[Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Wed Sep 4 14:40:13 EDT 2013


On 2013-09-04 16:37, Perry E. Metzger wrote:
> Phil Karn described a construction for turning any hash function into
> the core of a Feistel cipher in 1991. So far as I can tell, such
> ciphers are actually quite secure, though impractically slow.
>
> Pointers to his original sci.crypt posting would be appreciated, I
> wasn't able to find it with a quick search.

I remember having reviewed a construction by Peter Gutmann, called a 
Message Digest Cipher, at around that time, which also turned a hash 
function into a cipher.  I do remember that at that time I thought it 
was quite secure, but I was just a little puppy then.  Schneier reviews 
this construction in Applied Cryptography and can't find fault with it, 
but doesn't like it on principle ("using the hash function for something 
for which it is not intended").

It works like this. Let h be the "incremental" hash function, i.e., the 
compression function that you use to hash data piecewise.  In 
programming terms, this function is usually called XXXUpdate() if XXX is 
the name of the hash function. Then, if P(1), ..., P(n) are your 
plaintext blocks and K is your key, compute:

   C(1) = P(1) XOR h(IV, K)
   C(j) = P(j) XOR h(C(j-1), K),   for 1 < j <= n.

Decryption is a very similar operation:

   P(1) = C(1) XOR h(IV, K)
   P(j) = C(j) XOR h(C(j-1), K),   for 1 < j <= n.

It's just running the compression function in CFB mode.

Fun,

Stephan


More information about the cryptography mailing list