Here is what happens if the hash function is not one way

Note 1
Here is what happens if the hash function is not one way. The example
shown is for a message with a secret value, and it indicates how this
secret value is cracked.
1. The attacker can intercept and obtain the message M
2. The attacker can also obtain the hash code $C = H(S_{AB} \| M)$
3. Then the attacker will invert the hash function to obtain
$S_{AB} \| M = H^{-1}(C)$
4. Since the attacker now knows both the message and message+hash, it
is trivial to discover the message.
5. Of course the above can be done only if the message is not previously
encrypted.
Note 2
Here is the reasoning behind this.
1. Suppose plaintext is sent with the encrypted hash code. When the message
is picked up, we do the following.
2. What we need to do is to get a new message that yields the same hash
code.
3. Prepare the desired altered message.
4. Then append an n-bit block that forces the new message plus the block
to yield the desired hash code.
5. This can be done because of the lossy property of the hash code or in
other words the many-to-one mapping of the hash code.
Note 3
Explanation of stages in SHA-1
Step 1: Appending padding bits
1. The message is padded so that its length is congruent to 448 modulo 512,
that is, 64 bits less than a multiple of 512. Since the message is always
padded, we note the following:
a. If the message size is exactly a multiple of 512, the padding is
512 bits.
b. For all other cases the padding is 1 to 512 bits long.
2. The padding is a single 1-bit followed by zeros.
Step 2: Appending length
1. A block of 64 bits indicating the length of the message before padding is
attached at the end.
2. Inclusion of the length makes it difficult to tamper with the message.
Step 3: Initialize MD buffer
1. A 160-bit buffer is used to hold the intermediate and final results of the
hash function.
2. It can be represented as five 32-bit registers A, B, C, D, E, which are
initialized (in hexadecimal) to A=67452301, B=EFCDAB89, C=98BADCFE,
D=10325476, E=C3D2E1F0.
Step 4: Process message in 512-bit blocks
1. This is done using the compression function which has four rounds of
processing with 20 steps each.
2. Each round uses a different function.
3. At each round the 160-bit buffer is updated with a new value. The initial
value is ABCDE.
Step 5: Output
1. After all L 512-bit blocks are processed the final output is the 160-bit
MD.
Note 4
If weak collision resistance is not guaranteed, then an attacker can use the
following sequence to forge a message:
1. Intercept a message plus its encrypted hash code.
2. Generate an unencrypted hash code from the message.
3. Find another message with the same hash code.
Tutorial Solution
6.1 a. If the IVs are kept secret, the 3-loop case has more bits to be determined
and is therefore more secure than 1-loop for brute force attacks.
b. For software implementations, the performance is equivalent for most
measurements. One-loop has two fewer XORs per block. Three-loop might benefit
from the ability to do a large set of blocks with a single key before switching.
The performance difference from choice of mode can be expected to be smaller
than the differences induced by normal variation in programming style.
For hardware implementations, three-loop is three times faster than one-loop,
because of pipelining. That is: Let $P_i$ be the stream of input plaintext blocks,
$X_i$ the output of the first DES, $Y_i$ the output of the second DES and $C_i$ the
output of the final DES and therefore the whole system's ciphertext.
In the 1-loop case, we have:
$X_i = \mathrm{DES}(\mathrm{XOR}(P_i, C_{i-1}))$
$Y_i = \mathrm{DES}(X_i)$
$C_i = \mathrm{DES}(Y_i)$
[where $C_0$ is the single IV]
If $P_1$ is presented at t=0 (where time is measured in units of DES operations), $X_1$
will be available at t=1, $Y_1$ at t=2 and $C_1$ at t=3. At t=1, the first DES is free to
do more work, but that work will be:
$X_2 = \mathrm{DES}(\mathrm{XOR}(P_2, C_1))$
but $C_1$ is not available until t=3, therefore $X_2$ cannot be available until t=4, $Y_2$ at
t=5 and $C_2$ at t=6.
In the 3-loop case, we have:
$X_i = \mathrm{DES}(\mathrm{XOR}(P_i, X_{i-1}))$
$Y_i = \mathrm{DES}(\mathrm{XOR}(X_i, Y_{i-1}))$
$C_i = \mathrm{DES}(\mathrm{XOR}(Y_i, C_{i-1}))$
[where $X_0$, $Y_0$ and $C_0$ are three independent IVs]
If $P_1$ is presented at t=0, $X_1$ is available at t=1. Both $X_2$ and $Y_1$ are available at
t=4. $X_3$, $Y_2$ and $C_1$ are available at t=3. $X_4$, $Y_3$ and $C_2$ are available at t=4.
Therefore, a new ciphertext block is produced every 1 tick, as opposed to every 3
ticks in the single-loop case. This gives the three-loop construct a throughput
three times greater than the one-loop construct.