KR20080044150A - Apparatus and method for mapping out compressed function of a hash mode of operation for block cipher - Google Patents

Abstract

An apparatus and a method for mapping out a compression function of a hash mode of operation for a block cipher are provided to be used in a light weight hash function in case that secrecy and integrity are concurrently necessary in a light weight environment like RFID. An apparatus for mapping out a compression function of a hash mode of operation for a block cipher(10) includes the first block ciphering unit, the second block ciphering unit, the first replacement unit, the third block ciphering unit, the fourth block ciphering unit and the second replacement unit. The first block ciphering unit performs block ciphering for an upper bit Hi-1 of Mi and an arbitrary n bit constant c by a key having a 2n length wherein the Mi is the i-th plain text message resulted from division of 2n bit plain text message by n bit. The second block ciphering unit performs block ciphering for Gi-1 by a key having a 2n length wherein the Gi-1 is one among remaining plain text messages resulted from division of Mi by n bit. The first replacement unit replaces a result value having n length, outputted by the first block ciphering unit, with an upper n/2 bit and a lower n/2 bit of the result value, outputted by the second block ciphering unit, and obtains two n bit values. The third block ciphering unit ciphers one n bit value, replaced by the first replacement unit, by a key having a 2n length. The fourth block ciphering unit performs block ciphering for the other n bit value, replaced by the first replacement unit, by a key having a 2n length. The second replacement unit replaces a result value, outputted by the third block ciphering unit, with a result value, outputted by the fourth block ciphering unit.

Description

Apparatus and method for mapping out compressed function of a hash mode of operation for block cipher}

The present invention relates to an apparatus and method for designing a compression function in a block cipher hash operating mode. More particularly, the present invention relates to the fabrication of a hash function algorithm that can operate in a lightweight environment such as RFID (Radio Frequency IDentification). An apparatus and method for designing a compression function of a hash mode of operation (NHM) are described.

In general, a hash function is a function that abbreviates a message of arbitrary length to a value of fixed length n: {0, 1} ^* → {0, 1} ⁿ . The hash function used in cryptography is The properties of 1 to 3 primary reversed phase avoidance, secondary reversed phase avoidance and collision avoidance must be satisfied, each of which is summarized as follows.

First order inverse avoidance: It must be computationally impossible to find any message abbreviated to a given hash value. That is, the complexity of finding m such that H (m) = y for a given y must be greater than or equal to the given safety.

2. Secondary reverse phase avoidance: It must be computationally impossible to find another message that is abbreviated to the same value as the hash value of a particular message. That is, for a given m and H (m), the complexity of finding m 'where m ≠ m' and H (m) = H (m ') must be greater than or equal to the given safety.

3. Collision avoidance: It must be computationally impossible to find any two different messages m, m 'with the same hash value. That is, the complexity of finding any message pair m, m '(m ≠ m') where H (m) = H (m ') must be greater than or equal to the given safety.

The above conditions are properties that must be satisfied on the assumption that the initial value of the hash function is fixed beforehand. Under stronger conditions, the initial value of each hash function can be assumed to be free-started by the attacker. In this case, the properties that the hash function must satisfy are as follows. Here, H (h, m) means a hash value for m of the hash function H having h as an initial value.

Free-start first order reversed-phase avoidance: The complexity of finding the initial values h and m where H (h, m) = y for a given y must be greater than or equal to the given safety.

2. Free-start 2nd order reverse phase avoidance: Initial values h 'and m where m ≠ m' and H (h, m) = H (h ', m') for a given m and H (h, m) The complexity of finding 'should be more than a given safety.

Free-start collision avoidance: The complexity of finding any initial values h, h 'and messages m, m' (m ≠ m ') where H (h, m) = H (h', m '). It must be above the safety given.

In general, hash functions are designed using the Merkle-Damgard (MD) method proposed by Merkle and Damgard. And an initial value are required.

1. Compression Function: A function that converts n'bit messages into nbits.

f: {0, 1} ⁿ × {0, 1} ^{n '} → {0, 1} ⁿ

2. Message segmentation: The process of dividing an input message into partial messages of length n '. That is, M = M ₁ ∥ ····· ∥M _k , M _i ∈ {0,1} ^{n '} .

