
$$h = B_K(u). \quad (3)$$
Computing the hash value for the first two super-blocks is done as follows. After computing h from the first super-block as above, apply the FFSS hash to the second super-block of the data to generate a second key, K'. Use the given PRG to generate a second 2n-bit output u' from the PRG. Now the hash value for the first and second super-blocks is
$$h' = B_{K'}(h \oplus u'), \quad (4)$$
where ⊕ stands for bitwise exclusive-OR. In general, if h is the value of the hash function of the first (i-1) super-blocks, then the value of the hash function of the first i super-blocks is given by the formula in equation (4), where K' is the key generated by applying FFSS hashing to the ith super-block and u' is the ith 2n-bit output of the given PRG.
Details of FFSS Hashing
Initialization:
Let T_i, i=1, 2, ..., b be a binary table of size 2^m rows and k columns. Then, for i=1, 2, ..., b, each table T_i is filled with pseudo-random bits in a pre-processing step, that is, for i = 1, 2, ..., b,
$$T_i = \mathrm{PRG}(\cdot). \quad (5)$$
FFSS hashing:
Let a block of data be denoted generically by β_j = c_1(j), c_2(j), ..., c_b(j) (see, for example, β_1 (reference numeral 101) in FIG. 1). Let T_i[n] be the n-th row of the matrix T_i. Now the hash function S(β_j) corresponding to key k_j is given by:
$$S(\beta_j) = \bigoplus_{i=1}^{b} T_i[c_i(j)], \quad (6)$$
where ⊕ stands for bitwise exclusive-OR with i ranging over 1, 2, ..., b.
Circuitry 300 is an illustrative embodiment of FFSS hashing. Tables 301, 302, ..., 303 are filled in a pre-processing step using a cryptographically strong PRG. Each table T_i has 2^m rows and k columns. For the preferred embodiment, m=8 (i.e., there are 256 rows) and k=768 columns. To generate K for a given super-block of eight blocks, each key k_j, j=1, 2, ..., 8, corresponding to each of the blocks in the super-block is produced as follows: (1) the bits corresponding to group c_1(j), on bus 311, are used to select a row from the first table 301, and the k bits in the table located in this row are output via bus 321 and serve as one input to exclusive-OR gate 331; (2) the bits corresponding to group c_2(j), on bus 312, are used to select a row from the second table 302, and the k bits in the table located in this row are output via bus 322 and serve as another input to exclusive-OR gate 331; and so forth until (3) the bits corresponding to group c_b(j), on bus 313, are used to select a row from the b-th table 303, and the k bits in the table located in this row are output via bus 323 and serve as another input to exclusive-OR gate 331. The output of the gate 331, on bus 351, is k_j. The key K is then the concatenation of the eight k_j's as expressed by equation (1).
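FFSS hashing as defined by equations (5) and (6) and realized by circuit 300, written out in software as an added example (not the patent's own code or circuitry). The PRG that fills the tables is SHA-256 in counter mode over a seed, a stand-in for the cryptographically strong PRG the text assumes; m=8 and k=768 are the preferred-embodiment values from the text, while the block width b=16 and the seed and block contents are constructed for the demonstration.

```python
"""Finite Field Subset-Sum (FFSS) hashing: b tables of 2^m rows by k bits are
filled from a PRG in a pre-processing step (equation 5), and a block
beta_j = c_1(j), ..., c_b(j) of b groups of m bits is hashed by XORing the
selected rows T_i[c_i(j)] (equation 6).  Added example, not the patent's code;
the PRG is a SHA-256 counter-mode stand-in and b=16 is an assumed block width."""
import hashlib
from typing import List


def prg_stream(seed: bytes, nbytes: int) -> bytes:
    """Stand-in PRG (assumption): SHA-256 over seed || counter."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def init_tables(seed: bytes, b: int, m: int, k: int) -> List[List[int]]:
    """Equation (5): T_i = PRG(.) for i = 1..b.  Each table has 2^m rows of
    k bits; a row is kept as a Python int so the XOR in (6) is one operation."""
    rows, row_bytes = 1 << m, (k + 7) // 8
    stream = prg_stream(seed, b * rows * row_bytes)
    mask = (1 << k) - 1
    tables, pos = [], 0
    for _ in range(b):
        table = []
        for _ in range(rows):
            table.append(int.from_bytes(stream[pos:pos + row_bytes], "big") & mask)
            pos += row_bytes
        tables.append(table)
    return tables


def split_groups(block: bytes, b: int, m: int) -> List[int]:
    """c_1(j), ..., c_b(j): the block read as b groups of m bits, zero-padded
    on the right as FIG. 2 shows for a short final block."""
    total = b * m
    if 8 * len(block) > total:
        raise ValueError("block longer than b*m bits")
    bits = int.from_bytes(block, "big") << (total - 8 * len(block))
    return [(bits >> ((b - 1 - i) * m)) & ((1 << m) - 1) for i in range(b)]


def ffss_hash(tables: List[List[int]], groups: List[int]) -> int:
    """Equation (6): S(beta_j) = XOR over i of T_i[c_i(j)].  In circuit 300 each
    group selects one row of its table (buses 311..313) and gate 331 XORs them."""
    acc = 0
    for table, c in zip(tables, groups):
        acc ^= table[c]
    return acc


def super_block_key(tables: List[List[int]], blocks: List[bytes],
                    b: int, m: int, k: int) -> bytes:
    """Equation (1): K is the concatenation of the eight k-bit keys k_j."""
    if len(blocks) != 8:
        raise ValueError("a super-block has eight blocks")
    row_bytes = (k + 7) // 8
    return b"".join(
        ffss_hash(tables, split_groups(blk, b, m)).to_bytes(row_bytes, "big")
        for blk in blocks)


if __name__ == "__main__":
    B, M, K = 16, 8, 768          # m and k from the preferred embodiment, b assumed
    T = init_tables(b"key used as PRG seed (constructed)", B, M, K)
    blocks = [bytes([j]) * B for j in range(8)]   # constructed super-block
    print(super_block_key(T, blocks, B, M, K).hex()[:32], "...")
```

Because S is a XOR of table rows, two blocks that differ only in group i have hashes that differ by exactly T_i[c] ⊕ T_i[c'], whatever the other groups are. That is what makes FFSS a fast universal hash for deriving PRF keys, and also why the tables (equivalently, the PRG seed) must stay secret and FFSS is never used on its own as a collision-resistant hash: the construction gets its one-wayness from feeding these keys into the butterfly PRF, not from S itself.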
Details of the Butterfly Pseudo-Random Function
To describe the butterfly-PRF, that is, the function B_K, reference is made to circuitry 400 of FIG. 4. Circuitry 400 utilizes eight pseudo-random function generators G(1), G(2), ..., G(8) (reference numerals 401, 402, ..., 408, respectively), as follows. Initially, eight keys k_j, j=1, 2, ..., 8 (reference numerals 421, 422, ..., 428, respectively) are produced by FFSS hashing for a given super-block. The eight keys serve as keys to the pseudo-random functions G(1), G(2), ..., G(8), respectively. In addition, 2n random input bits, partitioned into first and second sets of n bits, serve as inputs to circuitry 400 via buses 431 and 432, respectively. In terms of the foregoing description, the 2n bits are generated from the PRG as per equation (2). The first input set is fed to the generators G(1) and G(2), and the second input set is fed to the generators G(3) and G(4). A first intermediate set of n bits is generated in exclusive-OR gate 411 from the outputs of the generators G(1) and G(3), and a second intermediate set of n bits is generated in exclusive-OR gate 412 from the outputs of the generators G(2) and G(4). The first intermediate set is then fed to the generators G(5) and G(6), and the second intermediate set is then fed to the generators G(7) and G(8). The first n output bits for the given super-block are generated in the exclusive-OR gate 413 from the outputs of the generators G(5) and G(7) and appear on bus 441, and the second n output bits for the given super-block are generated in the exclusive-OR gate 414 from the outputs of the generators G(6) and G(8) and appear on bus 442.
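The butterfly B_K just described, together with the chaining of equation (4) that hashes a sequence of super-blocks, as an added example that is not the patent's circuitry or code. Each n-bit generator G(j) is HMAC-SHA256 truncated to n = 64 bits, standing in for the DES-style block cipher the text assumes; the PRG is a SHA-256 counter-mode stand-in; and the per-block key schedule S is a pluggable callable whose default is a SHA-256 stand-in rather than FFSS hashing, so that the butterfly and the feedback loop can be studied on their own. The padding (data, then its length, then zeros) follows the standard padding the text mentions; the 4-byte block width and the sample input are constructed.

```python
"""Butterfly PRF B_K of FIG. 4 from eight n-bit keyed PRFs G(1)..G(8), and the
iteration h' = B_K'(h XOR u') of equation (4) over super-blocks.  Added example;
G, the PRG and the key schedule S are stand-ins (assumptions), not the patent's."""
import hashlib
import hmac
from typing import Callable, List

N_BYTES = 8   # n = 64 bits per half, matching the 64-bit block cipher example


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def G(key: bytes, x: bytes) -> bytes:
    """n-bit to n-bit keyed PRF stand-in (HMAC-SHA256 truncated to n bits)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def butterfly(keys: List[bytes], u: bytes) -> bytes:
    """B_K(u): 2n-bit input on buses 431/432, 2n-bit output on buses 441/442.
    keys[0..7] are k_1..k_8 for G(1)..G(8)."""
    if len(keys) != 8 or len(u) != 2 * N_BYTES:
        raise ValueError("need eight keys and a 2n-bit input")
    x1, x2 = u[:N_BYTES], u[N_BYTES:]
    k1, k2, k3, k4, k5, k6, k7, k8 = keys
    y1 = xor(G(k1, x1), G(k3, x2))   # gate 411: G(1) and G(3)
    y2 = xor(G(k2, x1), G(k4, x2))   # gate 412: G(2) and G(4)
    z1 = xor(G(k5, y1), G(k7, y2))   # gate 413: G(5) and G(7) -> bus 441
    z2 = xor(G(k6, y1), G(k8, y2))   # gate 414: G(6) and G(8) -> bus 442
    return z1 + z2


def prg_output(seed: bytes, i: int) -> bytes:
    """u_i, the i-th 2n-bit PRG output (stand-in: SHA-256 in counter mode)."""
    return hashlib.sha256(seed + i.to_bytes(8, "big")).digest()[:2 * N_BYTES]


def stand_in_key_schedule(block: bytes) -> bytes:
    """Stand-in for FFSS S(beta): one key per block (here 32 bytes)."""
    return hashlib.sha256(b"S|" + block).digest()


def partition(data: bytes, block_len: int) -> List[List[bytes]]:
    """Append the 8-byte length and zero padding, then split into super-blocks
    of eight blocks of block_len bytes each (FIG. 1 / FIG. 2)."""
    padded = data + len(data).to_bytes(8, "big")
    padded += bytes(-len(padded) % (8 * block_len))
    blocks = [padded[i:i + block_len] for i in range(0, len(padded), block_len)]
    return [blocks[i:i + 8] for i in range(0, len(blocks), 8)]


def owhf(super_blocks: List[List[bytes]], prg_seed: bytes,
         S: Callable[[bytes], bytes] = stand_in_key_schedule) -> bytes:
    """Equations (1)-(4).  The feedback starts at all zeros, so the first step
    is h = B_K(u) of equation (3); every later step is h' = B_K'(h XOR u')."""
    h = bytes(2 * N_BYTES)
    for i, blocks in enumerate(super_blocks, start=1):
        if len(blocks) != 8:
            raise ValueError("a super-block is eight blocks")
        keys = [S(beta) for beta in blocks]     # equation (1): K = S(b1)||...||S(b8)
        u = prg_output(prg_seed, i)             # equation (2): i-th PRG output
        h = butterfly(keys, xor(h, u))          # equations (3)/(4)
    return h


if __name__ == "__main__":
    msg = b"sample input to hash (constructed)"
    print(owhf(partition(msg, 4), b"prg seed (constructed)").hex())
```

The hash state that is fed back is the full 2n-bit butterfly output, so the chaining value is twice the width of the underlying n-bit primitive, which is exactly how the text obtains a nominally 128-bit output from a 64-bit block cipher. The PRG seed plays the role of the key that indexes the hash family: a different seed gives a different, unrelated function over the same data.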
Combining FFSS Hashing and Butterfly Function
The circuitry 500 of FIG. 5, which is illustrative of circuitry for the efficient generation of a cryptographic hash function, is obtained by combining replicated versions of the FFSS circuitry of FIG. 3 with the butterfly circuitry of FIG. 4 so as to effect equation (4).
SUBSTITUTE SHEET (RULE 26)
With reference to FIG. 5, there is shown an arrangement of eight FFSS generators each represented by circuitry 300 of FIG. 3; each FFSS generator 300 in FIG. 5 is shown in short-hand notation as a block labeled S, which follows from k = S(β) as previously described. The first FFSS generator has super-block β1 as its input, the second FFSS generator has super-block β2 as its input, and so forth so that the eighth FFSS generator has super-block β8 as its input. The eight outputs of the FFSS generator arrangement provide the new set of keys to the individual pseudo-random hash generators G(1), G(2), ..., G(8) of butterfly 400 shown in FIG. 5, respectively.
With circuitry 500, the hash value h for the ith super-block is formed as the concatenation of the bits on buses 441 and 442; these bits are also provided on feed-back buses 541 and 542 of FIG. 5 to exclusive-OR circuits 511 and 512, respectively. The complete hash function of the input data stream is formed by processing each super-block (illustratively, β1, β2, ..., β8) in sequence, and forming the exclusive-OR operation expressed by equation (4) iteratively, that is, as each hash value is produced. Thus, if h is the concatenation of the n bits on bus 441 and the n bits on bus 442 at the (i-1)th iteration, then h', the hash function at the ith iteration, is formed by: feeding back the n bits on bus 541 as one input to exclusive-OR circuit 511 and providing the first n bits of u (the ith output of PRG 510) as the other input to circuit 511; feeding back the n bits on bus 542 as one input to exclusive-OR circuit 512 and providing the second n bits of u as the other input to circuit 512; and providing the n bits from circuits 511 and 512 to generators 401 and 404, respectively, via buses 431 and 432, for processing by butterfly arrangement 400. Of course, for the initial iteration, the fed-back outputs provided on buses 541 and 542 to exclusive-OR circuits 511 and 512 are 0's, that is, the output of circuit 511 is equal to the first n bits of u and the output of circuit 512 is equal to the second n bits of u.
The flow diagram 600 of FIG. 6 is illustrative of the method effected by circuitry 500 of FIG. 5. Initially, as depicted by processing block 610, the FFSS generator arrangement obtained by replicating the FFSS generator 300 of FIG. 3, and butterfly generator 400 are initialized; thus, for instance, the tables 301, 302, ... are filled, and the fed-back output bits on buses 541 and 542 are set to zero. Next, as depicted by processing block 620, the input bit stream is partitioned into blocks of super-blocks, and the new blocks serve as sequential inputs to the FFSS generator arrangement to produce new keys during each partitioning iteration. Then the new keys are provided to the butterfly generator, as depicted by processing block 630. Processing block 640 is invoked to generate pseudo-random bits via PRG 510. As depicted by processing block 650, the exclusive-OR of the pseudo-random bits and the fed-back output bits of the butterfly generator is formed by circuits 511 and 512; furthermore, as depicted by processing block 660, the results of the exclusive-OR serve as inputs to the butterfly generator to obtain the current hash function h, that is, the hash function at the ith iteration. If there are more input bits to be partitioned, as determined by processing block 670, then processing block 620 is again invoked. If the end of the input bit stream has been reached, then the last hash function generated equals the One-Way Hash Function of the input bit stream, as shown by processing block 680.
Generalizations
In illustrative embodiment 400 used to generate BK, DES is the underlying pseudo-random function on n=64 bits. However, the standard key extension algorithm, which stretches the 56 bit key into a 768 bit extended key (a 48 bit sub-key for each of the 16 rounds), is not deployed; rather, a 768 bit extended key is produced directly using the FFSS hashing function S. This improves the rate of operation by consuming a reasonable amount of data per call to DES and by avoiding the costly standard key-extension algorithm. As the extended key is not obtained from concatenating many smaller sub-keys, the "meet-in-the-middle birthday attacks" on the rounds in DES are avoided. Moreover, the extended key algorithm constrains the adversary who attacks this algorithm to use as extended keys only those strings that are in the range of FFSS hashing. But since the range of FFSS is random, it will not intersect with any small set of "bad" keys (e.g., weak or semi-weak) with high probability. Finally, the attacks on DES with fully independent keys take nearly exhaustive search in terms of time.
In BK, G(1) through G(4) may be replaced by universal hash functions which have the property that an output remains unpredictable even if several other outputs are known. Similar comments apply for G(5) through G(8). Just as with pseudo-random functions, to compute a universal hash function a key is needed, and this is provided in the same way as the keys for the pseudo-random functions.
The inputs to BK need not be pseudo-random. They may be a deterministically generated sequence, e.g., the sequence of integers 1, 2, 3, ....
With respect to equation (4), it is noted that the u bits may all be zero, in which case equation (4) reduces to a variant of block chaining.
WO 97/18652 11 PCT/US96/17449
Increasing the Hash Code Length:
Given a hash function H which has an output value of n bits (e.g., 128), a hash function of 2n bit outputs is obtained as follows. Instead of generating a key K using FFSS hashing, do the following. Run a strong random generator on a random seed s to get R1, R2, R3, ..., R8. From input blocks β1, β2, ..., β8 set the keys as follows: $K_1 = R_1 \,\|\, \beta_1,\; K_2 = R_2 \,\|\, \beta_2,\; \ldots,\; K_8 = R_8 \,\|\, \beta_8$, where $\|$ denotes concatenation as in equation (1). Now define G(1), G(2), ..., G(8) to be H(K1,*), H(K2,*), ..., H(K8,*), that is, the evaluation of the random function G(1) with key K1 at an input x is replaced by that of H(K1,x) and so on. The random seed may be sent along with the hash function output if the application requires this step.
Alternately, one may modify BK so that the input data to be hashed is fed as inputs, while K1, ..., K8 may be replaced by random numbers R1, ..., R8. Comments for generalizing the hash function generation apply as well for this case.
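The following Python model is an added example, not code from the patent or its applicants; it implements the method of FIGS. 3 to 6 described above (FFSS key generation per equations (5) and (6), the butterfly B_K of FIG. 4, and the chained update of equation (4) with zeroed feed-back at the first iteration), and also the "Increasing the Hash Code Length" variant just described, in which the keys are K_j = R_j || β_j and each G(j) is the keyed hash H(K_j, ·). Everything not stated in the text is an assumption chosen for the example: HMAC-SHA256 truncated to n=128 bits stands in for DES with a 768-bit extended key, SHA-256 in counter mode stands in for the "given PRG" (both for the tables and for the u bits), the parameters m=8, b=4 and k=256 bits are constructed, and the padding is the input length followed by zero bytes, as the text permits.

```python
import hashlib
import hmac

# Parameters (constructed for this example; the patent's preferred embodiment uses
# m=8, k=768 and DES as the n=64-bit PRF).
M_BITS = 8                              # m: width of one group c_i(j), so each table has 2^m rows
B_GROUPS = 4                            # b: groups per block
K_BYTES = 32                            # k/8: FFSS key length (k=256 bits here)
N_BYTES = 16                            # n/8: width of each PRF G(i) (n=128 bits here)
BLOCK_BYTES = B_GROUPS * M_BITS // 8    # one block beta_j is b m-bit groups
SUPER_BLOCK_BYTES = 8 * BLOCK_BYTES     # a super-block is eight blocks


def prg(seed: bytes, label: bytes, nbytes: int) -> bytes:
    """Stand-in for the 'given PRG' (assumption): SHA-256 in counter mode, domain-separated by label."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_tables(seed: bytes):
    """Equation (5): pre-processing fills b tables T_i of 2^m rows by k columns with PRG bits."""
    rows = 1 << M_BITS
    tables = []
    for i in range(B_GROUPS):
        flat = prg(seed, b"table%d" % i, rows * K_BYTES)
        tables.append([flat[r * K_BYTES:(r + 1) * K_BYTES] for r in range(rows)])
    return tables


def ffss(tables, block: bytes) -> bytes:
    """Equation (6): S(beta_j) = XOR over i of T_i[c_i(j)]; group c_i(j) selects a row of T_i."""
    assert len(block) == BLOCK_BYTES
    key = bytes(K_BYTES)
    for i, group in enumerate(block):       # with m=8 a group is exactly one byte
        key = xor(key, tables[i][group])
    return key


def prf(key: bytes, x: bytes) -> bytes:
    """n-bit keyed PRF G(i). HMAC-SHA256 truncated to n bits stands in for DES (assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def butterfly(keys, u: bytes) -> bytes:
    """B_K: 2n -> 2n bits from eight keyed PRFs wired as in FIG. 4 (gates 411-414)."""
    assert len(keys) == 8 and len(u) == 2 * N_BYTES
    g = lambda i, x: prf(keys[i - 1], x)        # G(i) keyed with k_i
    x1, x2 = u[:N_BYTES], u[N_BYTES:]           # buses 431 and 432
    y1 = xor(g(1, x1), g(3, x2))                # gate 411: first intermediate set
    y2 = xor(g(2, x1), g(4, x2))                # gate 412: second intermediate set
    z1 = xor(g(5, y1), g(7, y2))                # gate 413: first n output bits (bus 441)
    z2 = xor(g(6, y1), g(8, y2))                # gate 414: second n output bits (bus 442)
    return z1 + z2


def pad(data: bytes) -> bytes:
    """Append the 8-byte input length, then zeros up to a multiple of a super-block (assumed padding)."""
    body = data + len(data).to_bytes(8, "big")
    return body + bytes(-len(body) % SUPER_BLOCK_BYTES)


def chained_hash(data: bytes, seed: bytes, derive_keys, use_prg_input: bool = True) -> bytes:
    """Equation (4) iterated: h_i = B_{K_i}(h_{i-1} XOR u_i) with h_0 = 0 (feed-back buses zeroed).
    use_prg_input=False is the generalization in which the u bits are all zero (block chaining)."""
    h = bytes(2 * N_BYTES)
    msg = pad(data)
    for i, start in enumerate(range(0, len(msg), SUPER_BLOCK_BYTES)):
        sb = msg[start:start + SUPER_BLOCK_BYTES]
        blocks = [sb[j * BLOCK_BYTES:(j + 1) * BLOCK_BYTES] for j in range(8)]
        keys = derive_keys(blocks)                                   # k_1 ... k_8 for this super-block
        u = prg(seed, b"u%d" % i, 2 * N_BYTES) if use_prg_input else bytes(2 * N_BYTES)
        h = butterfly(keys, xor(h, u))
    return h


def owhf(data: bytes, seed: bytes, use_prg_input: bool = True) -> bytes:
    """The main construction: keys come from FFSS hashing of each block (equation (1))."""
    tables = make_tables(seed)
    return chained_hash(data, seed, lambda blocks: [ffss(tables, b) for b in blocks], use_prg_input)


def owhf_doubled(data: bytes, seed: bytes, s: bytes) -> bytes:
    """'Increasing the Hash Code Length' variant: R_1..R_8 from a generator seeded by s,
    K_j = R_j || beta_j, and G(j) = H(K_j, .) with H the n-bit keyed hash prf(); output is 2n bits."""
    R = [prg(s, b"R%d" % j, K_BYTES) for j in range(8)]
    return chained_hash(data, seed, lambda blocks: [R[j] + blocks[j] for j in range(8)])


if __name__ == "__main__":
    print(owhf(b"constructed sample input", b"example-seed").hex())
```

The seed plays the role the text assigns to the key that indexes the hash family: the same seed fills the tables and drives the u bits, so two parties sharing it compute the same function while a different seed yields an unrelated one. Note that an FFSS key is the XOR of b table rows selected by the groups of a block, which is why the example checks that behaviour directly; the butterfly wiring follows the gate numbering of FIG. 4 so that each output half depends on all 2n input bits through two PRF layers.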
It is to be understood that the above-described embodiment is simply illustrative of the principles in accordance with the present invention. Other embodiments may be readily devised by those skilled in the art which may embody the principles in spirit and scope. Thus, it is to be further understood that the circuit arrangements described herein are not limited to the specific forms shown by way of illustration, but may assume other embodiments limited only by the scope of the appended claims.
It is also assumed that a cryptographically strong pseudo-random generator (PRG) is given; such a generator produces a sequence of pseudo-random bits. The cryptographically secure PRG is used to fill tables in a pre-processing step, as will be elucidated in detail below. Furthermore, the PRG will also be accessible during the processing whenever pseudo-random bits are needed during the computation of the OWHF. Generally, a key is used as a seed to the PRG. Thus, members of the instant OW hash function family are indexed by a key. Accordingly, all of the OWHF implementations below are parameterized by this seed, but for the sake of notational simplicity this parameter will remain implicit.
It is assumed that the incoming data, expressed in bits, is broken into blocks. For illustrative purposes, reference is made to FIG. 1, wherein block β1 (reference numeral 101) is shown as being composed of b groupings designated {c1(1), c2(1), ..., cb(1)}. Similarly, block β2 (reference numeral 102) is shown as being composed of b groupings designated {c1(2), c2(2), ..., cb(2)}. As further depicted by illustrative group c1(1) (reference numeral 111), each group is composed of m bits; for group c1(1), the m bits are shown illustratively as {0,1,1,0,...,0,1}. Also it is assumed that the input data bit stream is padded so that it can be broken into blocks as needed. For instance, with reference to FIG. 2, block β8 (reference numeral 201) is shown as having the last three groups cb-2(8), cb-1(8), and cb(8) padded with zeros ("0"), that is, all m bits are zero for the group (see, for example, reference numeral 202).
Again with reference to FIG. 1, the initial portion of the input data bit stream is shown as being partitioned into eight blocks β1, β2, ..., β8 called the initial partition (reference numeral 121). Another partition of the input bit stream can be effected on the next incoming bits to yield a second partition; this next partition is also composed of eight blocks (again called β1, β2, ..., β8 without loss of generality). The next incoming bits following this second partition can be subdivided into eight blocks to yield yet another next partition in terms of a time sequence. Thus the partitions, eight blocks at a time, form a sequence of partitions having an initial partition, followed by a next partition, then followed by yet another next partition, and so forth until the hash input is exhausted. Groupings of eight blocks are referred to as "super-blocks" in the sequel, and the utility of super-blocks will be explained in detail then. It follows, for example, that the first super-block is composed of blocks β1, β2, ..., β8 of the initial partition 121. The hash input is composed of the input data concatenated with some standard padding which makes the hash input length an integral multiple of the length of a super-block. For example, the input data can be concatenated with the input data length and the requisite additional blank symbols.
With this introductory nomenclature defined, two basic building block components can be readily described.
Butterfly Pseudo-Random Function:
A butterfly pseudo-random function (B-PRF) is a pseudo-random function (PRF) from 2n bits to 2n bits with key K. The B-PRF is implemented illustratively from eight PRF's from n bits to n bits, wherein K is the concatenation of eight keys each of length k. The B-PRF is denoted BK.
Finite Field Subset-sum (FFSS) Hashing:
FFSS hashing is a hash function that randomly maps a block of data β (such as βi, i=1, 2, ..., or 8 of FIG. 1) into a key of length k bits. The FFSS hashing is denoted S(β), so k = S(β).
To generate the OWHF, the following sequence of steps is carried out. The first step in generating the OWHF h takes the initial eight blocks of data β1, β2, ..., β8 (reference numerals 101-108 of FIG. 1) to 2n bits as follows. First, eight keys are computed by applying S(β) to each block. The results are concatenated to produce the key K for BK. Next a random input u of 2n bits for BK is supplied by the given PRG. The initial hash value is then simply BK(u). Symbolically,

$K = S(\beta_1) \,\|\, S(\beta_2) \,\|\, S(\beta_3) \,\|\, S(\beta_4) \,\|\, S(\beta_5) \,\|\, S(\beta_6) \,\|\, S(\beta_7) \,\|\, S(\beta_8)$, (1)

where $\|$ denotes concatenation, and

$u = \mathrm{PRG}(\cdot), \quad u \in \{0,1\}^{2n}$, (2)

and finally

$h = B_K(u)$. (3)

Computing the hash value for the first two super-blocks is done as follows. After computing h from the first super-block as above, apply the FFSS hash to the second super-block of the data to generate a second key, K'. Use the given PRG to generate a second 2n-bit output u' from the PRG. Now the hash value for the first and second super-blocks is

$h' = B_{K'}(h \oplus u')$, (4)

where $\oplus$ stands for bitwise exclusive-OR. In general, if h is the value of the hash function of the first (i-1) super-blocks, then the value of the hash function of the first i super-blocks is given by the formula in equation (4), where K' is the key generated by applying FFSS hashing to the ith super-block and u' is the ith 2n-bit output of the given PRG.
Details of FFSS Hashing
Initialization:
Let Ti, i=1, 2, ..., b be a binary table of size 2^m rows and k columns. Then, for i=1, 2, ..., b, each table Ti is filled with pseudo-random bits in a pre-processing step, that is,

$T_i = \mathrm{PRG}(\cdot), \quad i = 1, 2, \ldots, b$. (5)

FFSS hashing:
Let a block of data be denoted generically by βj = c1(j), c2(j), ..., cb(j) (see, for example, β1 (reference numeral 101) in FIG. 1). Let Ti[n] be the n-th row of the matrix Ti. Now the hash function S(βj) corresponding to key kj is given by:

$S(\beta_j) = \bigoplus_{i=1}^{b} T_i[c_i(j)]$, (6)

where $\oplus$ stands for bitwise exclusive-OR with i ranging over 1, 2, ..., b.
Circuitry 300 is an illustrative embodiment of FFSS hashing. Tables 301, 302, ..., 303 are filled in a pre-processing step using a cryptographically strong PRG. Each table Ti has 2^m rows and k columns. For the preferred embodiment, m=8 (i.e., there are 256 rows) and k=768 columns. To generate, for a given super-block of eight blocks, each key kj, j=1, 2, ..., 8 corresponding to each of the blocks in the super-block, the key is produced as follows: (1) the bits corresponding to group c1(j), on bus 311, are used to select a row from the first table 301, and the k bits in the table located in this row are output via bus 321 and serve as one input to exclusive-OR gate 331; (2) the bits
Claims (13)
1. A method for iteratively generating output bits corresponding to a cryptographic hash function of input bits, the method producing at each iteration a current hash function, the method utilizing a butterfly generator responsive to a set of keys, and a universal hash function generator arrangement to generate the set of keys, the method, for each iteration, comprising the steps of (a) partitioning the input bits into a new set of blocks and processing the new set of blocks with the universal hash function generator arrangement to produce a new set of keys, (b) inputting the new set of keys to the butterfly generator, (c) generating a set of bits, (d) generating the exclusive-OR of the set of bits and the fed-back output of the butterfly generator to produce a set of exclusively-ORed bits, and (e) processing the set of exclusively-ORed bits by the butterfly generator, wherein the output of the butterfly generator having the set of exclusively-ORed bits as input is the current hash function, and wherein the output of the butterfly generator upon the processing of all input bits is the cryptographic hash function.
2. The method as recited in claim 1 wherein the processing by the butterfly generator generates 2n outgoing bits from 2n incoming bits partitioned into a first incoming set of n bits and a second incoming set of n bits, the butterfly generator utilizing eight n-bit pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key, of length k, obtained from a corresponding one of the new set of keys, the method further comprising the steps of identifying the 2n incoming bits with the exclusively-ORed bits, inputting the first incoming set to the generators G(1) and G(2), inputting the second incoming set to the generators G(3) and G(4), generating a first intermediate set of n bits as the exclusive-OR of the outputs of the generators G(1) and G(3), generating a second intermediate set of n bits as the exclusive-OR of the outputs of the generators G(2) and G(4), inputting the first intermediate set to the generators G(5) and G(6), inputting the second intermediate set to the generators G(7) and G(8), generating the first n outgoing bits as the exclusive-OR of the outputs of the generators G(5) and G(7), and generating the second n outgoing bits as the exclusive-OR of the outputs of the generators G(6) and G(8), wherein the 2n outgoing bits equate to the current hash function.
3. The method as recited in claim 1 wherein the processing by the butterfly generator generates 2n outgoing bits from 2n incoming bits partitioned into a first incoming set of n bits and a second incoming set of n bits, the butterfly generator utilizing eight n-bit universal hash function or pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key, of length k, obtained from a corresponding one of the new set of keys, the method further comprising the steps of identifying the 2n incoming bits with the exclusively-ORed bits, inputting the first incoming set to the generators G(1) and G(2), inputting the second incoming set to the generators G(3) and G(4), generating a first intermediate set of n bits as the exclusive-OR of the outputs of the generators G(1) and G(3), generating a second intermediate set of n bits as the exclusive-OR of the outputs of the generators G(2) and G(4), inputting the first intermediate set to the generators G(5) and G(6), inputting the second intermediate set to the generators G(7) and G(8), generating the first n outgoing bits as the exclusive-OR of the outputs of the generators G(5) and G(7), and generating the second n outgoing bits as the exclusive-OR of the outputs of the generators G(6) and G(8), wherein the 2n outgoing bits equate to the current hash function.
4. The method as recited in claim 1 wherein the universal hash function generator arrangement is a finite field subset-sum generator arrangement and wherein the step of processing by the universal hash function generator arrangement includes the step of processing by the finite field subset-sum generator arrangement to generate the set of keys identified by k1, k2, ..., k8, each of length k, the finite field subset-sum generator arrangement being composed of eight finite field subset-sum generators, each of the generators utilizing b random bit tables T1, T2, ..., Tb with each table having 2^m rows and k columns, and wherein the step of partitioning includes the step of partitioning the input bits into eight blocks of 8mb bits to produce the new blocks, the eight blocks being designated β1, β2, ..., β8, with each of the blocks having b m-bit groups ci(j) such that {c1(1), c2(1), ..., cb(1)} corresponds to β1, {c1(2), c2(2), ..., cb(2)} corresponds to β1, ..., and {c1(8), c2(8), ..., cb(8)} corresponds to β8, and wherein the step of processing by the universal hash function generator arrangement includes the steps, for each j, j=1,2,...,8, of selecting a row from each table Ti in correspondence to each group ci(j), i=1, 2, ..., b, and of evaluating the bitwise exclusive-OR of said b selected rows to generate the corresponding key kj.
5. A method for iteratively generating output bits corresponding to a cryptographic hash function of input bits, the method producing at each iteration a current hash function, the method utilizing a butterfly generator responsive to a set of keys, and a universal hash function generator arrangement to generate the set of keys, the method comprising the steps of (a) partitioning the input bits into a new set of blocks and processing the new set of blocks with the universal hash function generator arrangement to produce a new set of keys, (b) inputting the new set of keys to the butterfly generator, (c) generating a set of bits, (d) generating the exclusive-OR of the set of bits and the fed-back output of the butterfly generator to produce a set of exclusively-ORed bits, and (e) processing the set of exclusively-ORed bits by the butterfly generator, and (f) if more input bits remain to be partitioned, returning to step (a);
otherwise, equating the cryptographic hash function of the input bits to the current hash function.
6. The method as recited in claim 5 wherein the processing by the butterfly generator generates 2n outgoing bits from 2n incoming bits partitioned into a first incoming set of n bits and a second incoming set of n bits, the butterfly generator utilizing eight n-bit pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key, of length k, obtained from a corresponding one of the new set of keys, the method further comprising the steps of identifying the 2n incoming bits with the exclusively-ORed bits, inputting the first incoming set to the generators G(1) and G(2), inputting the second incoming set to the generators G(3) and G(4), generating a first intermediate set of n bits as the exclusive-OR of the outputs of the generators G(1) and G(3), generating a second intermediate set of n bits as the exclusive-OR of the outputs of the generators G(2) and G(4), inputting the first intermediate set to the generators G(5) and G(6), inputting the second intermediate set to the generators G(7) and G(8), generating the first n outgoing bits as the exclusive-OR of the outputs of the generators G(5) and G(7), and generating the second n outgoing bits as the exclusive-OR of the outputs of the generators G(6) and G(8), wherein the 2n outgoing bits equate to the current hash function.
7. The method as recited in claim 5 wherein the processing by the butterfly generator generates 2n outgoing bits from 2n incoming bits partitioned into a first incoming set of n bits and a second incoming set of n bits, the butterfly generator utilizing eight n-bit universal hash function or pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key, of length k, obtained from a corresponding one of the new set of keys, the method further comprising the steps of identifying the 2n incoming bits with the exclusively-ORed bits, inputting the first incoming set to the generators G(1) and G(2), inputting the second incoming set to the generators G(3) and G(4), generating a first intermediate set of n bits as the exclusive-OR of the outputs of the generators G(1) and G(3), generating a second intermediate set of n bits as the exclusive-OR of the outputs of the generators G(2) and G(4), inputting the first intermediate set to the generators G(5) and G(6), inputting the second intermediate set to the generators G(7) and G(8), generating the first n outgoing bits as the exclusive-OR of the outputs of the generators G(5) and G(7), and generating the second n outgoing bits as the exclusive-OR of the outputs of the generators G(6) and G(8), wherein the 2n outgoing bits equate to the current hash function.
8. The method as recited in claim 5 wherein the universal hash function generator arrangement is a finite field subset-sum generator arrangement and wherein the step of processing by the universal hash function generator arrangement includes the step of processing by the finite field subset-sum generator arrangement to generate the set of keys identified by k1, k2, ..., k8, each of length k, the finite field subset-sum generator arrangement being composed of eight finite field subset-sum generators, each of the generators utilizing b random bit tables T1, T2, ..., Tb with each table having 2^m rows and k columns, and wherein the step of partitioning includes the step of partitioning the input bits into eight blocks of 8mb bits to produce the new blocks, the eight blocks being designated .beta.1, .beta.2, ..., .beta.8, with each of the blocks having b m-bit groups ci(j) such that {c1(1), c2(1), ..., cb(1)} corresponds to .beta.1, {c1(2), c2(2), ..., cb(2)} corresponds to .beta.2, ..., and {c1(8), c2(8), ..., cb(8)} corresponds to .beta.8, and wherein the step of processing by the universal hash function generator arrangement includes the steps, for each j, j=1,2,...,8, of selecting a row from each table Ti in correspondence to each group ci(j), i=1, 2, ..., b, and of evaluating the bitwise exclusive-OR of said b selected rows to generate the corresponding key kj.
9. A method for generating output bits corresponding to a cryptographic hash function of input bits, the method utilizing eight n-bit pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key k1, k2, ..., k8 of length k, the method further utilizing b random bit tables T1, T2, ..., Tb with each table having 2^m rows and k columns, the method comprising the steps of (a) partitioning the initial 8mb bits of the input bits into eight blocks, designated .beta.1, .beta.2, ..., .beta.8, with each of the blocks having b m-bit groups ci(j) as the current input groups such that {c1(1), c2(1), ..., cb(1)} corresponds to .beta.1, {c1(2), c2(2), ..., cb(2)} corresponds to .beta.2, ..., and {c1(8), c2(8), ..., cb(8)} corresponds to .beta.8, and proceeding to step (c), (b) partitioning the next 8mb bits of the input bits into eight blocks, designated .beta.1, .beta.2, ..., .beta.8, with each of the blocks having b m-bit groups ci(j) as the current input groups wherein {c1(1), c2(1), ..., cb(1)} corresponds to .beta.1, {c1(2), c2(2), ..., cb(2)} corresponds to .beta.2, ..., and {c1(8), c2(8), ..., cb(8)} corresponds to .beta.8, (c) for each j, j=1,2,...,8, selecting a row from each table Ti in correspondence to each current group ci(j), i=1, 2, ..., b, and evaluating the bitwise exclusive-OR of said b selected rows to generate a corresponding key kj, (d) generating 2n pseudo-random bits partitioned into a first pseudo-random set of n bits and a second pseudo-random set of n bits, (e) inputting the first pseudo-random set and the respective keys k1 and k2 to the generators G(1) and G(2), (f) inputting the second pseudo-random set and the respective keys k3 and k4 to the generators G(3) and G(4), (g) generating a first intermediate set of n bits as the bitwise exclusive-OR of the outputs of the generators G(1) and G(3), (h) generating a second intermediate set of n bits as the bitwise exclusive-OR of the outputs of the generators G(2) and G(4), (i) inputting the first intermediate set and the respective keys k5 and k6 to the generators G(5) and G(6), (j) inputting the second intermediate set and the respective keys k7 and k8 to the generators G(7) and G(8), (k) generating the first n bits of the current output bits as the bitwise exclusive-OR of the outputs of the generators G(5) and G(7), (l) generating the second n bits of the current output bits as the bitwise exclusive-OR of the outputs of the generators G(6) and G(8), (m) forming the output bits corresponding to the cryptographic hash function as the bitwise exclusive-OR of the current output bits generated sequentially by steps (k) and (l), and (n) returning to step (b) if more input bits can be partitioned.
10. A method for generating 2n output bits from 2n input bits partitioned into a first input set of n bits and a second input set of n bits, the method utilizing eight n-bit pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key of length k, the method comprising the steps of inputting the first input set to the generators G(1) and G(2), inputting the second input set to the generators G(3) and G(4), generating a first intermediate set of n bits as the exclusive-OR of the outputs of the generators G(1) and G(3), generating a second intermediate set of n bits as the exclusive-OR of the outputs of the generators G(2) and G(4), inputting the first intermediate set to the generators G(5) and G(6), inputting the second intermediate set to the generators G(7) and G(8), generating the first n output bits as the exclusive-OR of the outputs of the generators G(5) and G(7), and generating the second n output bits as the exclusive-OR of the outputs of the generators G(6) and G(8).
11. A method for generating 2n output bits from 2n input bits partitioned into a first input set of n bits and a second input set of n bits, the method utilizing eight n-bit universal hash function or pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key of length k, the method comprising the steps of inputting the first input set to the generators G(1) and G(2), inputting the second input set to the generators G(3) and G(4), generating a first intermediate set of n bits as the exclusive-OR of the outputs of the generators G(1) and G(3), generating a second intermediate set of n bits as the exclusive-OR of the outputs of the generators G(2) and G(4), inputting the first intermediate set to the generators G(5) and G(6), inputting the second intermediate set to the generators G(7) and G(8), generating the first n output bits as the exclusive-OR of the outputs of the generators G(5) and G(7), and generating the second n output bits as the exclusive-OR of the outputs of the generators G(6) and G(8).
12. A method for generating a key of length k from mb input bits, the method defining a finite field subset-sum generator, the method comprising the steps of generating b random bit tables T1, T2, ..., Tb with each table having 2^m rows and k columns, arranging the mb input bits as b m-bit groups designated ci, i=1, 2, ..., b, selecting a row from each table Ti in correspondence to each group ci, i=1, 2, ..., b, and evaluating the bitwise exclusive-OR of said b selected rows to generate the key.
13. Circuitry for generating output bits corresponding to a cryptographic hash function of input bits, the circuitry utilizing eight n-bit pseudo-random function generators G(1), G(2), ..., G(8), each of the generators having a corresponding input key k1, k2, ..., k8 of length k, the circuitry further utilizing b random bit tables T1, T2, ..., Tb with each table having 2^m rows and k columns, the circuitry comprising (a) means, responsive to the input bits, for partitioning the initial 8mb bits of the input bits into eight blocks, designated .beta.1, .beta.2, ..., .beta.8, with each of the blocks having b m-bit groups ci(j) as the current input groups such that {c1(1), c2(1), ..., cb(1)} corresponds to .beta.1, {c1(2), c2(2), ..., cb(2)} corresponds to .beta.2, ..., and {c1(8), c2(8), ..., cb(8)} corresponds to .beta.8, and proceeding to step (c), (b) means, responsive to the input bits, for partitioning the next 8mb bits of the input bits into eight blocks, designated .beta.1, .beta.2, ..., .beta.8, with each of the blocks having b m-bit groups ci(j) as the current input groups wherein {c1(1), c2(1), ..., cb(1)} corresponds to .beta.1, {c1(2), c2(2), ..., cb(2)} corresponds to .beta.2, ..., and {c1(8), c2(8), ..., cb(8)} corresponds to .beta.8, (c) means, responsive to each means for partitioning, for selecting for each j, j=1,2,...,8, a row from each table Ti in correspondence to each current group ci(j), i=1, 2, ..., b, and for evaluating the bitwise exclusive-OR of said b selected rows to generate a corresponding key kj, (d) means, responsive to the means for selecting and for evaluating, for generating 2n pseudo-random bits partitioned into a first pseudo-random set of n bits and a second pseudo-random set of n bits, (e) means for inputting the first pseudo-random set and the respective keys k1 and k2 to the generators G(1) and G(2), (f) means for inputting the second pseudo-random set and the respective keys k3 and k4 to the generators G(3) and G(4), (g) means for generating a first intermediate set of n bits as the bitwise exclusive-OR of the outputs of the generators G(1) and G(3), (h) means for generating a second intermediate set of n bits as the bitwise exclusive-OR of the outputs of the generators G(2) and G(4), (i) means for inputting the first intermediate set and the respective keys k5 and k6 to the generators G(5) and G(6), (j) means for inputting the second intermediate set and the respective keys k7 and k8 to the generators G(7) and G(8), (k) means for generating the first n bits of the current output bits as the bitwise exclusive-OR of the outputs of the generators G(5) and G(7), (l) means for generating the second n bits of the current output bits as the bitwise exclusive-OR of the outputs of the generators G(6) and G(8), (m) means for forming the output bits corresponding to the hash function as the bitwise exclusive-OR of the current output bits generated sequentially by steps (k) and (l), and (n) means for returning to step (b) if more input bits can be partitioned.
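The construction of claims 9 through 13 carried through in Python, as an added example that is not code from the patent or its assignee: claim 12's subset-sum key derivation feeds claim 10's butterfly, and claim 9 step (m) XORs the per-pass outputs. The n-bit generators G(j) are stood in for by HMAC-SHA256 truncated to n bits, the 2n pseudo-random bits of step (d) are drawn from a fixed public seed plus the pass index, and the parameter values, table seed and messages are constructed; none of these choices is specified by the claims.

```python
"""Claims 9-13 as runnable code: subset-sum key derivation (claim 12) feeding
an eight-generator butterfly (claim 10), per-pass outputs XORed (claim 9, (m))."""
import hashlib
import hmac
import random
from typing import List, Tuple

# Parameters chosen for this example; the claims leave n, k, m and b open.
N_BITS = 128      # n: input/output width of each generator G(j)
K_BITS = 128      # k: key length, i.e. the number of table columns
M_BITS = 8        # m: each table T_i has 2**m rows, indexed by an m-bit group
B_TABLES = 16     # b: tables per subset-sum generator
N_BYTES, K_BYTES = N_BITS // 8, K_BITS // 8
BLOCK_BYTES = M_BITS * B_TABLES // 8   # mb bits in one block beta_j
CHUNK_BYTES = 8 * BLOCK_BYTES          # 8mb bits consumed by one pass


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_tables(seed: int) -> List[List[bytes]]:
    """b tables of 2**m rows by k random bits (claim 12). Seeded here only so
    the example is reproducible; real tables must come from a true RNG."""
    rng = random.Random(seed)
    return [[rng.getrandbits(K_BITS).to_bytes(K_BYTES, "big")
             for _ in range(1 << M_BITS)] for _ in range(B_TABLES)]


def m_bit_groups(block: bytes) -> List[int]:
    """Split an mb-bit block into its b m-bit groups c_1..c_b (big-endian)."""
    value = int.from_bytes(block, "big")
    mask = (1 << M_BITS) - 1
    return [(value >> (M_BITS * (B_TABLES - 1 - i))) & mask for i in range(B_TABLES)]


def subset_sum_key(tables: List[List[bytes]], block: bytes) -> bytes:
    """Claim 12: select row c_i of table T_i for each group, XOR the b rows."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly mb bits")
    key = bytes(K_BYTES)
    for table, c in zip(tables, m_bit_groups(block)):
        key = xor(key, table[c])
    return key


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for an n-bit keyed PRF generator G(j). The claims do not name
    one; HMAC-SHA256 truncated to n bits is this example's assumption."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def butterfly(keys: List[bytes], x1: bytes, x2: bytes) -> Tuple[bytes, bytes]:
    """Claim 10: 2n bits in, 2n bits out, through G(1)..G(8) keyed by k1..k8."""
    k1, k2, k3, k4, k5, k6, k7, k8 = keys
    y1 = xor(prf(k1, x1), prf(k3, x2))   # first intermediate set
    y2 = xor(prf(k2, x1), prf(k4, x2))   # second intermediate set
    out1 = xor(prf(k5, y1), prf(k7, y2))
    out2 = xor(prf(k6, y1), prf(k8, y2))
    return out1, out2


def pass_input(seed: bytes, index: int) -> Tuple[bytes, bytes]:
    """Step (d): the 2n pseudo-random bits for one pass. The claims only say
    they are generated; here they come from a fixed public seed and the pass
    index, so passes at different positions feed different bits to the butterfly."""
    r = hmac.new(seed, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return r[:N_BYTES], r[N_BYTES:2 * N_BYTES]


def hash_message(tables: List[List[bytes]], seed: bytes, msg: bytes) -> bytes:
    """Claim 9: partition into 8mb-bit chunks (a)/(b), derive k1..k8 (c),
    run the butterfly (e)-(l), XOR the per-pass outputs (m), loop (n)."""
    if not msg or len(msg) % CHUNK_BYTES:
        raise ValueError("message length must be a non-zero multiple of 8mb bits;"
                         " the claims do not define padding")
    digest = bytes(2 * N_BYTES)
    for t in range(len(msg) // CHUNK_BYTES):
        chunk = msg[t * CHUNK_BYTES:(t + 1) * CHUNK_BYTES]
        blocks = [chunk[j * BLOCK_BYTES:(j + 1) * BLOCK_BYTES] for j in range(8)]
        keys = [subset_sum_key(tables, blk) for blk in blocks]
        out1, out2 = butterfly(keys, *pass_input(seed, t))
        digest = xor(digest, out1 + out2)
    return digest


if __name__ == "__main__":
    T = make_tables(seed=7)                 # constructed tables
    R = b"public-seed-for-step-d"           # constructed seed for step (d)
    print(hash_message(T, R, bytes(range(256))).hex())
```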
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US08/559,213 | 1995-11-16 | ||
US08/559,213 US5608801A (en) | 1995-11-16 | 1995-11-16 | Efficient cryptographic hash functions and methods for amplifying the security of hash functions and pseudo-random functions |
PCT/US1996/017449 WO1997018652A1 (en) | 1995-11-16 | 1996-10-31 | Efficient cryptographic hash functions and methods for amplifying the security of hash functions and pseudo-random functions |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2237941A1 CA2237941A1 (en) | 1997-05-22 |
CA2237941C true CA2237941C (en) | 2001-02-27 |
Family
ID=24232739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002237941A Expired - Fee Related CA2237941C (en) | 1995-11-16 | 1996-10-31 | Efficient cryptographic hash functions and methods for amplifying the security of hash functions and pseudo-random functions |
Country Status (5)
Country | Link |
---|---|
US (1) | US5608801A (en) |
EP (1) | EP0861539A4 (en) |
JP (1) | JP3187843B2 (en) |
CA (1) | CA2237941C (en) |
WO (1) | WO1997018652A1 (en) |
Families Citing this family (73)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5727063A (en) * | 1995-11-27 | 1998-03-10 | Bell Communications Research, Inc. | Pseudo-random generator |
US5754659A (en) * | 1995-12-22 | 1998-05-19 | General Instrument Corporation Of Delaware | Generation of cryptographic signatures using hash keys |
GB9601924D0 (en) * | 1996-01-31 | 1996-04-03 | Certicom Corp | Transaction verification protocol for smart cards |
US5822737A (en) * | 1996-02-05 | 1998-10-13 | Ogram; Mark E. | Financial transaction system |
US5778069A (en) * | 1996-04-10 | 1998-07-07 | Microsoft Corporation | Non-biased pseudo random number generator |
GB9621274D0 (en) * | 1996-10-11 | 1996-11-27 | Certicom Corp | Signature protocol for mail delivery |
US5949884A (en) * | 1996-11-07 | 1999-09-07 | Entrust Technologies, Ltd. | Design principles of the shade cipher |
US5943248A (en) * | 1997-01-17 | 1999-08-24 | Picturetel Corporation | w-bit non-linear combiner for pseudo-random number generation |
US5983252A (en) * | 1997-01-17 | 1999-11-09 | Picturetel Corporation | Pseudo-random number generator capable of efficiently exploiting processors having instruction-level parallelism and the use thereof for encryption |
US6081893A (en) * | 1997-05-28 | 2000-06-27 | Symantec Corporation | System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record |
US7096192B1 (en) | 1997-07-28 | 2006-08-22 | Cybersource Corporation | Method and system for detecting fraud in a credit card transaction over a computer network |
US7403922B1 (en) * | 1997-07-28 | 2008-07-22 | Cybersource Corporation | Method and apparatus for evaluating fraud risk in an electronic commerce transaction |
US5919257A (en) * | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US6373948B1 (en) * | 1997-08-15 | 2002-04-16 | Lucent Technologies Inc. | Cryptographic method and apparatus for restricting access to transmitted programming content using program identifiers |
GB2329096A (en) * | 1997-08-29 | 1999-03-10 | Ncipher Limited | Creating sub-keys from hashed cryptographic master key |
JP3092567B2 (en) * | 1997-10-31 | 2000-09-25 | 日本電気株式会社 | Method and apparatus for generating encryption key |
US6151676A (en) * | 1997-12-24 | 2000-11-21 | Philips Electronics North America Corporation | Administration and utilization of secret fresh random numbers in a networked environment |
US6091821A (en) * | 1998-02-12 | 2000-07-18 | Vlsi Technology, Inc. | Pipelined hardware implementation of a hashing algorithm |
US5974144A (en) * | 1998-02-25 | 1999-10-26 | Cipheractive Ltd. | System for encryption of partitioned data blocks utilizing public key methods and random numbers |
US6504941B2 (en) * | 1998-04-30 | 2003-01-07 | Hewlett-Packard Company | Method and apparatus for digital watermarking of images |
US6275919B1 (en) * | 1998-10-15 | 2001-08-14 | Creative Technology Ltd. | Memory storage and retrieval with multiple hashing functions |
US6735313B1 (en) | 1999-05-07 | 2004-05-11 | Lucent Technologies Inc. | Cryptographic method and apparatus for restricting access to transmitted programming content using hash functions and program identifiers |
US6826687B1 (en) * | 1999-05-07 | 2004-11-30 | International Business Machines Corporation | Commitments in signatures |
US6701434B1 (en) * | 1999-05-07 | 2004-03-02 | International Business Machines Corporation | Efficient hybrid public key signature scheme |
US7509420B2 (en) * | 2000-02-18 | 2009-03-24 | Emc Corporation | System and method for intelligent, globally distributed network storage |
FR2810481B1 (en) * | 2000-06-20 | 2003-04-04 | Gemplus Card Int | CONTROL OF ACCESS TO A DATA PROCESSING MEANS |
GB2364404B (en) * | 2000-07-01 | 2002-10-02 | Marconi Comm Ltd | Method of detecting malicious code |
US20020032551A1 (en) * | 2000-08-07 | 2002-03-14 | Jabari Zakiya | Systems and methods for implementing hash algorithms |
JP2002132148A (en) * | 2000-10-26 | 2002-05-09 | Sangikyou:Kk | Compression method for digital signature |
US6810398B2 (en) * | 2000-11-06 | 2004-10-26 | Avamar Technologies, Inc. | System and method for unorchestrated determination of data sequences using sticky byte factoring to determine breakpoints in digital sequences |
US7571199B1 (en) | 2000-11-15 | 2009-08-04 | Microsoft Corporation | Method and apparatus for generating random numbers |
US6829355B2 (en) * | 2001-03-05 | 2004-12-07 | The United States Of America As Represented By The National Security Agency | Device for and method of one-way cryptographic hashing |
US7865427B2 (en) | 2001-05-30 | 2011-01-04 | Cybersource Corporation | Method and apparatus for evaluating fraud risk in an electronic commerce transaction |
US7050582B1 (en) * | 2001-06-18 | 2006-05-23 | Lsi Logic Corporation | Pseudo-random one-to-one circuit synthesis |
US7564970B2 (en) * | 2004-08-12 | 2009-07-21 | Cmla, Llc | Exponential data transform to enhance security |
US8077861B2 (en) | 2004-08-12 | 2011-12-13 | Cmla, Llc | Permutation data transform to enhance security |
US7577250B2 (en) * | 2004-08-12 | 2009-08-18 | Cmla, Llc | Key derivation functions to enhance security |
US20030053622A1 (en) * | 2001-09-20 | 2003-03-20 | Aiden Bruen | Method for the construction of hash functions based on sylvester matrices, balanced incomplete block designs and error-correcting codes |
US7526654B2 (en) * | 2001-10-16 | 2009-04-28 | Marc Charbonneau | Method and system for detecting a secure state of a computer system |
US20040015676A1 (en) * | 2002-07-17 | 2004-01-22 | Pierre-Yvan Liardet | Sharing of a logic operator having a work register |
US20040193763A1 (en) | 2003-03-28 | 2004-09-30 | Fujitsu Limited | Inter-bus communication interface device and data security device |
US7921300B2 (en) * | 2003-10-10 | 2011-04-05 | Via Technologies, Inc. | Apparatus and method for secure hash algorithm |
US7698557B2 (en) * | 2003-12-22 | 2010-04-13 | Guardtime As | System and method for generating a digital certificate |
AU2004319170B2 (en) * | 2004-05-03 | 2008-05-01 | Blackberry Limited | System and method for generating reproducible session keys |
US20080282331A1 (en) * | 2004-10-08 | 2008-11-13 | Advanced Network Technology Laboratories Pte Ltd | User Provisioning With Multi-Factor Authentication |
US8183980B2 (en) * | 2005-08-31 | 2012-05-22 | Assa Abloy Ab | Device authentication using a unidirectional protocol |
EP1798888B1 (en) * | 2005-12-19 | 2011-02-09 | St Microelectronics S.A. | DES-algorithm execution protection |
US8122247B2 (en) * | 2006-10-23 | 2012-02-21 | Alcatel Lucent | Processing method for message integrity with tolerance for non-sequential arrival of message data |
WO2008108828A2 (en) * | 2006-10-23 | 2008-09-12 | Lucent Technologies Inc. | Processing method for message integrity with tolerance for non-sequential arrival of message data |
US8204216B2 (en) * | 2006-10-23 | 2012-06-19 | Alcatel Lucent | Processing method for message integrity with tolerance for non-sequential arrival of message data |
WO2008064153A2 (en) * | 2006-11-21 | 2008-05-29 | Lucent Technologies Inc. | Processing method for message integrity with tolerance for non-sequential arrival of message data |
US8595273B2 (en) * | 2007-01-24 | 2013-11-26 | International Business Machines Corporation | Hash algorithm using randomization function |
US20090153290A1 (en) * | 2007-12-14 | 2009-06-18 | Farpointe Data, Inc., A California Corporation | Secure interface for access control systems |
US8156126B2 (en) * | 2008-07-14 | 2012-04-10 | Greenbytes, Inc. | Method for the allocation of data on physical media by a file system that eliminates duplicate data |
EP2316180A4 (en) | 2008-08-11 | 2011-12-28 | Assa Abloy Ab | Secure wiegand communications |
EP2157526B1 (en) * | 2008-08-14 | 2014-04-30 | Assa Abloy Ab | RFID reader with embedded attack detection heuristics |
WO2010151098A1 (en) * | 2009-06-22 | 2010-12-29 | Mimos Berhad | Cryptographic hash function |
WO2011119137A1 (en) | 2010-03-22 | 2011-09-29 | Lrdc Systems, Llc | A method of identifying and protecting the integrity of a set of source data |
KR20120092222A (en) * | 2011-02-11 | 2012-08-21 | 삼성전자주식회사 | Secure boot method and method of generating a secure boot image |
US9300472B2 (en) * | 2011-09-30 | 2016-03-29 | Nokia Technologies Oy | Method and apparatus for improving digital signatures |
GB2502140A (en) * | 2012-05-18 | 2013-11-20 | Omlis Ltd | System and method for transmitting data |
US9251377B2 (en) | 2012-12-28 | 2016-02-02 | Intel Corporation | Instructions processors, methods, and systems to process secure hash algorithms |
US8924741B2 (en) | 2012-12-29 | 2014-12-30 | Intel Corporation | Instruction and logic to provide SIMD secure hashing round slice functionality |
US10038550B2 (en) | 2013-08-08 | 2018-07-31 | Intel Corporation | Instruction and logic to provide a secure cipher hash round functionality |
US10503510B2 (en) | 2013-12-27 | 2019-12-10 | Intel Corporation | SM3 hash function message expansion processors, methods, systems, and instructions |
US9912481B2 (en) | 2014-03-27 | 2018-03-06 | Intel Corporation | Method and apparatus for efficiently executing hash operations |
US9317719B2 (en) | 2014-09-04 | 2016-04-19 | Intel Corporation | SM3 hash algorithm acceleration processors, methods, systems, and instructions |
US9658854B2 (en) | 2014-09-26 | 2017-05-23 | Intel Corporation | Instructions and logic to provide SIMD SM3 cryptographic hashing functionality |
US9558128B2 (en) | 2014-10-27 | 2017-01-31 | Seagate Technology Llc | Selective management of security data |
US9680651B2 (en) | 2014-10-27 | 2017-06-13 | Seagate Technology Llc | Secure data shredding in an imperfect data storage device |
US10452877B2 (en) | 2016-12-16 | 2019-10-22 | Assa Abloy Ab | Methods to combine and auto-configure wiegand and RS485 |
US11410078B2 (en) * | 2019-03-11 | 2022-08-09 | Nxp B.V. | Method and data processing system for making machine learning model more resistent to adversarial examples |
US11411743B2 (en) * | 2019-10-01 | 2022-08-09 | Tyson York Winarski | Birthday attack prevention system based on multiple hash digests to avoid collisions |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CH668340A5 (en) * | 1985-10-17 | 1988-12-15 | Bbc Brown Boveri & Cie | GENERATOR FOR GENERATING BINARY CIFFERENTIAL SEQUENCES. |
US5005200A (en) * | 1988-02-12 | 1991-04-02 | Fischer Addison M | Public key/signature cryptosystem with enhanced digital signature certification |
US4944009A (en) * | 1988-02-25 | 1990-07-24 | Massachusetts Institute Of Technology | Pseudo-random sequence generator |
US5224165A (en) * | 1988-10-25 | 1993-06-29 | Hughes Aircraft Company | High speed word generator |
US4928310A (en) * | 1989-07-17 | 1990-05-22 | Westinghouse Electric Corp. | Pseudorandom pulse code generators using electro-optical XOR gates |
US5432852A (en) * | 1993-09-29 | 1995-07-11 | Leighton; Frank T. | Large provably fast and secure digital signature schemes based on secure hash functions |
- 1995
  - 1995-11-16 US US08/559,213 patent/US5608801A/en not_active Expired - Lifetime
- 1996
  - 1996-10-31 CA CA002237941A patent/CA2237941C/en not_active Expired - Fee Related
  - 1996-10-31 WO PCT/US1996/017449 patent/WO1997018652A1/en not_active Application Discontinuation
  - 1996-10-31 EP EP96941950A patent/EP0861539A4/en not_active Withdrawn
  - 1996-10-31 JP JP51888597A patent/JP3187843B2/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
WO1997018652A1 (en) | 1997-05-22 |
JP3187843B2 (en) | 2001-07-16 |
EP0861539A1 (en) | 1998-09-02 |
EP0861539A4 (en) | 2000-08-16 |
CA2237941A1 (en) | 1997-05-22 |
US5608801A (en) | 1997-03-04 |
JPH11500241A (en) | 1999-01-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2237941C (en) | Efficient cryptographic hash functions and methods for amplifying the security of hash functions and pseudo-random functions | |
WO1997018652A9 (en) | Efficient cryptographic hash functions and methods for amplifying the security of hash functions and pseudo-random functions | |
US5365589A (en) | Method and apparatus for encryption, decryption and authentication using dynamical systems | |
Cha et al. | An efficient implementation of braid groups | |
Nyberg | Fast accumulated hashing | |
Malkin et al. | Efficient generic forward-secure signatures with an unbounded number of time periods | |
Shoup | Using hash functions as a hedge against chosen ciphertext attack | |
Rogaway | Bucket hashing and its application to fast message authentication | |
US5297207A (en) | Machine generation of cryptographic keys by non-linear processes similar to processes normally associated with encryption of data | |
CN101076968B (en) | Cryptographic primitives, error coding, and pseudo-random number improvement methods using quasigroups | |
US4996711A (en) | Selected-exponent signature systems | |
Pieprzyk et al. | Design of hashing algorithms | |
Goldreich | A note on computational indistinguishability | |
JPS58181350A (en) | Method and device for holding secret of digital communication in open communication channel | |
Mironov | Hash functions: From merkle-damgård to shoup | |
WO1993003559A1 (en) | Nonlinear dynamic substitution devices and methods for block substitutions | |
Knudsen et al. | Cryptanalysis of MDC-2 | |
Deepthi et al. | Design, implementation and analysis of hardware efficient stream ciphers using LFSR based hash functions | |
Sarkar | Hiji-bij-bij: A new stream cipher with a self-synchronizing mode of operation | |
Bakhtiari et al. | A message authentication code based on latin squares | |
Canetti et al. | Bounds on tradeoffs between randomness and communication complexity | |
Mihaljevic et al. | A family of fast dedicated one-way hash functions based on linear cellular automata over GF (q) | |
Miroschnyk et al. | Practical methods for de Bruijn sequences generation using non-linear feedback shift registers | |
Mitra et al. | Time-memory trade-off attacks on multiplications and T-functions | |
CN101202618A (en) | Method and apparatus for generating message summary by ring iterative structure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKLA | Lapsed |