The present invention relates, in general, to cryptography and, in particular, to block/data stream enciphering.
An n-bit hash function produces an n-bit hash value from an input of arbitrary length. An n-bit cryptographic hash function is a one-way n-bit hash function that is collision-resistant. A one-way cryptographic hash function is one that requires about 2^n hash computations to be performed before an input is found that produces a given hash value from a given hash function. Collision-resistance indicates that about 2^(n/2) hash computations must be performed before two different inputs are found that produce the same hash value. The collision-resistance factor is taken as the amount of security provided by the hash function.
Presently, the only one-way cryptographic hash function approved by the National Institute of Standards and Technology (NIST) is SHA-1 which is disclosed in Federal Information Processing Standards Publication 180-1 (FIPS PUB 180-1), entitled "Secure Hash Standard." FIPS PUB 180-1 is hereby incorporated by reference into the specification of the present invention.
SHA-1 produces a 160-bit hash value with a corresponding collision resistance of 2^(160/2), whereas MD4 and MD5 each produce a 128-bit hash value with a corresponding collision resistance of 2^(128/2).
NIST requires a one-way cryptographic hash function with 128, 192, and 256 bits of security to go along with three versions of its proposed Advanced Encryption Standard (AES). The present invention is in response to this requirement.
U.S. Pat. No. 5,606,616, entitled "CRYPTOGRAPHIC APPARATUS WITH DOUBLE FEEDFORWARD HASH FUNCTION," discloses, amongst other things, a device that uses a 64-bit DES algorithm to produce a hash value. Since the hash value is, effectively, 56 bits long, the cryptographic strength of this hash function is no more than 2^(56/2). This hash function is not adequate for use with AES and does not disclose the one-way cryptographic hash function of the present invention. U.S. Pat. No. 5,606,616 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 5,892,829, entitled "METHOD AND APPARATUS FOR GENERATING SECURE HASH FUNCTIONS," discloses a device for and a method of dividing a string to be hashed into a number of blocks and hashing each block along with another value using an existing hash algorithm such as MD4, MD5, SHA-1, or DES. U.S. Pat. No. 5,892,829 provides no more security than the hash function employed therein, none of which are suitable for use in AES. Furthermore, U.S. Pat. No. 5,892,829 does not disclose the one-way cryptographic hash function of the present invention. U.S. Pat. No. 5,892,829 is hereby incorporated by reference into the specification of the present invention.
U.S. Pat. No. 6,021,201, entitled "METHOD AND APPARATUS FOR INTEGRATED CIPHERING AND HASHING," discloses a device for and method of performing ciphering and hashing in parallel instead of in series. However, U.S. Pat. No. 6,021,201 uses existing hash functions for its hash function such as MD5 and SHA (now known as SHA-1) and does not disclose a new hash function as does the present invention. U.S. Pat. No. 6,021,201 is hereby incorporated by reference into the specification of the present invention.
It is an object of the present invention to hash a value in a one-way cryptographic manner.
It is another object of the present invention to hash a value in a manner that meets the security requirements of AES and is more secure than MD5 and SHA-1.
The present invention is a method of generating a hash value, or message digest, for a message. The first step is padding the message for which a hash value is desired so that the padded message has a bit length of 512m, where m is a user-definable positive integer. If m=1, the hash value generated is 256 bits. If m=2, the hash value is 512 bits.
The second step of the method is parsing the result of the first step into sixteen 32m-bit blocks Mi.
The third step of the method is generating j values Wj from the parsed message of the second step.
The fourth step of the method is initializing eight blocks a, b, c, d, e, f, g, and h with user-definable values H1, H2, H3, H4, H5, H6, H7, and H8, respectively, where H1-H8 collectively represent the initial value for the hash value.
The fifth step of the method is converting the contents of a, b, c, d, e, f, g, and h.
The sixth step of the method is computing values that make up the hash value.
The seventh, and last, step of the method is either accepting a portion of the contents of H1(j)-H8(j) as the hash value of the message or returning to the fifth step for another step of the second shift register.
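The seven steps above, carried out for the case m=1 (512-bit padded blocks, 32-bit words, 256-bit hash value), as an added worked example that is not code from the patent. The step structure (padding, parsing into sixteen 32m-bit blocks, message schedule Wj, eight working variables a-h loaded from H1-H8, compression, accumulation into H1(j)-H8(j)) follows the description on this page; the concrete rotation amounts, round constants K, and initial values H1-H8 are not given on this page and are taken from SHA-256 as published in FIPS 180-2, whose structure this description matches. The m=2 case (64-bit words, 512-bit hash value, corresponding to SHA-512) uses different constants and is not shown. The helper `matches_reference` cross-checks the result against the standard library's SHA-256.

```python
# Added example: the patent's seven-step hashing procedure for m = 1.
# Assumption: rotation amounts, round constants and initial values are the
# SHA-256 values from FIPS 180-2; the page itself does not state them.
import hashlib
import struct

MASK32 = 0xFFFFFFFF

# Round constants K (assumed SHA-256 values, not given on the page).
K = [
    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
]
# Initial value H1..H8 (assumed SHA-256 values).
H_INIT = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
          0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]


def rotr(x, n):
    """Rotate a 32-bit word right by n bits."""
    return ((x >> n) | (x << (32 - n))) & MASK32


# The six function blocks named in the device description (SHA-256 definitions assumed).
def big_sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)
def big_sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def small_sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)
def small_sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def ch(x, y, z): return ((x & y) ^ (~x & z)) & MASK32
def maj(x, y, z): return (x & y) ^ (x & z) ^ (y & z)


def pad_message(msg: bytes) -> bytes:
    """Step 1: pad so the bit length is a multiple of 512 (m = 1).
    A single 1 bit, then zeros, then the original bit length as a 64-bit big-endian integer."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def parse_blocks(padded: bytes):
    """Step 2: split into 512-bit chunks, each parsed into sixteen 32-bit blocks Mi."""
    for off in range(0, len(padded), 64):
        yield list(struct.unpack(">16L", padded[off:off + 64]))


def message_schedule(m_words):
    """Step 3: expand the sixteen Mi into 64 values Wj using mod 2^32 adders."""
    w = list(m_words)
    for j in range(16, 64):
        w.append((small_sigma1(w[j - 2]) + w[j - 7] + small_sigma0(w[j - 15]) + w[j - 16]) & MASK32)
    return w


def compress(h, w):
    """Steps 4-6: load a..h from H1..H8, run 64 steps of the second shift
    register, then accumulate a..h into the running hash value."""
    a, b, c, d, e, f, g, hh = h
    for j in range(64):
        t1 = (hh + big_sigma1(e) + ch(e, f, g) + K[j] + w[j]) & MASK32
        t2 = (big_sigma0(a) + maj(a, b, c)) & MASK32
        hh, g, f, e = g, f, e, (d + t1) & MASK32   # shift the register one step
        d, c, b, a = c, b, a, (t1 + t2) & MASK32
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]


def hash256(msg: bytes) -> str:
    """Step 7: repeat steps 5-6 for every block; the final H1..H8 is the 256-bit hash value."""
    h = list(H_INIT)
    for words in parse_blocks(pad_message(msg)):
        h = compress(h, message_schedule(words))
    return "".join(f"{x:08x}" for x in h)


def matches_reference(msg: bytes) -> bool:
    """Cross-check against the standard library's SHA-256 (FIPS 180-2)."""
    return hash256(msg) == hashlib.sha256(msg).hexdigest()


if __name__ == "__main__":
    print(hash256(b"abc"), matches_reference(b"abc"))
```

Because the padding appends the message length, any input whose padded length is not a multiple of 64 bytes is a bug in step 1, which the cross-check against `hashlib` exposes immediately; it is also why a correct implementation produces the same hash value for a message whether it is fed in one piece or spread over several blocks.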
The device of the present invention includes a user-definable number of registers, a first mod 2^n adder, a first nonlinear function block, a second nonlinear function block, a first shift function block, a second shift function block, a second mod 2^n adder, a third mod 2^n adder, a fourth mod 2^n adder, a fifth mod 2^n adder, a sixth mod 2^n adder, and an accumulator.
The device may also include a message-scheduler device that includes a user-definable number of registers, a third shift function block, a fourth shift function block, a seventh mod 2^n adder, an eighth mod 2^n adder, and a ninth mod 2^n adder.
The device of the present invention includes n 32m-bit blocks as a first shift register; a first function block σ0(x); a second function block σ1(x); a first logic block; a second logic block; a third logic block; a fourth logic block; p 32m-bit blocks connected as a second shift register; an accumulator; a third function block Σ0(x); a fourth function block Σ1(x); a fifth function block Maj(x); a sixth function block Ch(x); a sixth logic block; a seventh logic block; an eighth logic block; and a ninth logic block.