Solid-state nuclear magnetic resonance: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>ZéroBot
m r2.7.1) (Robot: Adding ja:固体核磁気共鳴
 
Line 1: Line 1:
Hi there! :) My name is Jerilyn, I'm a student studying Modern Languages from Dandaleith, United Kingdom.<br><br>Also visit my blog; FIFA 15 coin hack ([http://www.hunkaryemekcim.com/secure/index.php/sutculer/ziyaretci-defteri?35%FFFifa+14+game+hack%FFexternal+nofollow%FFThe+Sims+4+Crack+Download%FFnofollow%FFThe+Sims+4+Crack+Download%FFnofollow please click the up coming website page])
{{about|a cryptographic authentication code|the athletic organization|Upper Midwest Athletic Conference}}
In [[cryptography]], a '''message authentication code based on universal hashing''', or '''UMAC''', is a type of [[message authentication code]] (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used.  As with any MAC, it may be used to simultaneously verify both the ''[[data integrity]]'' and the ''authenticity'' of a [[message]].  UMAC is specified in RFC 4418, it has provable cryptographic strength and is usually a lot less computationally intensive than other MACs.
 
==Universal hashing==
Let's say the hash function is chosen from a class of hash functions H, which maps messages into D, the set of possible message digests. This class is called [[Universal hashing|universal]] if, for any distinct pair of messages, there are at most |H|/|D| functions that map them to the same member of D.
 
This means that if an attacker wants to replace one message with another and, from his point of view the hash function was chosen completely randomly, the probability that the UMAC will not detect his modification is at most 1/|D|.
 
But this definition is not strong enough &mdash; if the possible messages are 0 and 1, D={0,1} and H consists of the identity operation and ''not'', H is universal. But even if the digest is encrypted by modular addition, the attacker can change the message and the digest at the same time and the receiver wouldn't know the difference.
 
==Strongly universal hashing==
A class of hash functions H that is good to use will make it difficult for an attacker to guess the correct digest ''d'' of a fake message ''f'' after intercepting one message ''a'' with digest ''c''. In other words
 
:<math>\Pr_{h \in H}[h(f)=d|h(a)=c]\,</math>
 
needs to be very small, preferably 1/|''D''|.
<!-- Say the combination of the hash function and the encryption function is chosen from a class M.
We must require that for any two distinct messages ''a'' and ''b'' and two (possibly equal) digests ''c'' and ''d'', the number of members of M that map ''a'' to ''c'' and ''b'' to ''d'' must of the order |M|/|D|. -->
 
It is easy to construct a class of hash functions when ''D'' is [[Finite field|field]]. For example if |''D''| is [[Prime number|prime]], all the operations are taken [[modular arithmetic|modulo]] |''D''|. The message ''a'' is then encoded as an ''n''-dimensional vector over ''D'' (''a''<sub>1</sub>, ''a''<sub>2</sub>, ..., ''a''<sub>''n''</sub>).  ''H'' then has |''D''|<sup>''n''+1</sup> members, each corresponding to an (''n''&nbsp;+&nbsp;1)-dimensional vector over ''D'' (''h''<sub>0</sub>, ''h''<sub>1</sub>, ..., ''h''<sub>''n''</sub>). If we let
 
: <math>h(a)=h_0+\sum_{i=1}^n h_ia_i\,</math>
 
we can use the rules of probabilities and combinatorics to prove that
 
:<math>\Pr_{h \in H}[h(f)=d|h(a)=c]={1 \over |D|}</math>
 
If we properly encrypt all the digests (e.g. with a [[one-time pad]]), an attacker cannot learn anything from them and the same hash function can be used for all communication between the two parties. This may not be true for [[Block cipher mode of operation|ECB]] encryption because it may be quite likely that two messages produce the same hash value. Then some kind of [[initialization vector]] should be used, which is often called the [[cryptographic nonce|nonce]]. It has become common practice to set ''h''<sub>0</sub> = ''f''(nonce), where ''f'' is also secret.
 
Notice that having massive amounts of computer power does not help the attacker at all. If the recipient limits the amount of forgeries it accepts (by sleeping whenever it detects one), |''D''| can be 2<sup>32</sup> or smaller.
 
==Example==
The following [[C (programming language)|C]] function generates a 24 bit UMAC. It assumes that <code>secret</code> is a multiple of 24 bits, <code>msg</code> is not longer than <code>secret</code> and <code>result</code> already contains the 24 secret bits e.g. f(nonce). nonce does not need to be contained in <code>msg</code>.
 
<source lang="c">
  #define uchar unsigned char
 
  void UHash24 (uchar *msg, uchar *secret, int len, uchar *result)
  {
    uchar r1 = 0, r2 = 0, r3 = 0, s1, s2, s3, byteCnt = 0, bitCnt, byte;
   
    while (len-- > 0) {   
      if (byteCnt-- == 0) {
        s1 = *secret++;
        s2 = *secret++;
        s3 = *secret++;
        byteCnt = 2; 
      }           
      byte = *msg++;
      for (bitCnt = 0; bitCnt < 8; bitCnt++) {
        if (byte & 1) { /* msg not divisible by x */
          r1 ^= s1; /* so add s * 1 */                               
          r2 ^= s2;
          r3 ^= s3;       
        }
        byte >>= 1; /* divide message by x */
        if (s3 & 0x80) { /* and multiply secret with x, subtracting
            the polynomial when necessary to keep its order under 24 */
          s3 <<= 1;
          if (s2 & 0x80) s3 |= 1;
          s2 <<= 1;
          if (s1 & 0x80) s2 |= 1;
          s1 <<= 1;
       
          s1 ^= 0x1B; /* x^24 + x^4 + x^3 + x + 1 */
        }
        else {
          s3 <<= 1;
          if (s2 & 0x80) s3 |= 1;
          s2 <<= 1;
          if (s1 & 0x80) s2 |= 1;
          s1 <<= 1;
        }
      } /* for each bit in the message */
    } /* for each byte in the message */
    *result++ ^= r1;
    *result++ ^= r2;
    *result++ ^= r3;
  }
</source>
 
==See also==
* [[Poly1305-AES]] is another fast MAC based on strongly universal hashing and [[Advanced Encryption Standard|AES]].
 
