MASH-1

Despite many proposals, few hash functions based on modular arithmetic have withstood attack, and most that have tend to be relatively inefficient. MASH-1 evolved from a long line of related proposals successively broken and repaired.

Committee Draft ISO/IEC 10118-4 (Nov 95)

MASH-1 involves use of an RSA-like modulus $N$, whose bitlength affects the security. $N$ is a product of two prime numbers and should be difficult to factor, and for $N$ of unknown factorization, the security is based in part on the difficulty of extracting modular roots.

Let $L$ be the length of a message block in bit. $N$ is chosen to have a binary representation a few bits longer than $L$, typically .

The message is padded by appending the message length and is separated into blocks $D\_1,\; \backslash cdots,\; D\_q$ of length $L/2$. From each of these blocks $D\_i$, an enlarged block $B\_i$ of length $L$ is created by placing four bits from $D\_i$ in the lower half of each byte and four bits of value 1 in the higher half. These blocks are processed iteratively by a compression function:

:$H\_0\; =\; IV$

:$H\_i\; =\; f(B\_i,\; H\_\{i-1\})\; =\; ((((B\_i\; \backslash oplus\; H\_\{i-1\})\; \backslash vee\; E)^e\; \backslash bmod\; N)\; \backslash bmod\; 2^L)\; \backslash oplus\; H\_\{i-1\};\; \backslash quad\; i=1,\backslash cdots,q$

Where $E=15\; \backslash cdot\; 2^\{L-4\}$ and $e=2$. $\backslash vee$ denotes the bitwise OR and $\backslash oplus$ the bitwise XOR.

From $H\_q$ are now calculated more data blocks $D\_\{q+1\},\backslash cdots,D\_\{q+8\}$ by linear operations (where $\backslash |$ denotes concatenation):

:$H\_q\; =\; Y\_1\; \backslash ,\backslash |\backslash ,\; Y\_3\; \backslash ,\backslash |\backslash ,\; Y\_0\; \backslash ,\backslash |\backslash ,\; Y\_2;\; \backslash quad\; |Y\_i|\; =\; L/4$

:$Y\_i\; =\; Y\_\{i-1\}\; \backslash oplus\; Y\_\{i-4\};\; \backslash quad\; i=4,\backslash cdots,15$

:$D\_\{q+i\}\; =\; Y\_\{2i-2\}\; \backslash ,\backslash |\backslash ,\; Y\_\{2i-1\};\; \backslash quad\; i=1,\backslash cdots,8$

These data blocks are now enlarged to $B\_\{q+1\},\backslash cdots,B\_\{q+8\}$ like above, and with these the compression process continues with eight more steps:

:$H\_i\; =\; f(B\_i,\; H\_\{i-1\});\; \backslash quad\; i=q+1,\backslash cdots,q+8$

Finally the hash value is $H\_\{q+8\}\; \backslash bmod\; p$, where $p$ is a prime number with .[https://eprint.iacr.org/2013/589.pdf Smashing MASH-1, Vladimir Antipkin]

There is a newer version of the algorithm called MASH-2 with a different exponent. The original $e=2$ is replaced by $e=2^8+1$. This is the only difference between these versions.

{{Reflist}}

• A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, {{ISBN|0-8493-8523-7}}

{{cryptography navbox|hash}}

Category:Cryptographic hash functions