We provide a utility program, md6sum, that is similar to the traditional md5sum in functionality, but which is augmented for our experimental and development purposes. This section describes its usage.
The basic command-line format for md6sum is: md6sum [OPTIONS] file1 file2 ...
The option letters are case-sensitive and are processed in order.
With no options, the files are each hashed. For each file, a summary line is printed giving the hash value in hex and the file name. The defaults are: digest size d is 256 bits, mode parameter L is 64, and key is nil (zero-length key). An initial date/time line is also printed (on a “comment line” starting with “--”).
CHAPTER 8. APPLICATIONS AND COMPATIBILITY 177
The “b” and “B” options provide the ability to process a standard dummy file of a specified length. The “b” option specifies the desired length in bits, while the “B” specifies the desired length in bytes. The dummy file is an initial prefix of the specified length of the infinite hexadecimal sequence:
11 22 33 44 55 66 77 11 22 33 44 55 66 77 11 22 ...
The length may be given in decimal or in scientific notation. Thus the following two commands are equivalent, and ask for the hash of a standard one-gigabyte dummy file:
md6sum -B1000000000 md6sum -B1e9
The “b” and “B” options are useful for getting MD6 timing estimates, as they do not involve disk I/O overhead.
The “M” option is used to specify a message directly on the command line, as in:
md6sum -Mabc
which prints the hash of the message string “abc”. (If the message contains blanks, the message parameter should be quoted, as in md6sum "-Ma b c" .)
If file is ‘-’, or if no files are given, standard input is used.
The “d”, “r”, “L”, and “K” options are used to set MD6 parameters to non- default values. The defaults are a digest size of d = 256 bits, a number of rounds r = 40 + (d/4), a mode parameters L = 64, and an empty key K = nil. For example, the command
md6sum -d512 -Ksecret -r200 -L0 file1 file2
produces 512-bit hash values for files file1 and file2 computed using r = 200 rounds in sequential mode (L = 0) with a key K =“secret”. The “d” and “K” options reset r to its default value for that digest size and key length, so if the “r” option is also given, it should follow any “d” and “K” options.
There are two options for performing timing measurements on MD6: “t” and “s”.
The “t” option turns on the printing of timing information for each file (or dummy file) processed. The following information is printed for each file: length of the input file, the number of compression calls made, the elapsed time in seconds, the total number of clock ticks, the number of clock ticks per byte, and the number of clock ticks per compression function call. For example, the call
md6sum -t -B1e9
produces timing information for producing the MD6 hash of a standard one- gigabyte dummy file.
The “s” operation times the MD6 setup operation. Specifically, the option -snnn produces the time to perform nnn setup operations. For example,
md6sum -s1000000
measures the time to do one million MD6 initializations. The time is given both in clock ticks and in seconds.
Timing is measured in a straightforward way using the CPU’s RDTSC in- struction; no special effort is made to account for variability in the timing that might be caused by extraneous system effects. (Our experience suggests that these effects are not large when MD6 is applied to a large test input generated with the -b or -B options, on an otherwise idle machine.)
The “i” and “I” options cause intermediate values in the MD6 computation to be printed. The “i” option causes the input and output for each compression function call to printed in a pretty format. For example,
md6sum -i -Mabc
causes the compression function input/output to be printed for the single com- pression function call required to hash the message “abc”. That is, the array values A[0..n − 1] (input) and A[rc + n − c..rc + n − 1] (output) will be printed, one word per line. The “I” option is similar, but also prints out the interme- diate values for each MD6 compression function call. That is, the entire array A[0..rc + n − 1] will be printed. As an example, the call
md6sum -I -B20
will print out all intermediate values for the single compression call required to hash the standard twenty-byte dummy file.
The md6sum program can also be used with the “c” to check to see if a hash value for any of the given files has changed. If one saves the md6sum output, as in:
md6sum -d512 -L0 file1 file2 file3 >filehashes
(shown here with 512-bit hash values computed in sequential L = 0 mode) then a later call of the form:
md6sum -c filehashes
will check to see if any of the files now have hash values different than that recorded in the file filehashes. Any file whose hash value has changed will have its name printed out. (Comment lines in the saved file, such as the date/time line, are ignored.)
Chapter 9
Variations and Flexibility
The MD6 design exhibits great flexibility. It is easy to create “variant” designs by changing the word size, the size of a chunk, the key size, the size of Q, the number of rounds, etc.
9.1
Naming
We extend here the simple naming scheme given in Section 2.2.7.
If the other parameters keylen, L, or r are to receive non-default values, they can be given following the name, separated by hyphens, in the order keylen, L, r, with each parameter name followed immediately by its value (but using k to stand for keylen) as in the following examples:
MD6-256-L0 (sequential mode of operation)
MD6-256-r64 (64 rounds)
MD6-160-L0-r64 (sequential and 64 rounds)
MD6-384-k8-r64 (8 key bytes and 64 rounds)
MD6-512-k33-L2-r192 (33 key bytes, height bound 2, and 192 rounds) In the last example, the key length is specified as 33 bytes; the key itself would
be provided separately. Unspecified options receive their default values. In fully-specified notation, the standard versions of MD6 are:
MD6-224-k0-L64-r80 (224-bit digest, no key, tree-based, 80 rounds) MD6-256-k0-L64-r104 (256-bit digest, no key, tree-based, 104 rounds) MD6-384-k0-L64-r136 (384-bit digest, no key, tree-based, 136 rounds) MD6-512-k0-L64-r168 (512-bit digest, no key, tree-based, 168 rounds) But these default versions are also named MD6-224, MD6-256, MD6-384, and
MD6-512.