1 / 26

GROESTL HASH FUNCTION

GROESTL HASH FUNCTION. Presented by : Kouajiep Ngongang Landry/ Student ID: 6912095 /email: kanel_landry@yahoo.fr Madhu / Student ID: 9793569/ email:m_gongat@encs.concordia.ca Esaq Ahmed/ Student ID: 9702849 /email: daybright2003@gmail.com

yaphet
Download Presentation

GROESTL HASH FUNCTION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. GROESTL HASHFUNCTION Presented by : KouajiepNgongang Landry/ Student ID: 6912095 /email: kanel_landry@yahoo.fr Madhu / Student ID: 9793569/email:m_gongat@encs.concordia.ca Esaq Ahmed/ Student ID: 9702849 /email:daybright2003@gmail.com Version 1.1 – made for the INSE 6110 course project Concordia University Institute of Information Systems Engineering Montreal, Canada November 2010 {Candidate to the AES competition for the SHA-3 standard }

  2. { { Encrytion method Infobox (Header) |name=Groestl (General) |designers=Soren Steffen Thomsen, Martin Schlaffer Christian Rechberger Florian Mendel KrystianMatusiewice Lars R. Knudsen Praveen Gauravaram | publish date = July 2009 | series= SHA-3 candidate | derived from = AES | related to = AES (via the permutation and the S-BOX) | certification= second round candidate of the SHA-3 competition } }

  3. 1 Message M to hash M 2 f f f Groestl(M) F := compression function := truncation function NOTE: Before we go ahead, remember that Groestl operates on bytes.So we will use the byte notation

  4. Groestl:High Level description Message= M, /*initialization of message blocks and the initial value*/ int l; /*message block length*/ If is_multiple_of_l(sizeof(M)) continue; else M=pad(M); block m[t]=Divide(M) block IV block h1=f(m[1],IV) /*computing Groestl(M)*/ for r = 2 to t hr=f(m[r],hr-1) Endfor Groestl(M)=(ht)

  5. Detailed view of Groestl Hash function

  6. CONTENTS A - Design of A - 1 Design of and A - 2 The four transformations of and A - 2.1 AddRound Constant_ A - 2.2 SubBytes A - 2.3 ShiftBytes/ShiftBytesWide A - 2.4 MixBytes B - Design of C - Padding

  7. A - Design of Built from 2 different fixed permutations P and Q, Iterated t times , where t is the number of block messages The original message M is divided into blocks of equal size , depending on the digest size we want (cf. Fig. 3 for details) Fig.1 : Detailed view of the Groestl compression part

  8. comes into 2 variants: -one is used for short messages digest and indexed 512 -one is used for long messages digest and indexed 1024 Each variant uses its own pair of permutations P and Q: (, ) for short (, ) for long Fig.2.a : Permutations-Block length-state size dependency Digest size 224 00 ... 00 00 e0 256 00 ... 00 01 00 384 00 ... 00 01 80 512 00 ... 00 02 00 Fig.2.b : Digest size-initial value dependency

  9. Groestl - compression function f : High Level description State = X ChainingInput=Y Q(X) Z = XY P(Z) U=Q(X)Y f(X,Y) = P(Z)U

  10. INPUT (Round1) Chaining input(initial value ) message block (initial state in ) -------------------------------- (initial state in )

  11. A - 1 Design of and - based on iterations depending on the digest size Fig.3 : Permutations-Digest size-Number of rounds dependency For each permutation and , we have the following round transformations + AddRound Constant + SubBytes + ShiftBytes (for 8*8 bytes array )/ShiftBytesWide (for 8*16 bytes array) + Mixbytes

  12. A - 2 The four transformations of and Fig. 4: Transformations of and

  13. A - 2.1 AddRoundConstant__________________________________________ • ← ⊕ • adds(exclusive-OR) a round-dependent constantto the state , where is the actual round of the permutation • is reduced modulo 256, if necessary • is specific to the permutations (for P and for Q) • All round constants bytes are zero except for a single position. L and

  14. So, in the round 1 of the transformation of , we will have: = our actual state

  15. A - 2.2 SubBytes____________________________________________________ • substitutes each byte in the state matrix by another value, taken • from the s-box S • ← , depending on the state size 2d (2d)=d8 Groestl s-box

  16. Thus, in this round 1, the SubBytesapplies to our state gives us: = our actual state

  17. A - 2.3 ShiftBytes/ShiftBytesWide_________________________________________ • each row of the block is cyclically shifted positions to the left , • for 8*8 blocks, ={0,1,2,3,4,5,6,7} • for 8*16 blocks, ={0,1,2,3,4,6,11} Hence, Row 0 cyclically shifted (0) position to the left Row 1 cyclically shifted (1) position to the left Row 2 cyclically shifted (2) positions to the left Row 3 cyclically shifted (3) positions to the left Row 4 cyclically shifted (4) positions to the left Row 5 cyclically shifted (5) positions to the left Row 6 cyclically shifted (6) positions to the left Row 7 cyclically shifted (7) positions to the left Likewise for 8*16 blocks; but now, as indicated in above, =11 instead of 7 as in 8*8 blocks

  18. A - 2.4 MixBytes______________________________________________________ • multiplies(modulo multiplication) each column of the current state by a constant 8 × 8 matrix B in ,the Rijndael’s Galois field • state← B × state • The matrix B is defined by: circ(02, 02, 03, 04, 05, 03, 05, 07) matrix B

  19. In this field, the multiplication is not the standard one.It’s a bit more complicated. We reduce the factors to polynomial and to do the multiplication mod 02 d4 Step 1: the polynomial are retrieved according to the decimal represensation d4= 1110 0100 d4 = 02= 0000 0010 02 = 7 6 5 4 3 2 1 0 binary position : Step 2: we do the multiplication mod 02 d4 = [().()] mod = mod = 111001000 mod 100011011 = 11010011 (done through long division using binary notation) = d3

  20. Groestl– permutations P and Q : High Level description State = S for i = 1 to Nr AddRoundConstant(State,CP[i] ) /*respectively AddRoundConstant(State,CQ[i] )*/ SubBytes(State, S-box) ShiftByte(State)or ShiftByteWide(State) MixBytes(State,B) Endfor P(S) = State /* respectively Q(S) = State */

  21. Number of round Nr=10 Short messages digest: () Groestl long messages digest: () • Number of round Nr=14 Groestl variants configuration

  22. B - Design of compute ⊕ and then truncates the output by returning only the last n bits Groestl(M) x 256_trunc(x)

  23. Groestl - truncation function : High Level description State = G n=digest size H=P(State) State=n_trunc(H) finalState=State

  24. C - Padding able to operate on inputs of varying length, a padding function pad is defined takes a string x of length N bits and returns a padded string x∗ = pad(x) of a length which is a multiple of . How?If x= (a1, a2,………,an,0010 00) a 495-bits message (the ai’s are in byte) 1-appends the bit ‘1’ to x x=(a1,a2,………,an,0010 001) 2- appends w = −N − 65 mod ‘0’ bits w= - 495 - 65 mod 512 = 464 so, x= (a1,a2,……….,an,0100 0010,0000 0000,……….,0000 000 ) 3- appends a 64-bit representation of p=(N + w + 65)/ p=(495+464+65)/512 = 2 This number p is an integer due to the choice of w, and it represents the number of message blocks in the final, padded message 464 ‘0’bits

  25. x 2 1 pad(x) 3

  26. Thank You…

More Related