MASH-1 explained

For a cryptographic hash function (a mathematical algorithm), a MASH-1 (Modular Arithmetic Secure Hash) is a hash function based on modular arithmetic.

History

Despite many proposals, few hash functions based on modular arithmetic have withstood attack, and most that have tend to be relatively inefficient. MASH-1 evolved from a long line of related proposals successively broken and repaired.

Standard

Committee Draft ISO/IEC 10118-4 (Nov 95)

Description

MASH-1 involves use of an RSA-like modulus

, whose bitlength affects the security.

is a product of two prime numbers and should be difficult to factor, and for

of unknown factorization, the security is based in part on the difficulty of extracting modular roots.

Let

be the length of a message block in bit.

is chosen to have a binary representation a few bits longer than

, typically

L<|N|\leqL+16

The message is padded by appending the message length and is separated into blocks

D_1, … ,D_q

of length

L/2

. From each of these blocks

D_i

, an enlarged block

B_i

of length

is created by placing four bits from

D_i

in the lower half of each byte and four bits of value 1 in the higher half. These blocks are processed iteratively by a compression function:

H₀=IV

H_i=f(B_i,H_i-1)=((((B_i ⊕ H_i-1)\veeE)^e\bmodN)\bmod2^L) ⊕ H_i-1; i=1, … ,q

Where

E=15 ⋅ 2^L-4

and

e=2

\vee

denotes the bitwise OR and

⊕

the bitwise XOR.

From

H_q

are now calculated more data blocks

D_q+1, … ,D_q+8

by linear operations (where

denotes concatenation):

H_q=Y₁\|Y₃\|Y₀\|Y_2; |Y_i|=L/4

Y_i=Y_i-1 ⊕ Y_i-4; i=4, … ,15

D_q+i=Y_2i-2\|Y_2i-1; i=1, … ,8

These data blocks are now enlarged to

B_q+1, … ,B_q+8

like above, and with these the compression process continues with eight more steps:

H_i=f(B_i,H_i-1); i=q+1, … ,q+8

Finally the hash value is

H_q+8\bmodp

, where

is a prime number with

7 ⋅ 2^L/2-3<p<2^L/2

.^[1]

MASH-2

There is a newer version of the algorithm called MASH-2 with a different exponent. The original

e=2

is replaced by

e=2⁸⁺¹

. This is the only difference between these versions.

References

A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography,

Notes and References

https://eprint.iacr.org/2013/589.pdf Smashing MASH-1, Vladimir Antipkin