[146569] in cryptography@c2.net mail archive
Re: [Cryptography] Hashes into Ciphers (was Re: FIPS,
daemon@ATHENA.MIT.EDU (Stephan Neuhaus)
Wed Sep 4 18:39:21 2013
Date: Wed, 04 Sep 2013 20:40:13 +0200
From: Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>
To: cryptography@metzdowd.com
On 2013-09-04 16:37, Perry E. Metzger wrote:
> Phil Karn described a construction for turning any hash function into
> the core of a Feistel cipher in 1991. So far as I can tell, such
> ciphers are actually quite secure, though impractically slow.
>
> Pointers to his original sci.crypt posting would be appreciated, I
> wasn't able to find it with a quick search.

I remember having reviewed a construction by Peter Gutmann, called a
Message Digest Cipher, at around that time, which also turned a hash
function into a cipher. I do remember that at that time I thought it
was quite secure, but I was just a little puppy then. Schneier reviews
this construction in Applied Cryptography and can't find fault with it,
but doesn't like it on principle ("using the hash function for something
for which it is not intended").

It works like this. Let h be the "incremental" hash function, i.e., the
compression function that you use to hash data piecewise. In
programming terms, this function is usually called XXXUpdate() if XXX is
the name of the hash function. Then, if P(1), ..., P(n) are your
plaintext blocks and K is your key, compute:

    C(1) = P(1) XOR h(IV, K)
    C(j) = P(j) XOR h(C(j-1), K), for 1 < j <= n.

Decryption is a very similar operation:

    P(1) = C(1) XOR h(IV, K)
    P(j) = C(j) XOR h(C(j-1), K), for 1 < j <= n.

It's just running the compression function in CFB mode.

Fun,
Stephan
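
A runnable sketch of the construction described in the message above, added here as an example; it is not code from the post, from Gutmann, or from Applied Cryptography. It assumes SHA-1 as the hash, with h(state, block) taking the previous 20-byte ciphertext block as the chaining value and a 64-byte key as the message block; that argument mapping and the names h, mdc_encrypt and mdc_decrypt are assumptions.

```python
import struct

MASK = 0xFFFFFFFF
# Standard SHA-1 initial chaining value, exposed so h() can be checked against hashlib.
SHA1_IV = struct.pack(">5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def h(state, block):
    """SHA-1 compression function: 20-byte chaining value + 64-byte block -> 20 bytes."""
    assert len(state) == 20 and len(block) == 64
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):  # message schedule expansion
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    h0 = struct.unpack(">5I", state)
    a, b, c, d, e = h0
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[t]) & MASK, a, rotl(b, 30), c, d
    # Feed-forward: add the input chaining value to the round output.
    return struct.pack(">5I", *((x + y) & MASK for x, y in zip(h0, (a, b, c, d, e))))

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))  # zip truncates for a short last block

def mdc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), 20):
        prev = xor(plaintext[i:i + 20], h(prev, key))  # C(j) = P(j) XOR h(C(j-1), K)
        out.append(prev)
    return b"".join(out)

def mdc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), 20):
        c = ciphertext[i:i + 20]
        out.append(xor(c, h(prev, key)))               # P(j) = C(j) XOR h(C(j-1), K)
        prev = c
    return b"".join(out)

if __name__ == "__main__":
    key, iv = bytes(range(64)), bytes(20)  # constructed demo values, not for real use
    print(mdc_decrypt(key, iv, mdc_encrypt(key, iv, b"constructed sample plaintext")))
```

As with any CFB mode, this gives confidentiality only: a changed ciphertext bit flips the same plaintext bit in that block and garbles the following block, and the IV must not repeat under the same key.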