4

What does "congruent to 448, modulo 512" mean within the MD5 hash specifications?

From the specification:

The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
Aamir
  • 73
  • 1
  • 5

1 Answers1

6

When we talk about a number $x$ being "congruent to 448 modulo 512", what we mean is that $x$ modulo 512 and 448 modulo 512 is the same number; since 448 is less than 512, this is equivalent to $x \bmod 512 = 448$

So, how the padding in MD5 works is "first you append a 1 bit (this part isn't mentioned in the above quote, but it's a necessary step), and then you keep on appending 0 bits until the total length of the message (mod 512) is exactly 448 (and then you append the 64 bit length of the unpadded message, in little endian order).

And, if you are only in hashing messages that are integral number of bytes (e.g. you don't care about the hash of a 123 bit message), then the equivalent procedure is "append an 0x80 byte, then then keep on appending 0x00 bytes until the total length of the message in bytes mod 64) is exactly 56 (and then you append the 8 byte length of the unpadded message).

Note that, in both cases, if the message after appending the 1 bit/0x80 byte is exactly 448/56, then you don't append any 0 bits/bytes.

Also, the SHA-1 and SHA-256 hash both use the same padding method (except that the byte length is in bigendian order)

poncho
  • 147,019
  • 11
  • 229
  • 360
  • ... which makes it doubly annoying that SHA-3 is all little endian again instead of network byte order. I generally call this padding "bit padding", I'm not sure if there is a more formal name (outside ISO 9797 padding method 2, which doesn't roll easily off the tongue). Colleagues sometimes call it ISO padding, but that's definitely not a good name. – Maarten Bodewes Nov 12 '16 at 11:39
  • @MaartenBodewes Don't you like it when you have a big-endian protocol embedded inside a little-endian protocol itself embedded into another big-endian protocol? :) – Thomas Nov 12 '16 at 12:17
  • In the middle paragraph, I think you mean an integer number of bytes. Surely padding by a 0x80 and zeroes works with data of an odd number of bytes too. – ilkkachu Nov 12 '16 at 13:31
  • @ilkkachu: your correct, an "even number of bytes" is a bit ambiguous (does it mean a set of bits that fit into an integral number of bytes exactly, or does it mean 2, 4, 6, 8, etc bytes), and I did worry about it when writing it (but I couldn't think of anything which was unambiguous, but still clear). I updated the text with your suggestion. – poncho Nov 12 '16 at 19:15