Summary of the invention
A deterministic function gives the cryptanalyst a clear and definite target and thereby weakens security. The present invention therefore uses a random function to design the hash function.
Note that although the hash algorithm of the present invention is not fixed, in the general case the hash value must nevertheless be determined once the plaintext is determined, otherwise verification is impossible. To resolve this, the hash function is made correlated with the plaintext input: once the input plaintext is determined, the form of the hash function is determined as well. Under known plaintext the hash function is therefore fixed; that is, the hash function is determined by the plaintext in some manner.
Suppose the random hash function is D = H(m), where H is random and m is the variable input of the function. Borrowing from the features of a traditional deterministic hash function, in a hash function built from a random function the plaintext not only determines the concrete form h_i of the hash function but also serves as the input m of the algorithm D = h_i(m). The part of the plaintext that determines the concrete form of the hash function and the part that enters the hash function as the parameter m may be correlated or independent; for example, one part of the plaintext may determine h_i while another part serves as m. If the two parts are independent, the cryptanalyst can easily divide and conquer: first fix the function, then search for a suitable m. Conversely, if the two parts are associated, that approach fails, because once the function is fixed, varying m during the search for a suitable m also changes the function, so the two conditions cannot be satisfied at the same time. The associated case is therefore the safer one, and in the present invention the relation between the two parts must be designed to be very complex so that it is difficult to break. Specifically, as many bits of the plaintext as possible should participate both in determining the form of the function and in m, so using the entire plaintext for both is most suitable; since all existing hash functions require padding, the present invention uses the whole padded plaintext both to determine the form of the hash function and as m.
Similarly to the analysis above, in cryptanalysis the more independent the relations between the different parts of the data in the hash function are, the easier it is to divide and conquer; if the relevance is strong, any attempt to divide and conquer breaks the association, and the conditions can no longer be met. Therefore, the design must make the data highly associated and widely diffused, and to prevent this diffusion and association from leaking information, a strong and fast avalanche effect is also needed. The avalanche effect here is the effect in cryptography, not the one in economics. The avalanche effect is a kind of unstable equilibrium and is a characteristic of cryptographic algorithms: a small change in the plaintext or the key causes a great change in the ciphertext; flipping 1 bit of the plaintext changes half of the ciphertext bits, and flipping 1 bit of the key likewise changes half of the ciphertext bits. For a hash function, the avalanche effect means that a change in a small number of message bits causes many bits of the hash value to change. From this angle, considering cryptanalysis, a longer hash value allows a safer design, because it is harder to forge a message that simultaneously matches a longer hash value.
In view of the fact that MD5 and SHA-1 have been broken by Wang Xiaoyun, and that these hash functions contain many single-bit operations but lack multi-bit operations such as S-boxes, a secure hash should adopt S-boxes and similar multi-bit confusion operations.
For the structure of a hash function there are two classes of conventional methods: the first and most frequently used is to apply a compression function repeatedly to compress the data block by block; the second uses a block cipher in some mode to produce the hash value. Other methods, including ones that use public-key algorithms, have not received broad research or application. The present invention adopts the first class, the compression function.
The concrete construction method of the hash function is as follows:
Step 1: determine the message block length L processed by the compression function at each iteration.
Step 2: design the padding and the way the length information is appended, and pad the message. Because the hash must have a definite result, the padding method must be fixed: for a given message there can be only one way of padding. It must also be easy to determine the padded region; since the padding length itself is not fixed, one of the following two modes can be adopted. The first: if the message length is not of the form nL - f, the first padding bit is 0 and all subsequent bits are 1 (or the reverse). In this way, except when the message length is exactly of the form nL - f, the padded content is easy to determine and the padding length is determined; the message is padded up to nL - f, and if its length is already nL - f it is not padded. Here n is the smallest positive integer satisfying this condition, and f is a fixed value less than L reserved in advance for the message length; the standard for choosing f is that 2^f should cover the length of most messages and files while f is not too long. The second: if the message length is not nL - f, the above padding is used; if the message length is of the form nL - f, a further L bits are padded onto the message, giving a length of (n+1)L - f, again with the first bit 0 and all subsequent bits 1 (or the reverse). From the message length and the padding rule the padding length can be determined; the two must agree, which allows verification and places an obstacle in the way of forgery and decoding. The message length is appended as follows: when the binary value of the message length exceeds f bits, the f bits at the end are taken; when the length is shorter than f bits, it is zero-padded in front before being appended. After padding and appending, the message becomes a multiple of the block length L. Since there are two data storage methods, LITTLE-ENDIAN and BIG-ENDIAN, the most suitable representation of the pre-padding message length should be chosen according to the machine type.
Step 3: set the length of the hash value. Considering attacks such as rainbow tables, unless convenience is especially required and the occasion does not particularly require security, the length value n should be greater than 160 bits.
Step 4: determine the initial value(s) of the hash. These values are fixed, and their total length is n. The storage mode chosen for the data should generally be the same as that of the message length.
Step 5: design the random compression function H. The compression function is the most critical part of the hash function; its input is the previous hash value or the initial value of the hash, and its output is an intermediate hash value or the final hash value. As discussed above, in order to reach good diffusion and confusion, the present invention should adopt S-boxes or similar multi-bit substitution components. The design principles of the S-box are the same as for S-boxes in symmetric ciphers: fast, preferably expressible as an operation (rather than a table lookup), with a good avalanche effect, good diffusion and differential uniformity, but with no requirement of invertibility. The S-boxes of some open standard algorithms have good analytical and experimental properties and can be used directly by preference, without considering whether they are invertible (the hash value is only used for verification and is never decrypted). The construction of the random compression function may borrow from existing symmetric ciphers and hash functions. What is unique is that some components can be random functions: for example, a random S-box may be one of several S-boxes, the amount of a ring shift can be random, and the bit operation can be chosen at random among XOR, AND, OR and so on. Other operations of all kinds can likewise be random functions. Unless a special complementary or cancelling effect is required, the randomness of all random function components should be statistically independent; that is, the choice of concrete functional form made for any two or more random function components is uncorrelated. Each concrete functional form of a random function should generally be of roughly equivalent strength and should cooperate with the other components to achieve good security. Optionally, after the last block has been processed by the compression function, the data of the final compression may be compressed further; this is generally done where the intermediate hash value has been designed very long in order to improve security, while a very long final hash value is inconvenient.
Step 6: determine the structure and form of the determination code A of the random function. Although the compression function is itself random, under a concrete plaintext (message) the function must be determined; the present invention determines the concrete form of this function by determining the code A. Independent random function components use independent bit positions of the code; if some random function components are correlated, their codes can be combined. The bit length of the determination code corresponding to a random function component is not less than log2 e, where e is the number of concrete forms of that component; it is related to the number of random components of the random compression function and to the number of forms of each. Take the minimum number of bits required for each random component, namely log2 e if that is an integer, or log2 e rounded down plus 1 otherwise; if convenience of reading and storage is considered, the smallest multiple of 8 bits may be taken instead. The form of the coding of the random function can thus be obtained: so many bits or bytes at the front determine one random component, the following so many bits determine another, and so on. The length of A is determined in this way.
Step 7: design the method of calculating the determination code A of the random function. The random function is determined by the current block or by the first block. This can be viewed as designing a function f with A = f(am), where am denotes the corresponding message block. For greater safety f can also be replaced by a random function F, but this sacrifices efficiency. Note that the value of A finally extracted from the calculation may have redundancy, which can be handled by a modulo operation: for example, if a random function component has 5 concrete forms and 3 bits are used to encode it, they can be encoded as 0, 1, 2, 3, 4, and the 3 bits are converted to decimal and reduced modulo 5. It is of course generally better to design each component to have 2^w concrete functional forms.
The method of computing the hash value of a single block is as follows. Depending on the situation there are two ways to determine the random function: the first determines the random function from the first block and continues to use it thereafter; the second determines the random function from the current block. According to these two cases, input either the first block or the current plaintext (message) block am, compute A by A = f(am), and according to the data structure of A perform the appropriate segment extraction and modulo processing; the resulting code determines the concrete functional form of all random function components. In this way the concrete form h_i of the hash function H is determined, and the hash value is d_i = h_i(am, d_{i-1}).
The process of generating the hash value of a whole message: pad the message and append the length information, then repeatedly apply the method of the preceding paragraph, taking the initial hash value or the previous hash value as input and using the random compression function to produce a hash value for each block in turn, compressing block by block until the end.
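As an added example (not part of the patent text), the following Python code implements the padding and length appending of step 2 for general parameters L and f, performs the padding-length check that step 2 says is possible, and extracts the choice of each random component from a determination code A with the minimum bit widths and modulo reduction of steps 6 and 7. Byte-granular messages, a big-endian length field and all function names are assumptions.

```python
def padding_bits(msg_bits: int, L: int, f: int, extra_block: bool = True) -> int:
    """Padding length the step-2 rule prescribes: pad up to nL - f for the
    smallest n; if the length already has that form, variant 2 (extra_block)
    pads a further L bits and variant 1 pads nothing."""
    pad = (L - f - msg_bits) % L
    if pad == 0 and extra_block:
        pad = L
    return pad


def pad_message(msg: bytes, L: int, f: int, first_bit: int = 0,
                extra_block: bool = True) -> bytes:
    """Pad msg and append its length. Assumptions: L and f are multiples of 8
    and the length field is big-endian. The first padding bit is first_bit,
    all later padding bits are its complement; a length longer than f bits
    keeps only its low f bits, a shorter one is zero-extended."""
    assert 0 < f < L and L % 8 == 0 and f % 8 == 0
    msg_bits = len(msg) * 8
    pad = padding_bits(msg_bits, L, f, extra_block)
    if pad == 0:
        padding = b""
    elif first_bit == 1:
        padding = b"\x80" + b"\x00" * (pad // 8 - 1)   # 1 followed by 0s
    else:
        padding = b"\x7f" + b"\xff" * (pad // 8 - 1)   # 0 followed by 1s
    length_field = (msg_bits & ((1 << f) - 1)).to_bytes(f // 8, "big")
    return msg + padding + length_field


def padding_is_consistent(padded: bytes, L: int, f: int, first_bit: int = 0) -> bool:
    """The check the text describes, for variant 2 (padding always present):
    find the padding by its fixed form, then require that its length is exactly
    what the rule prescribes for the message length stated in the length field."""
    Lb, fb = L // 8, f // 8
    if len(padded) % Lb != 0 or len(padded) <= fb:
        return False
    body, field = padded[:-fb], padded[-fb:]
    marker, filler = (0x80, 0x00) if first_bit == 1 else (0x7F, 0xFF)
    i = len(body)
    while i > 0 and body[i - 1] == filler:     # step back over the complement bits
        i -= 1
    if i == 0 or body[i - 1] != marker:        # first padding bit not found
        return False
    msg_bits = (i - 1) * 8
    claimed = int.from_bytes(field, "big")
    return (len(body) * 8 - msg_bits == padding_bits(msg_bits, L, f, True)
            and claimed == (msg_bits & ((1 << f) - 1)))


def code_widths(form_counts) -> list:
    """Minimum bits per random component (step 6): log2 e when e is a power
    of two, otherwise rounded up; (e - 1).bit_length() computes exactly that."""
    return [(e - 1).bit_length() for e in form_counts]


def decode_code(A: int, form_counts) -> list:
    """Split A into one field per component, front to back, and reduce each
    field modulo its number of forms to remove the redundancy of step 7
    (e.g. 5 forms encoded in 3 bits). Returns the chosen form of each component."""
    widths = code_widths(form_counts)
    remaining = sum(widths)
    choices = []
    for e, w in zip(form_counts, widths):
        remaining -= w
        field = (A >> remaining) & ((1 << w) - 1)
        choices.append(field % e)
    return choices
```

With L = 512 and f = 64 the padding matches the embodiment below; the checker rejects a padded block whose length field and padding region disagree.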
The security advantages of the present invention are as follows. First, compared with existing algorithms, the hash function based on a random function changes as the input variable changes, and this change makes the variation of the intermediate results in the hash computation and of the final hash value far more violent and difficult to analyse. Second, the algorithm is determined for both the encrypting and decrypting parties, but undetermined for the analyst. Existing published cryptanalytic methods all target a definite algorithm; the function of the present invention is itself undetermined, which makes cryptanalysis difficult to even begin.
Although the present invention has a very large advantage from the angle of technical analysis, it is ineffective against some very simple attacks, such as table lookup: hackers have built rainbow tables for some present hash functions, storing one or more plaintexts corresponding to every hash value in a sorted, searchable table, so that the hacker only needs to look up a value to find a collision or the original plaintext. The present invention therefore still needs to increase the length of the hash value, and the use of multiple random functions also makes it easier to increase that length. Only in occasions where convenience is badly needed and a very long hash value is impractical should a hash value of the same length as existing hash functions be used.
To decode a hash function of this class, the cryptanalyst must on the one hand determine which concrete function the random function adopts for the given hash value, and on the other hand determine the input of the hash. The former is very difficult; moreover the two are associated with each other, so satisfying both at the same time is harder still.
Embodiment
The following is an embodiment of a random hash function construction. For convenience and simplicity of description, a relatively brief algorithm is adopted, borrowing from an existing algorithm.
A random hash function is constructed according to the following steps:
Step 1: determine the block length to be processed, 512 bits.
Step 2: design the padding and the appended length information, and pad the message. The first padding bit is 1 and all following bits are 0, padding the message up to 512n - 64 bits; if the message length is already of the form 512n - 64, 512 bits are padded, again with the first bit 1 and all following bits 0. Here n is the smallest positive integer satisfying this condition, and 64 bits are reserved in advance for the message length, because in practice the binary length of most messages does not exceed 64 bits, i.e. the length does not exceed 2^64. When the binary value of the message length exceeds 64 bits, i.e. the message is longer than 2^64, the 64 bits at the end are taken; when the length is shorter than 64 bits, it is zero-padded in front to a full 64 bits. After padding and appending, the message becomes a multiple of the block length 512. The message length is stored in BIG-ENDIAN form.
Step 3: set the length of the hash value; for convenience the length value n is taken as 160 bits here.
Step 4: determine the initial values of the hash, or initialisation variables. These values are fixed, with a total length of 160 bits. The intermediate hash results and the final hash value are stored in a buffer divided into five 32-bit registers called A, B, C, D, E, with initial values A=0x01234567, B=0xAB89EFCD, C=0xDCFE98BA, D=0x10325476, E=0xC3D2E1F0. The registers use the BIG-ENDIAN storage mode.
Step 5: design the random compression function H. To strengthen security, an S-box is selected here as the security component. A large S-box is secure but increases the amount of computation and storage, while a small S-box is unsafe; for a software implementation, operating in units of bytes is convenient, so 8 bits, one byte, is chosen as the input and output size of the S-box. The multiplicative inverse mapping over the finite field GF(2^8) has good nonlinearity, differential uniformity and algebraic degree, but because its algebraic expression is too simple it is vulnerable to interpolation attacks and the like, so it is combined with an affine operation. In this algorithm the S-box is used as a random function component: two S-boxes are chosen at random, both adopting the combination of inverse mapping and affine operation, and they differ in the mapping of the affine operation. Specifically the transformation is: 1) map the 8 bits to their multiplicative inverse in GF(2^8), with the additional rule that the binary value 00000000 is mapped to 00000000; 2) apply an affine transformation to the result of the inverse operation above. Since this is a random function with two concrete forms, there are two binary affine transformations to select from at random.
The above S-box is used to substitute the 512-bit message block am: after the message block has been substituted according to the randomly selected S-box, the whole 512 bits are ring-shifted left by half the S-box width, i.e. 4 bits, giving Y_q. Y_q is then subjected to 4 rounds of processing, each round consisting of 20 iteration steps. The 4 rounds have the same structure but use different basic random functions, denoted F_1, F_2, F_3, F_4. The input of each round is the result Y_q of the S-box substitution and ring shift of the message block currently being processed, together with the current values A, B, C, D, E of the buffer; the output is placed back in the buffer, replacing the old values of A, B, C, D, E. Each iteration of each round is as shown in accompanying drawing 1, where F is the random function with inputs B, C, D, and K_t is the addition constant, with 0 ≤ t ≤ 79, t denoting the iteration step number: for 0 ≤ t ≤ 19, K_t = 0x51827919; for 20 ≤ t ≤ 39, K_t = 0x64D9EBA1; for 40 ≤ t ≤ 59, K_t = 0x211BBC3C; for 60 ≤ t ≤ 79, K_t = 0x6A62C1D. <<<_n denotes a left ring shift of the bits by n positions, where n differs according to the operation, and ⊞ denotes addition modulo 2^32. The words W_t are obtained from Y_q; each W_t is 32 bits long. The first 16 words (W_0 to W_15 in order) are taken directly as the 16 successive 32-bit words of Y_q; the remaining words (W_16 to W_79 in order) are calculated by a composite random function: W_t = <<<_I [(W_{t-16} OPERATOR_1 W_{t-14}) OPERATOR_2 (W_{t-8} OPERATOR_1 W_{t-3})], where <<<_I denotes a left ring shift by I positions, I being a random variable taking the values 10 and 18, and OPERATOR_1 and OPERATOR_2 being random operators: the concrete forms of OPERATOR_1 are XOR and the complement of XOR, and the concrete forms of OPERATOR_2 are AND and OR, so that the concrete forms of the random function are relatively complementary. The random function F is defined in Table 1.
Table 1: definition of the random function F
Note that although F_2 and F_4 may have identical concrete forms, each of them independently selects one of the two concrete functions, so they are different functions. For simplicity, the randomness in this example is still limited; in a specific design, more randomness can be considered.
Step 6: determine the structure of the determination code of the random function. We examine the random components of the function one by one; since these random choices are independent, each can correspond to an independent bit: 1) the random substitution function: the random S-box has two concrete forms and needs 1 bit. 2) The random functions F_1, F_2, F_3, F_4 each have two concrete forms and need 1 bit each, 4 bits in total. 3) W_t is a composite random function: OPERATOR_1, OPERATOR_2 and I are all random factors, each with two forms, needing 3 bits. Therefore A needs an 8-bit code, in which bit 1 determines the S-box (0 denotes the first S-box and 1 the second), bits 2-5 determine the random functions F_1 to F_4 respectively (0 and 1 denoting the concrete functional forms in the order listed in the table), and bits 6-8 determine the composite function of W_t.
Step 7: design the method of calculating the determination code A of the random function. In the concrete construction two methods can be used: the first, the natural form, lets each block decide the random function of the current block according to the message of that block; the second, in order to reduce the amount of computation, the storage space and the complexity, determines the random function in the first block and continues to use that function in all subsequent blocks. The method of calculating A is: apply the first S-box above to the message am, then divide the resulting 512-bit message into two 256-bit groups and ring-shift each to the left, the left group by 4 bits and the right group by 6 bits, and XOR the two shifted values to obtain a 256-bit group. Then continue with the same S-box substitution, division into two groups, left ring shifts by 4 and 6 bits, and XOR; after several rounds of this cycle an 8-bit result is obtained, which is taken as A and used to determine the concrete form of the function. A data digest can then be produced with the hash function so designed, and it is very difficult for a cryptanalyst to decode it. Even if the cryptanalyst knows the original message and wants to forge an identical message (in principle he can know the concrete form of the hash function in this case), the plaintext he forges must not only yield the same determination code A under the calculation method but also produce the same hash value at the same time, which is clearly also very difficult. Without knowing the plaintext he knows neither the algorithm nor the message, and the forged message still needs to meet both conditions simultaneously, which greatly increases the difficulty of decoding.
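As an added example (not code from the patent), the following Python code decodes the 8-bit determination code A of the embodiment (step 6) and expands a 16-word Y_q into W_0 to W_79 with the random recurrence of step 5 under the selected OPERATOR_1, OPERATOR_2 and I, and returns the round constant K_t. The S-box and the table of F are not reproduced; Y_q is a constructed sample, and the assignment of bits 6, 7, 8 to OPERATOR_1, OPERATOR_2 and I in that order, with 0 selecting the first listed form, is an assumption.

```python
MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """<<<_n: left ring shift of a 32-bit word by n positions."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def decode_code_A(A: int) -> dict:
    """Split the 8-bit determination code of step 6. Bit 1 (the most
    significant) selects the S-box, bits 2-5 select the concrete forms of
    F_1..F_4, bits 6-8 select OPERATOR_1, OPERATOR_2 and I (assumed order)."""
    assert 0 <= A <= 0xFF
    return {
        "sbox": (A >> 7) & 1,                          # 0: first S-box, 1: second
        "F": [(A >> (6 - k)) & 1 for k in range(4)],   # forms of F_1..F_4
        "op1": (A >> 2) & 1,                           # 0: XOR, 1: complement of XOR
        "op2": (A >> 1) & 1,                           # 0: AND, 1: OR
        "I": 18 if A & 1 else 10,                      # ring-shift amount
    }


def operator1(a: int, b: int, form: int) -> int:
    """OPERATOR_1: XOR, or the bitwise complement of XOR."""
    r = a ^ b
    return r if form == 0 else (~r) & MASK32


def operator2(a: int, b: int, form: int) -> int:
    """OPERATOR_2: AND or OR (complementary to each other)."""
    return (a & b) if form == 0 else (a | b)


def message_schedule(Yq_words, code: dict) -> list:
    """W_0..W_15 are the 16 32-bit words of Y_q; for 16 <= t <= 79,
    W_t = <<<_I[(W_{t-16} OP1 W_{t-14}) OP2 (W_{t-8} OP1 W_{t-3})]."""
    assert len(Yq_words) == 16 and all(0 <= w <= MASK32 for w in Yq_words)
    W = list(Yq_words)
    for t in range(16, 80):
        left = operator1(W[t - 16], W[t - 14], code["op1"])
        right = operator1(W[t - 8], W[t - 3], code["op1"])
        W.append(rotl32(operator2(left, right, code["op2"]), code["I"]))
    return W


def round_constant(t: int) -> int:
    """K_t for iteration step t (four 20-step rounds), values as printed in the text."""
    assert 0 <= t <= 79
    return (0x51827919, 0x64D9EBA1, 0x211BBC3C, 0x6A62C1D)[t // 20]


def schedules_differ(Yq_words, A1: int, A2: int) -> int:
    """Count how many of W_16..W_79 differ between two determination codes for
    the same Y_q: the same block expands differently once A changes."""
    w1 = message_schedule(Yq_words, decode_code_A(A1))
    w2 = message_schedule(Yq_words, decode_code_A(A2))
    return sum(1 for a, b in zip(w1[16:], w2[16:]) if a != b)


# Constructed sample Y_q (16 words); not data from the patent.
SAMPLE_YQ = [(0x01234567 * (i + 1)) & MASK32 for i in range(16)]
```

Calling schedules_differ(SAMPLE_YQ, 0x00, 0x01) shows that changing only the rotation bit of A already yields a different expansion of the same block.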