3. Initial value: Fixed value h ₀ ∈ {0, 1} ⁿ with length ⁿ .

After such a preset, the actual hash value h _i and the hash function H (m) are calculated as follows.

h _i = f (h _{i -1} , m _i ) for i = 1, ...

H (m) = h _k .

The hash function is divided into a dedicated hash function and a block cipher based hash function according to the design method of the compression function.

Dedicated hash functions began to be developed in the early 90's due to the necessity of efficient hash functions in software since the block ciphers used at that time were not efficient in software.

The block cipher-based hash function refers to a method of using a previously designed block cipher as a compression function of the hash function. As a result, defects are found in accordance with the safety of the dedicated hash functions recently, and the software efficiency of the block cipher is more noticeable than before. The trend is getting.

Apart from safety, the design method of block cipher-based hash function has the advantage of implementing the hash function with minimum additional resources when the block cipher is already installed in hardware implementation of information security products. This advantage is more prominent in environments where block ciphers and hash functions must be operated simultaneously in lightweight environments such as RFID.

The design of a block cipher-based hash function means a design of a method of obtaining the output value of a new compression function by inputting a compression function result value of a previous message block and a current message block in an appropriate manner in a block password. This can be regarded as designing a specific operation mode of the block cipher, and therefore, the following description will be made by considering the block cipher based hash function as the same concept as the hash operation mode.

The hash operation mode is a single block length (SBL) operation mode having an output length equal to the output length of the block cipher according to the output length of the hash function, and a double block having an output length twice the output length of the block cipher. DBL (double block length) is divided into operation mode. When the output length of the block cipher is n, the basic safety of each mode is equal to or less than the value shown in Table 1 below.

 Mode type 1st reverse attack 1st reverse attack Crash Pair Attack SBL 2 ⁿ 2 ⁿ 2 ^{n / 2} DBL 2 ²ⁿ 2 ²ⁿ 2 ⁿ

Meanwhile, there is a concept of hash rate as a measure of efficiency of hash operation mode. Intuitively, this means the number of block cipher operations required to compress a message having the same length as the block cipher input length into a hash function. The length of the input / output length of the block cipher is m and a block inputted into the hash function compression function. If the length of the message is n and the number of block ciphers used in the compression function is k, HR is n / mk.

The hash operation mode varies greatly in design direction depending on the key and I / O size of the block cipher to be used as the compression function. When a block cipher with an input / output size of n and a key size of k is called a (n, k) block cipher, most of the proposed DBL operating modes are designed based on (n, n) or (n, 2n) block ciphers. It became.

However, as described above, when confidentiality and integrity are simultaneously required in a lightweight environment such as RFID, it is difficult to independently implement an encryption function and a hash function due to limitations of hardware resources.

In this case, it is necessary to use the hash operation mode designed as a hash function using a block cipher implemented to secure confidentiality without implementing the hash function independently.

In order to overcome this problem and meet the need, S. Hirose's paper, "Provably secure double-block-length hash functions in a black-box model" (LNCS, Vol., No. 3506, 330-342PP., 2006) discloses a solution to the problem.

In this paper, a new efficient DBL hash function is proposed and the process of proving its safety under the black box model is disclosed.

As described above, the hash operation mode may be variously designed according to the type and configuration method of the block cipher. However, 64-bit block ciphers are likely to be used in harsh environments such as RFID. In the case of the SBL operation mode using the block cipher as a compression function, the safety against collision pair attack becomes 2 ^{32, which} is a safety problem. Therefore, the present invention is designed in the DBL hash operation mode. In addition, if the key size of a block cipher having a 64-bit input / output is 64 bits, it is appropriate that the key size is 128 bits because it is not secured by a full investigation attack. Therefore, the hash operation mode for RFID is appropriately designed to be an operation mode based on the (n, 2n) block cipher.

Previously, DBL hash operation modes based on (n, 2n) block ciphers have been proposed. However, the proposed schemes are designed without considering the free-start condition among the conditions to be satisfied by the hash function. Free-start conditions may or may not be considered in the safety analysis depending on the hash function operating environment. However, in the case of proving the safety of the hash function, if the safety of the free-start cases is proved, the safety of the cases with naturally fixed initial values is often proved. In addition, in the case of the hash function used for RFID, situations in which the initial value is variously selected according to the protocol in which the hash function is utilized occur. In this case, it is more reasonable to consider the safety against free-start attacks than to assume a fixed initial value. Therefore, NHM is designed to meet free-start safety conditions.