==References==
* [http://fastcrypto.org/umac/ UMAC] has been approved by the [[IETF]] as an informational RFC. It's fast and based on [[Advanced Encryption Standard|AES]].
* [http://tools.ietf.org/html/draft-miller-secsh-umac-01 A draft specification] to use UMAC in the [[Secure Shell|SSH]] protocols has been implemented by [[OpenSSH]].
 
{{Cryptography navbox | hash}}
 
[[Category:Message authentication codes]]

Revision as of 17:11, 15 August 2013

29 yr old Orthopaedic Surgeon Grippo from Saint-Paul, spends time with interests including model railways, top property developers in singapore developers in singapore and dolls. Finished a cruise ship experience that included passing by Runic Stones and Church. In cryptography, a message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. The resulting digest or fingerprint is then encrypted to hide the identity of the hash function used. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message. UMAC is specified in RFC 4418, it has provable cryptographic strength and is usually a lot less computationally intensive than other MACs.

Universal hashing

Let's say the hash function is chosen from a class of hash functions H, which maps messages into D, the set of possible message digests. This class is called universal if, for any distinct pair of messages, there are at most |H|/|D| functions that map them to the same member of D.

This means that if an attacker wants to replace one message with another and, from his point of view the hash function was chosen completely randomly, the probability that the UMAC will not detect his modification is at most 1/|D|.

But this definition is not strong enough — if the possible messages are 0 and 1, D={0,1} and H consists of the identity operation and not, H is universal. But even if the digest is encrypted by modular addition, the attacker can change the message and the digest at the same time and the receiver wouldn't know the difference.

Strongly universal hashing

A class of hash functions H that is good to use will make it difficult for an attacker to guess the correct digest d of a fake message f after intercepting one message a with digest c. In other words

PrhH[h(f)=d|h(a)=c]

needs to be very small, preferably 1/|D|.

It is easy to construct a class of hash functions when D is field. For example if |D| is prime, all the operations are taken modulo |D|. The message a is then encoded as an n-dimensional vector over D (a1, a2, ..., an). H then has |D|n+1 members, each corresponding to an (n + 1)-dimensional vector over D (h0, h1, ..., hn). If we let

h(a)=h0+i=1nhiai

we can use the rules of probabilities and combinatorics to prove that

PrhH[h(f)=d|h(a)=c]=1|D|

If we properly encrypt all the digests (e.g. with a one-time pad), an attacker cannot learn anything from them and the same hash function can be used for all communication between the two parties. This may not be true for ECB encryption because it may be quite likely that two messages produce the same hash value. Then some kind of initialization vector should be used, which is often called the nonce. It has become common practice to set h0 = f(nonce), where f is also secret.

Notice that having massive amounts of computer power does not help the attacker at all. If the recipient limits the amount of forgeries it accepts (by sleeping whenever it detects one), |D| can be 232 or smaller.

Example

The following C function generates a 24 bit UMAC. It assumes that secret is a multiple of 24 bits, msg is not longer than secret and result already contains the 24 secret bits e.g. f(nonce). nonce does not need to be contained in msg.

  #define uchar unsigned char
  
  void UHash24 (uchar *msg, uchar *secret, int len, uchar *result)
  {
    uchar r1 = 0, r2 = 0, r3 = 0, s1, s2, s3, byteCnt = 0, bitCnt, byte;
     
    while (len-- > 0) {    
      if (byteCnt-- == 0) {
        s1 = *secret++;
        s2 = *secret++;
        s3 = *secret++;
        byteCnt = 2;   
      }             
      byte = *msg++;
      for (bitCnt = 0; bitCnt < 8; bitCnt++) {
        if (byte & 1) { /* msg not divisible by x */
          r1 ^= s1; /* so add s * 1 */                                 
          r2 ^= s2;
          r3 ^= s3;        
        }
        byte >>= 1; /* divide message by x */
        if (s3 & 0x80) { /* and multiply secret with x, subtracting
            the polynomial when necessary to keep its order under 24 */
          s3 <<= 1;
          if (s2 & 0x80) s3 |= 1;
          s2 <<= 1;
          if (s1 & 0x80) s2 |= 1;
          s1 <<= 1;
        
          s1 ^= 0x1B; /* x^24 + x^4 + x^3 + x + 1 */
        }
        else {
          s3 <<= 1;
          if (s2 & 0x80) s3 |= 1;
          s2 <<= 1;
          if (s1 & 0x80) s2 |= 1;
          s1 <<= 1;
        }
      } /* for each bit in the message */
    } /* for each byte in the message */ 
    *result++ ^= r1;
    *result++ ^= r2;
    *result++ ^= r3;
  }

See also

  • Poly1305-AES is another fast MAC based on strongly universal hashing and AES.

References

Template:Cryptography navbox