# [Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)

Stephan Neuhaus stephan.neuhaus at tik.ee.ethz.ch
Wed Sep 4 14:40:13 EDT 2013

```On 2013-09-04 16:37, Perry E. Metzger wrote:
> Phil Karn described a construction for turning any hash function into
> the core of a Feistel cipher in 1991. So far as I can tell, such
> ciphers are actually quite secure, though impractically slow.
>
> Pointers to his original sci.crypt posting would be appreciated, I
> wasn't able to find it with a quick search.

I remember having reviewed a construction by Peter Gutmann, called a
Message Digest Cipher, at around that time, which also turned a hash
function into a cipher.  I do remember that at that time I thought it
was quite secure, but I was just a little puppy then.  Schneier reviews
this construction in Applied Cryptography and can't find fault with it,
but doesn't like it on principle ("using the hash function for something
for which it is not intended").

It works like this. Let h be the "incremental" hash function, i.e., the
compression function that you use to hash data piecewise.  In
programming terms, this function is usually called XXXUpdate() if XXX is
the name of the hash function. Then, if P(1), ..., P(n) are your
plaintext blocks and K is your key, compute:

C(1) = P(1) XOR h(IV, K)
C(j) = P(j) XOR h(C(j-1), K),   for 1 < j <= n.

Decryption is a very similar operation:

P(1) = C(1) XOR h(IV, K)
P(j) = C(j) XOR h(C(j-1), K),   for 1 < j <= n.

It's just running the compression function in CFB mode.

Fun,

Stephan
```