However, the DBL hash function based on the block cipher of the paper has a problem that it is not possible to secure the safety against free stasrt collision pair attack.

The present invention has been proposed to solve the above-mentioned problems and to meet the above-mentioned necessity. The object of the present invention is to provide a (n, 2n) block cipher based block cipher hash operation mode with 2 ⁿ safety against free-start collision pair attack. It is to provide a compression function design apparatus and method.

In the apparatus for designing a compression function of a block cipher hash operation mode of the present invention, the message length of the plaintext message M is padded in multiples of 2n bits, and then, this is set as M ', and the length of M' is expressed as k 2n bit blocks M ₁ as follows. Compression function design device of hash operation mode that blocks encryption by dividing by ..., M _k , H, which is the upper bit of M _i , the i th plaintext message of each plaintext message divided by 2 bits first block encrypting means for block ciphering _{i -1} and an arbitrary constant c of n bits with a key of length 2n, and G _{i -1} , which is the other of each plaintext obtained by dividing M _i by n bits, 2n The upper n / 2 bits and the lower of the second block encryption means for block encryption with a key of length, the n-length result value output by the first block encryption means and the n-length result value output by the second block encryption means. Two n bits by replacing n / 2 bits each A first substitution means for obtaining a value of, a third block encryption means for encrypting any n-bit value substituted by the first substitution means with a key of 2n length, and an n-bit value obtained by the first substitution means. A fourth block encrypting means for block ciphering the other one of the two values with a key having a length of 2n, and second replacing means for mutually replacing the result from the third block encrypting means and the result of the fourth block encrypting means. It is characterized by.

In addition, the method of designing a compression function of the block cipher hash operation mode of the present invention, after padding the message length of the plain text message M in multiples of 2n bits, is called M ', and the length of M' is k 2n bit blocks M ₁ , ..., assuming that a compression function design of the hash operation mode method for dividing a block encrypted with _k M, plain-text message of the higher-order bits M _i H _{i -1} is called, and the lower bits of the G _{i -1,} H _{i -} A first block encryption step of receiving ₁ and outputting encrypted α, a second block encryption step of receiving G _{i- 1} and outputting encrypted β, α in the first block encryption step, and a second block Encrypted α 'is input by inputting either the first substitution step for substituting each of the upper n / 2 bits and the lower n / 2 bits of β in the encryption step, and the two values obtained in the first substitution step. The third block encryption step of obtaining and the other of the two values obtained in the first substitution step A fourth block encryption step of acquiring the encrypted β 'by inputting me, and an upper n / 2 bit and a lower n / 2 respectively of α' in the third block encryption step and β 'in the fourth block encryption step And a second permutation step of acquiring the ciphertext by substituting the bits.

In addition to the block cipher, additional resources required for the implementation of the NHM are as follows.

1. 2n bit registers required to store connection variables

2. Additional n-bit register to store a block of messages

3. Initial connection variable 2n bits and internal constant n bits

4. Selection logic for implementing block ciphers with 4-block concatenation

If n is assumed to be 64, as in an environment where NHM is expected to be utilized, it takes about 2,000 gates to implement more resources in hardware. On the other hand, from the operation efficiency point of view, depending on the implementation method, if only one block password is implemented, there is an effect that is expected to show about 50% of the block password speed.

As mentioned above, NHM can be implemented with only a few additional resources. Therefore, when the confidentiality and integrity are required at the same time in a lightweight environment such as RFID, NHM has the advantage that it is possible to implement the hash function using only a small amount of additional resources in addition to the already implemented block password. In addition, unlike the existing operation mode, it is designed to maintain safety even under free-start conditions, thereby providing higher safety to information protection protocols such as RFID.

With reference to the accompanying drawings will be described in more detail with respect to the configuration of the present invention.

1 is a block diagram showing a compression function operation process and a connection state of a hash mode operation according to an embodiment of the present invention, Figure 2 is a state diagram showing the configuration of a block cipher in accordance with Figure 1 of the present invention in more detail. .

