CN102638344A - Method for constructing reinforced hash function based on compression function - Google Patents

Method for constructing reinforced hash function based on compression function

Info

Publication number: CN102638344A
Authority: CN (China)
Prior art keywords: reinforcing, function, compression function, compression, hash
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed): Granted
Application number: CN2012100738596A
Other languages: Chinese (zh)
Other versions: CN102638344B (en)
Inventors: 王勇, 汪华登, 蔡国永, 付莉, 陈智勇
Current assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Guilin University of Electronic Technology
Original assignee: Guilin University of Electronic Technology
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Application filed by Guilin University of Electronic Technology
Priority to CN201210073859.6A; publication of CN102638344A; application granted; publication of CN102638344B
Legal status: Active

Landscapes

  • Compression, Expansion, Code Conversion, And Decoders (AREA)

Abstract

The invention belongs to the field of information security, specifically cryptography, and relates to a method for reinforcing a hash function based on a compression function. The method reinforces the critical rounds of the hash function, namely the compression function of the first block and the compression function of the last block. Because most operations of existing hash functions work on single bits, the reinforcement adds multi-bit operations or uses an existing secure block cipher algorithm. Resistance to current differential cryptanalysis is the principal design goal, while other attacks such as the second-preimage attack are also considered; for the latter, an additional input variable, a simple compression of the information of all blocks, is added to the input of the last block's compression function. The advantages of this reinforcing method are that, because only the critical blocks are reinforced, the increase in computation grows little as the plaintext length grows, and because the cryptanalytic obstacle is placed at the most critical position, preimage attacks, collision attacks, second-preimage attacks and the like can be resisted effectively.

Description

A reinforced hash function construction method based on a compression function
Technical field
The invention belongs to the field of information security and relates to a method of constructing a one-way hash function based on a compression function.
Background technology
At the 2004 international cryptology conference, Wang Xiaoyun and others announced collision results for a series of hash functions, including MD4, MD5, HAVAL-128 and RIPEMD; among these, collisions for MD4 and RIPEMD can be found with complexity below 2^8 and 2^18 respectively. Wang Xiaoyun proposed a new set of analytic techniques for the MDx family of hash functions, gave a method for obtaining messages that satisfy the sufficient conditions of a differential path, and showed how message-modification techniques raise the success probability of a collision attack. In 2005, Wang Xiaoyun and others applied this technique to MD5, SHA-0 and SHA-1, with good results: collisions can be found quickly in practice. This attack technique poses a serious challenge to existing hash functions, and existing design methods need further improvement. Existing hash functions are iterative algorithms that use the same compression function in every iteration, and in these circumstances attacks such as collision attacks, preimage attacks and second-preimage attacks may exist.
Summary of the invention
Existing hash functions fall into two broad classes, built on a compression function and on a block cipher respectively. Taking the compression-function construction as the example: the plaintext message is padded, then divided into blocks, and each block in turn is compressed with the same compression function; the output after the last block is the hash value. This structure is simple and easy to understand and implement, but it has a certain irrationality. The first block, the intermediate blocks and the last block all use the same compression function, yet the first and last blocks are special. The first block has no preceding compression result, so a fixed initial value must take part in the computation; this value is a constant and gives the cryptanalyst no degree of freedom. The last block contains padding data and information about the message length, so it has greater redundancy and, unlike the data of the other blocks, is not completely free and random (leaving aside the redundancy of the plaintext itself). Such redundant data is unfavourable with respect to cryptanalysis, because for the cryptanalyst a choice for any bit is always better than no choice, and the last block contains the message-length information. The present invention therefore reinforces these two blocks, for the following reasons. First, they are the hardest part to break: a preimage attack on a hash function must invert every block, so reinforcing the hardest blocks makes the attack harder still. Second, they are the blocks that must exist; in the special case the first block is also the last block, and intermediate blocks may not exist at all, so reinforcing the blocks that must exist strengthens security. Third, for a very long plaintext, a large operation count per intermediate block makes computing the hash very expensive; the intermediate blocks should therefore be cheap and should not use the same compression function as the first and last blocks, and a relatively simple algorithm for the intermediate blocks with a relatively complex one for the first and last blocks is more acceptable. Fourth, the last block carries important information, namely the plaintext length. If this block could be broken at will, the analyst could set the length of the forged (colliding) message arbitrarily, which favours the attack: the cryptanalyst would choose the most favourable, most easily broken length, usually the shortest, so that the padded message does not exceed one block and the work of breaking it is smaller. Because a hash is a many-to-one mapping (for example a 512-bit block length and a 128-bit hash value), even with the message length fixed (the length field is 64 bits in some hash functions) there are on average a large number of messages of that length corresponding to any given hash value. This shows that the last block needs reinforcing. Fifth, most existing hash analyses look for collisions in the setting of two plaintext blocks or a single plaintext block; reinforcing the first and last blocks in this design means those analyses cannot bypass them.
In view of the above analysis and the defects of traditional hash functions, the present invention reinforces the first block and the last block, and the last block in particular should be given effective reinforcement: the first block uses a reinforced, relatively secure compression function F_1; the intermediate blocks use an ordinary compression function F_z; the last block uses a reinforced compression function F_n. The compression function F_n of the last block M_n is treated specially: it has an additional input variable Y, obtained by compressing all plaintext blocks, i.e. Y = F_y(M_1, M_2, ..., M_n), where F_y is a function with a low operation count, so that the final hash value is H_n = F_n(Y, M_n, H_{n-1}). The purpose of adding the compressed value Y as an input variable is to prevent collision attacks and second-preimage attacks that exploit weaknesses of the intermediate compression function. To keep the cost of computing Y low, a fairly simple function can be used, such as XORing all the blocks or a simple modular addition; when there is only one block, that block itself is used as Y.
The reinforcement can be chosen with the defects of existing hash functions in mind. For example, considering existing differential cryptanalysis, an S-box or other component resistant to differential analysis can be added to the original algorithm. Considering that most compression in existing hash functions consists of bit-level operations, components that compress many bits at once can be added to prevent bit tracking. And since existing block cipher designs are very secure and mature, these two blocks can use a compression method, or several operations, based on a symmetric algorithm. Considering that many existing differential analyses rely on two blocks using the same algorithm, the compression functions of the first and last blocks use different structures, and the last block's compression function F_n can be designed to be more complex and more secure; when the two blocks coincide, the function of the last block is chosen. To keep the hash structure simple, the reinforcement of these two blocks can add some operations on top of the compression function of the intermediate blocks, or apply the same compression function several times, with particular attention to adding components that resist differential analysis.
Description of drawings
Fig. 1 is a sketch of the hash iteration of the present invention.
Embodiment
The embodiment below takes the reinforcement of SHA-1 as its example.
The intermediate blocks still use the (not very secure) SHA-1 compression function F_z; as this function is well known, it is not described in detail here. The first block and the last block use different reinforced functions, F_1 and F_n. Like SHA-1, the reinforced algorithm is based on a compression function: it has a buffer that stores the 160-bit intermediate result of the computation and the final hash result H_i, where i is the block index; its inputs are the 512-bit plaintext block M_i and the intermediate result H_{i-1} of the previous block, and the last block has one additional input Y. The hash iteration can be written as follows: H_1 = F_1(M_1, H_0), where H_0 is the initial value of the buffer; H_i = F_i(M_i, H_{i-1}) for i greater than 1 and less than n; H_n = F_n(Y, M_n, H_{n-1}), where n is the number of blocks.
The reinforcement of the first block's compression function F_1 has two aspects, S-box substitution and left cyclic shift, applied both to the message block input and to the intermediate results in the buffer. First, S-box substitution is applied to the plaintext block M_1 to obtain M_s; the resulting 512-bit M_s is then cyclically shifted left by 4 bits as a whole to obtain M_s4, which is used as the input of the function F_ze, where F_ze is a reinforced version of the intermediate-block compression function F_z: H_1 = F_1(M_1, H_0) = F_ze(M_s4, H_0). Second, F_ze is obtained by reinforcing the original compression function F_z: between steps 20 and 21, between steps 40 and 41 and between steps 60 and 61 of F_z, the buffer contents are first S-box substituted and then cyclically shifted left. The SHA-1 compression function has 80 iteration steps in total; the reinforcement applies S-box substitution to the 160-bit buffer value obtained after steps 20, 40 and 60 respectively, then cyclically shifts the whole substituted value left by 12 bits; the 160-bit result, of the same length, remains in the buffer and takes part in the subsequent computation. The S-box and the left cyclic shift serve to resist existing hash analyses. The S-box of this embodiment is introduced below:
The S-box substitutes 8-bit units. Its computation steps are as follows: 1) transform each 8-bit unit of the message block into its multiplicative inverse in GF(2^8), with the binary value 00000000 mapped to 00000000 as a special case; 2) apply the following affine transformation to the result of the inversion:
All S-boxes used in the description above are the S-box just described, and the S-boxes used below are the same S-box.
Besides using the S-box to prevent bit tracking and differential analysis, the reinforcement of the last block also uses a varying algorithm, to prevent bit-level tracking and to prevent preimage attacks that set up equations on the basis of a fixed algorithm, because the input of the last function includes the compression Y of all plaintext blocks as well as the last block M_n. In this embodiment the compression function F_n is built on two applications of the intermediate-block compression function F_z, which makes the algorithm easy to implement: the class or library of the intermediate compression function can be called directly, reducing the complexity of the system. The reinforcement of the last block is as follows:
1) XOR all plaintext blocks one by one to obtain the final 512-bit compressed block Y, i.e. Y = M_1 xor M_2 xor ... xor M_{n-1} xor M_n. Apply the S-box substitution described above to Y to obtain M_Y; the S-box used is the same one. Divide the 512 bits of M_Y into 16-bit units and XOR these units together; divide the resulting 16-bit binary value into two 8-bit values in order, whose values are R_1 and R_2.
2) Cyclically shift M_Y, the result of S-box substitution of Y, left by R_1 bits to obtain M_Ym; compress the resulting binary data M_Ym with the compression function F_z, using H_{n-1} as the buffer, to obtain the new 160-bit intermediate result A_f = F_z(M_Ym, H_{n-1}).
3) Cyclically shift M_ns, the message obtained by S-box substitution of M_n, left by R_2 bits to obtain M_nsm; compress M_nsm with the compression function F_z, with the buffer set to the A_f calculated above, to obtain the result of this block, which is the final hash function value H_n = F_z(M_nsm, A_f).
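The iteration structure of the summary (H_1 = F_1(M_1, H_0), H_i = F_i(M_i, H_{i-1}), H_n = F_n(Y, M_n, H_{n-1})) and the three-step last-block procedure of the embodiment, carried through in Python as an added example written for this page; it is not the patent's or the inventors' code. It assumes SHA-1 padding, writes out a SHA-1 compression function inline to serve as F_z, and, because the affine transform of the page's S-box did not survive extraction, substitutes the AES S-box (GF(2^8) inverse followed by the AES affine map) for it; the names sha1_compress, first_block, last_block, reinforced_hash and the hook parameter are the example's own.

```python
import struct

# Added example (not the patent's code): the reinforced SHA-1 iteration of the
# embodiment. ASSUMED: the AES S-box stands in for the page's S-box (its affine
# matrix did not survive extraction); the padding rule is SHA-1's own.
MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def sha1_compress(block, state, hook=None):
    """F_z: SHA-1 compression of one 64-byte block; `hook` (assumed helper) rewrites the buffer after steps 20, 40, 60."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:        f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl32(a, 5) + f + e + k + w[t]) & MASK32, a, rotl32(b, 30), c, d
        if hook and t + 1 in (20, 40, 60):
            a, b, c, d, e = hook((a, b, c, d, e))
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))

def sha1_pad(msg):
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return msg + struct.pack(">Q", bit_len)

def sha1_digest(msg):
    """Plain SHA-1 (same F_z in every block); used only to validate sha1_compress."""
    h, padded = SHA1_IV, sha1_pad(msg)
    for i in range(0, len(padded), 64):
        h = sha1_compress(padded[i:i + 64], h)
    return struct.pack(">5I", *h).hex()

def _gf_mul(a, b):
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else (a << 1) & 0xFF
        b >>= 1
    return p

def _build_sbox():
    """Step 1: inverse in GF(2^8) with 0 -> 0. Step 2: affine map (AES's, assumed)."""
    table = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return bytes(table)

SBOX = _build_sbox()

def sbox_sub(data):
    return bytes(SBOX[v] for v in data)

def rotl_bits(data, n):
    """Left cyclic shift of a whole byte string by n bits (as one big-endian integer)."""
    bits, x = len(data) * 8, int.from_bytes(data, "big")
    n %= bits
    return (((x << n) | (x >> (bits - n))) & ((1 << bits) - 1)).to_bytes(len(data), "big")

def first_block(m1, h0):
    """F_1: H_1 = F_ze(rotl(S(M_1), 4), H_0); F_ze S-boxes the 160-bit buffer then rotates it left 12 bits."""
    def reinforce(state):
        raw = rotl_bits(sbox_sub(struct.pack(">5I", *state)), 12)
        return struct.unpack(">5I", raw)
    return sha1_compress(rotl_bits(sbox_sub(m1), 4), h0, hook=reinforce)

def last_block(y, mn, h_prev):
    """F_n: takes Y (XOR of all blocks) in addition to M_n and H_{n-1}."""
    m_y = sbox_sub(y)
    fold = 0
    for i in range(0, 64, 2):          # XOR the 32 16-bit units of M_Y
        fold ^= int.from_bytes(m_y[i:i + 2], "big")
    r1, r2 = fold >> 8, fold & 0xFF    # the 16-bit result split into R_1 and R_2
    a_f = sha1_compress(rotl_bits(m_y, r1), h_prev)          # A_f = F_z(M_Ym, H_{n-1})
    return sha1_compress(rotl_bits(sbox_sub(mn), r2), a_f)   # H_n = F_z(M_nsm, A_f)

def reinforced_hash(msg):
    padded = sha1_pad(msg)
    blocks = [padded[i:i + 64] for i in range(0, len(padded), 64)]
    y = bytes(64)
    for blk in blocks:                 # Y = M_1 xor M_2 xor ... xor M_n
        y = bytes(p ^ q for p, q in zip(y, blk))
    h, last = SHA1_IV, len(blocks) - 1
    for i, blk in enumerate(blocks):
        if i == last:                  # a single block goes through F_n only
            h = last_block(y, blk, h)
        elif i == 0:
            h = first_block(blk, h)
        else:
            h = sha1_compress(blk, h)  # plain F_z for the intermediate blocks
    return struct.pack(">5I", *h).hex()
```

sha1_digest exists only so the inline compression function can be checked against the standard SHA-1 test vectors before it is reused as F_z. Reading the code makes the design's trade-off concrete: only the first and last calls change, so a message of any length costs at most two extra S-box passes and a few rotations beyond plain SHA-1, while every intermediate block inherits the properties, good and bad, of the unchanged F_z.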

Claims (5)

1. A reinforced hash function construction method based on a compression function, characterized in that the compression functions of the first block and the last block differ from the compression function of the intermediate blocks, and in that the compression functions of the first and last blocks are reinforced, making them more complex and more secure, by adopting secure operation units that resist differential analysis.
2. The reinforced hash function construction method based on a compression function according to claim 1, characterized in that the compression function of the last block has an additional input variable Y, i.e. H_n = F_n(Y, M_n, H_{n-1}), where M_n is the last message block, H_{n-1} is the result obtained from the penultimate block, and Y is a compression of the information of all the blocks, Y = F_Y(M_1, M_2, M_3, ..., M_n), where F_Y is a function with a low operation count.
3. The reinforced hash function construction method based on a compression function according to claim 1, characterized in that the component resisting differential analysis used for the reinforcement can be an S-box that has been proven secure.
4. The reinforced hash function construction method based on a compression function according to claim 1, characterized in that components performing multi-bit operations should be added in the reinforcement of the first and last blocks.
5. The reinforced hash function construction method based on a compression function according to claim 1, characterized in that the reinforcement of the first and last blocks can be based on computation with a secure block cipher.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210073859.6A CN102638344B (en) 2012-03-20 2012-03-20 Method for constructing reinforced hash function based on compression function

Publications (2)

Publication Number Publication Date
CN102638344A true CN102638344A (en) 2012-08-15
CN102638344B CN102638344B (en) 2015-04-22

Family

ID=46622597

Country Status (1)

Country Link
CN (1) CN102638344B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104158648A (en) * 2013-05-14 2014-11-19 罗伯特·博世有限公司 Method and device for generating Hash value
CN104954141A (en) * 2015-07-09 2015-09-30 南京航空航天大学 Lightweight hash function hvh coding technology
CN107563223A (en) * 2017-09-12 2018-01-09 四川阵风科技有限公司 Information processing method, device and electronic equipment
CN110858832A (en) * 2018-08-22 2020-03-03 阿里巴巴集团控股有限公司 Password information reinforcement and data processing method, device, system and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101483519A (en) * 2008-01-11 2009-07-15 索尼(中国)有限公司 Compressing function apparatus for generating hash function, hash function system and method
CN101872338A (en) * 2010-06-04 2010-10-27 杭州电子科技大学 Modified SHA-1 hash algorithm

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李志敏等: "可用于哈希函数的安全迭代结构", 《北京邮电大学学报》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104158648A (en) * 2013-05-14 2014-11-19 罗伯特·博世有限公司 Method and device for generating Hash value
CN104158648B (en) * 2013-05-14 2019-03-29 罗伯特·博世有限公司 Method and apparatus for generating cryptographic Hash
CN104954141A (en) * 2015-07-09 2015-09-30 南京航空航天大学 Lightweight hash function hvh coding technology
CN107563223A (en) * 2017-09-12 2018-01-09 四川阵风科技有限公司 Information processing method, device and electronic equipment
CN110858832A (en) * 2018-08-22 2020-03-03 阿里巴巴集团控股有限公司 Password information reinforcement and data processing method, device, system and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Wang Yong

Inventor after: Liu Jianming

Inventor after: Wang Huadeng

Inventor after: Cai Guoyong

Inventor after: Fu Li

Inventor after: Chen Zhiyong

Inventor before: Wang Yong

Inventor before: Wang Huadeng

Inventor before: Cai Guoyong

Inventor before: Fu Li

Inventor before: Chen Zhiyong

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: WANG YONG WANG HUADENG CAI GUOYONG FU LI CHEN ZHIYONG TO: WANG YONG LIU JIANMING WANG HUADENG CAI GUOYONG FU LI CHEN ZHIYONG

C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20120815

Assignee: Guilin Youman Network Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2022450000203

Denomination of invention: A reinforced hash function construction method based on compression function

Granted publication date: 20150422

License type: Common License

Record date: 20221125

Application publication date: 20120815

Assignee: Guilin Biqi Information Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2022450000196

Denomination of invention: A reinforced hash function construction method based on compression function

Granted publication date: 20150422

License type: Common License

Record date: 20221125

Application publication date: 20120815

Assignee: Guilin Beida Information Technology Co.,Ltd.

Assignor: GUILIN University OF ELECTRONIC TECHNOLOGY

Contract record no.: X2022450000199

Denomination of invention: A reinforced hash function construction method based on compression function

Granted publication date: 20150422

License type: Common License

Record date: 20221125

EE01 Entry into force of recordation of patent licensing contract
OL01 Intention to license declared