Referring to FIGS. 1 and 2, FIG. 1 illustrates an operation of the compression function f.

In order to maximize the implementation efficiency while achieving the above objectives, NHM was designed with the following considerations in mind.

1. It is known that using only two blocks is not safe for free-start attacks. Therefore, four blocks were designed to provide target safety.

2. Considering the implementation efficiency, the message input size is set to 2n bits so that the hash rate is 1/2.

3. When all the input messages are entered in the key of the block cipher, it is considered that there is a problem of safety.

4. If the operation results of four given blocks do not affect each other, it is possible to analyze four times the safety analysis results of each block cipher, so that all blocks can influence each other.

5. If the input message is input in the same two block steps and the other two block steps, it can be analyzed using the analysis results of the two block steps. .

6. In order to minimize additional resource generation factors in the implementation, I / O positions of messages and connection variables are adjusted.

7. Constants are used in part to ensure that the values of plaintext and keystrokes are not equal for each block.

Hereinafter, a detailed algorithm of the hash operation mode will be described.

The same block password is used four times using four blocks. The key is divided into two areas (2n bits), with the upper n bits on the left and the lower n bits on the right.

c가 되고, 블록암호에 사용될 키가 m₁∥m₂∥G_i-1이 된다. 여기서, m₁∥m₂∥G_i-1은 비트열 m₁, m₂ 및 G_i-1의 연접을 의미한다. That is, the length of the input and output of the block cipher is n, the length of the key is 2n, the message M = m ₁ ∥ m ₂ ∥ m ₃ ∥ m ₄ is 2n, and the length of each m _i is n / 2. . For example, in the upper left block cipher of four block ciphers, the input of the block cipher is H _i-1

c becomes the key to be used for the block cipher, m ₁ ∥m ₂ ∥G _i-1 . Here, m ₁ ∥m ₂ ∥G _i-1 means a concatenation of the bit strings m ₁ , m ₂ and G _i-1 .

Next, the padding method of NHM is demonstrated.

The hash function operates in units of message blocks with a fixed size. Therefore, in order to abbreviate a message having an arbitrary length, it is necessary to additionally pad an appropriate bit string so that the length of the padded message is a multiple of the input message block size of the hash function. NHM padding method uses three methods according to the usage environment as follows.

Padding scheme 1: the length of the input message M is not fixed

Append `1 'to the end of M

-'0' is continuously added after `1 'so that M' = M∥100... 0 is 2n × k-n.

-Write the bit length of M as n bits and add it after M '.

Finally, the length of the padded message is a multiple of 2n.

Padding scheme 2: The length of M is always 2n-1 bits or less

Append `1 'to the end of M

-'0' is added continuously so that the length of M∥100..0 is 2n. (If M is (2n-1), only '1' needs to be added.)

Padding scheme 3: M is always 2n bits long

In this case, no padding is done.

As a general hash function, padding method 1 is generally used. However, NHM was developed for the purpose of being used in a lightweight environment such as RFID, and it is expected that the input message of the hash function is often within 1 block or has a fixed length. Even in the case where only messages within 1 block are accepted, the application of the padding scheme 1 has a problem that the efficiency is reduced to 1/2 without any impact on safety. Therefore, the padding scheme of NHM may selectively use padding scheme 2 and padding scheme 3 according to the use environment.

Next, the algorithm operation method of NHM is demonstrated.

The process of calculating the hash value of the message M using the NHM is as follows.

1. Select an appropriate one of the padding schemes described above to adjust the message length to a multiple of 2n bits, and call it M '.

2. When the length of M 'is 2n × k (k ≧ 1), it is divided into _k 2n bit blocks M ₁ ,..., M _k as follows.

M '= M ₁ ∥ M ₂ ∥ ・ ・ ∥ M _k .

3. Carry out the following procedure increasing i from 1 to k:

Divide M _i into four n / 2-bit blocks m ₁ , m ₂ , m ₃ , m ₄ .

M _i = m ₁ ∥m ₂ ∥m ₃ ∥m ₄ .

c)

H_i-1로 표시할 수 있다. 여기서, α(12)는 임의로 설정된 임시 변수이며, c는 운영모드의 수행 과정에 XOR되는 n비트 상수이고, B(k,M)는 2n비트 k를 키로 사용하여 n비트 메시지 M을 블록암호로 암호화한 암호문을 의미한다. 한편,

는 배타적 논리합(XOR)을 나타낸다. -Update H _i-1 , G _i-1 to H _i , G _i through the compression function f which operates as follows. First, when H _i-1 is input and passes through the first block cipher 10, α (12) is output, and α (12) is α ← B ((m ₁ ∥m ₂ ) ∥G _i-1 , H _i-1

c)

It can be displayed as _Hi-1 . Here, α (12) is a random variable that is arbitrarily set, c is an n-bit constant that is XORed during the execution of the operation mode, and B (k, M) is an n-bit message M as a block code using 2n-bit k as a key. It means encrypted cipher text. Meanwhile,

Denotes an exclusive OR.

In FIG. 2, although _Hi-1 and Gi _-1 are used as input values, an initial value of an operating mode, which is an n-bit constant, may be represented by H ₀ and G ₀ .

G_i-1로 표시할 수 있다. 여기서, β(14)도 임의로 설정된 임시 변수이다. On the other hand, when G _i-1 passes through the second block cipher 20, β (22) is output, and β (22) is β ← B ((m ₃ ∥m ₄ ) ∥H _i-1 , H _i-1 )

It can be displayed as G _i-1 . Here, β (14) is also a temporary variable arbitrarily set.

Γ 14 outputs γ ← α ^u ∥ β ^l . γ (14) is also a temporary variable. Here, α ^u represents the upper n-bit value of α of 2n bits of α. Β ¹ represents the lower n-bit value of β of 2n bits of β.

Similarly, δ (24) outputs δ ← β ^u ∥ α ^l . δ is also a temporary variable set arbitrarily.

c)

γ로 나타내어 진다. 마찬가지로, α'(32)도 암호화 과정을 설명하기 위해 임의로 설정된 임시 변수이다. On the other hand, γ 14 and δ 24 pass through the third and fourth block ciphers 30 and 40. When γ 14 passes through the third block cipher 30, α '32 is output as a result value, and α' 32 is α '← B ((m ₃ ∥ m ₁ ) ∥δ , γ

c)

It is represented by γ. Likewise, α '32 is a temporary variable set arbitrarily to explain the encryption process.

δ로 나타내어 진다. 마찬가지로, β'(42)도 암호화 과정을 설명하기 위해 임의로 설정된 임시 변수이다. When δ 24 passes through the fourth block cipher 40, β '42 is output as a result value, and β' 42 is β '← B ((m ₄ ∥ m ₂ ) ∥γ, δ)

It is represented by δ. Similarly, β '42 is a temporary variable arbitrarily set to explain the encryption process.

On the other hand, H _i (34) output as the result value is outputted by the formula of H _i ← α ' ^u ∥ β' ^l . Then, G _i 44, which is another result value output as the result value, is substituted and outputted by the formula G _i ← β ' ^u ∥ α' ^l . Here, α ' ^u represents the upper n-bit value of α' among 2n bits of α '. Β ' ¹ represents a lower n-bit value of β' in 2n bits of β '.

Perform the same round operation process as k three times. That is, when the original message M through the padding is divided into k number of bits 2n M '= M ₁ ∥M ₂ ∥ and and and ∥M _k, it performs a process in the first round to handle any of the plaintext block M _i ( 1 ≦ i ≦ k). As a result, the input value is H _i-1 ∥G _{i -1} , which is plain text, and the output value is output as H _i ∥G _i , which is a ciphertext after 3 steps (round compression function).

4. Print H _k ∥G _k as the hash value H (M) for message M. The input value of the _i- th round is H _i-1 ∥G _i-1 , and after 3 steps (round compression function), the output value is H _i ∥G _i , and the output value H _k ∥G is output through the last k rounds. _The value _k is the final output of the hash function.

Here, if the output of the hash function is m bits, a collision pair is found if there are 2 ^{m / 2} messages. In other words, the hash function proposed in the present invention is safe for collision pair attack with a probability greater than 2 ^{-m / 2} when the hash output length is m, that is, an attack amount smaller than the hash calculation of 2 ^{m / 2} . This means that there is no attack method that can detect collision pairs. Therefore, the NHM implemented in the present invention is a structure that is hard to find a collision pair with a calculation amount of 2 ⁿ or less under the assumption that the message hash output value is 2n bits and the block cipher is safe.

1 is a block diagram of a compression function design apparatus of a block cipher hash operating mode according to an embodiment of the present invention.

Figure 2 is a state diagram showing in more detail the configuration of the block cipher according to Figure 1 of the present invention.

<Brief description of symbols for the main parts of the drawings>

10, 20, 30, 40: block cipher

Claims (15)

After hashing the message length of the plaintext message M in multiples of 2n bits, setting this as M ', and hashing the block by dividing the length of M' into k 2n-bit blocks M ₁ , ..., M _k as shown below. Compression function design device of the mode, The key for encrypting the block of the upper bits of H _{i -1} and n c is an arbitrary constant of 2n-bit length of the plain text message of the 2n n-bit of each of the plain-text message bits divided by the number i M _i th plaintext message 1 block encryption means; Second block encryption means for receiving an input of G _{i -1} , which is the other one of the plain text obtained by dividing M _i by n bits, and encrypting the block with a 2n long key; Two n by replacing the upper n / 2 bits and the lower n / 2 bits of the n length result value output by the first block encryption means and the n length result value output by the second block encryption means. First substitution means for obtaining a value of a bit; Third block encryption means for encrypting any one n-bit value substituted by said first substitution means with a 2n length key; Fourth block encrypting means for block encrypting the other of the two values of n bits obtained by said first replacing means with a key of length 2n; And second substitution means for mutually replacing a result value from the third block encryption means and a result value of the fourth block encryption means. First exclusive logic means for receiving the H _{i -1} as an input at the previous stage of the first block encryption means and performing an exclusive OR with c, which is a constant of n bits; In the first block after the end of the encryption means and a second exclusive OR means for exclusive-OR operation to block the encrypted value and the H _{i -1} by the first block cipher device; Third exclusive logic means for performing an exclusive OR operation on the block encrypted value by the second block encryption means and the G _{i -1} at a subsequent stage of the second block encryption means; Fourth exclusive logical sum means for performing an exclusive logical sum operation with c on any one of two values of n bits obtained by the first substitution means after the first substitution means; A fifth logical exclusive operation of the value of the n-bit length output from the third block encryption means after the third block encryption means with any one of two values of n bits obtained by the first substitution means. Exclusive logic means; A sixth logical exclusive operation of the value of the n-bit length output from the fourth block encryption means at the subsequent stage of the fourth block encryption means with the other one of two values of n bits obtained by the first substitution means; Compression function design apparatus of a block cipher hash operating mode, characterized in that it further comprises an exclusive logic means. The method according to claim 1 or 2, The 2n-length key used in the first block encryption means divides M _i into four n / 2-bit blocks m ₁ , m ₂ , m ₃ , m _4, and m ₁ ∥m ₂ ∥G _{i- 1} is used as an encryption key, where ∥ means concatenation. Compression function designing apparatus of block cipher hash operation mode. The method according to claim 1 or 2, The 2n-length key used in the second block encryption means divides M _i into four n / 2-bit blocks m ₁ , m ₂ , m ₃ , m _4, and m ₃ ∥m ₄ ∥H _{i- 1} is used as an encryption key, where ∥ means concatenation. Compression function designing apparatus of block cipher hash operation mode. The method according to claim 1 or 2, The 2n length key used in the third block encryption means divides M _i into four n / 2 bit blocks m ₁ , m ₂ , m ₃ , m ₄ , and m ₃ ∥m ₁ and Any one of two values of n bits obtained by the first substitution means is concatenated and used as an encryption key, where ∥ means concatenation. Compression function designing apparatus for block cipher hash operation mode. The method of claim 5, The 2n-length key used in the fourth block encryption means divides M _i into four n / 2-bit blocks m ₁ , m ₂ , m ₃ , m ₄ , and m ₃ ∥m ₁ and the divided value. Combination function design apparatus of a block cipher hash operating mode, characterized in that the other one of the two values of the n-bit obtained by the first substitution means are concatenated and used as an encryption key. Compression of hash operation mode in which the message length of the plaintext message M is padded in multiples of 2n bits, and this is called M ', and the length of M' is divided into _k 2n bit blocks M ₁ ,. As a function design method, The upper bits of the plaintext message is called M _i H _{i -1,} and when the lower bit is called G _{i -1,} the H _{i -} first block encryption step of outputting the encrypted receives the α _1; A second block encryption step of receiving the G _{i -1} and outputting encrypted?; A first substitution step of replacing each of the upper n / 2 bits and the lower n / 2 bits of α in the first block encryption step and β in the second block encryption step; A third block encryption step of obtaining an encrypted α 'by inputting any one of two values obtained in the first substitution step; A fourth block encryption step of obtaining an encrypted β 'by inputting another one of two values obtained in the first substitution step; And a second substitution step of acquiring a ciphertext by substituting each of the upper n / 2 bits and the lower n / 2 bits of α 'in the third block encryption step and β' in the fourth block encryption step. Compression function design method of the block cipher hash operating mode, characterized in that. The method of claim 7, wherein Α formed in the first block encryption step is obtained by the following equation, α ← B ((m ₁ ∥m ₂ ) ∥G _{i -1} , H _{i -1}

c)

H _{i -1} Where B (k, M) denotes a ciphertext encrypted with a block cipher of n-bit message M using 2n-bit k as a key, ∥ denotes concatenation,

Is an exclusive OR, and c is an arbitrary constant of n bits, and the compression function design method of the block cipher hash operating mode. The method of claim 7, wherein Β formed in the second block encryption step is obtained by the following equation, β ← B ((m ₃ ∥m ₄ ) ∥H _{i -1} , H _{i -1} )

G _{i -1} Where B (k, M) denotes a ciphertext encrypted with a block cipher of n-bit message M using 2n-bit k as a key, ∥ denotes concatenation,

Is an exclusive OR, and c is an arbitrary constant of n bits, wherein the compression function design method of the block cipher hash operating mode. The method of claim 7, wherein Any one of the two values obtained in the first substitution step obtained by the method of γ ← α ^u ∥β ^l , The other one obtained by substituting δ ← dsβ ^u ∥α ^l , where α ^u represents the upper n-bit value of α in 2n bits of α, β ^l represents the lower n-bit value of β in 2n bits of β, β ^u represents the upper n-bit value of β of 2n bits of β, and α ^l represents the lower n-bit value of α of 2n bits of α. The method of claim 10, Α 'formed in the third block encryption step is obtained by the following equation, α '← B ((m ₃ ∥m ₁ ) ∥δ, γ

c)

γ Where B (k, M) denotes a ciphertext encrypted with a block cipher of n-bit message M using 2n-bit k as a key, ∥ denotes concatenation,

Is an exclusive OR, and c is an arbitrary constant of n bits, wherein the compression function design method of the block cipher hash operating mode. The method of claim 10, Β 'formed in the fourth block encryption step is obtained by the following equation, β '← B ((m ₄ ∥m ₂ ) ∥γ, δ)

δ Where B (k, M) denotes a ciphertext encrypted with a block cipher of n-bit message M using 2n-bit k as a key, ∥ denotes concatenation,

Is an exclusive OR, and c is an arbitrary constant of n bits, wherein the compression function design method of the block cipher hash operating mode. The method of claim 7, wherein Any one of the two values obtained in the second substitution step H _i (34) is obtained by the formula H _i ← α ' ^u ∥β' ^l , The other one G _i (44) is obtained by substituting G _i ← β ' ^u ∥α' ^l , where α ' ^u represents the upper n bits of α' of 2n bits of α ', and β' ^l is β Represents the lower n bits of β 'in 2n bits of, β' ^u represents the upper n bits of β 'in 2n bits of β', and α ' ^l represents the lower n bits of α' in 2n bits of α ' Compression function design method of block cipher hash operation mode characterized in that it represents a value. The method of claim 7, wherein Concatenating the ciphertexts obtained after the second substitution step and performing the process k times to obtain a value H _k ∥G _k , which is the final output of the hash function. Compression function design method. The method of claim 14, The obtained ciphertext H ₁ ∥G ₁ to H _k ∥G _k And concatenating all of them to complete the cipher text.

Images