1996-07-18 - Re: Making encoding out of an authentication cipher

Header Data

From: “David F. Ogren” <ogren@cris.com>
To: EVERHART@Arisia.GCE.Com
Message Hash: 2afa939ca0976ade0b40795a2b2246f3fd4373c3dd277655f6fbb8baf84f3757
Message ID: <199607181647.MAA02366@darius.cris.com>
Reply To: N/A
UTC Datetime: 1996-07-18 21:24:57 UTC
Raw Date: Fri, 19 Jul 1996 05:24:57 +0800

Raw message

From: "David F. Ogren" <ogren@cris.com>
Date: Fri, 19 Jul 1996 05:24:57 +0800
To: EVERHART@Arisia.GCE.Com
Subject: Re: Making encoding out of an authentication cipher
Message-ID: <199607181647.MAA02366@darius.cris.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

To: EVERHART@Arisia.GCE.Com, cypherpunks@toad.com
Date: Thu Jul 18 12:44:15 1996
> Suppose you have a secure hash function H(msg) that delivers a random
> long period set of hash bits for msg, which is computationally infeasible
> to invert and such that the value of H(msg) depends very sensitively on
> all bits of msg. These things are used for authentication and tend to
>  be
> all over the world.
> 
> Now suppose I have a key and apply the following transform, where "+"
> will mean binary exclusive OR.
> 
> Cipher:
> H(key) + M(1)    = C(1)
> H(key+M(1)) + M(2) = C(2)
> H(key+M(2)) + M(3) = C(3)
> 
> and so on where M(n) is the message and C is the enciphered message.
> 
> Decipher:
> 
> H(key)      + C(1)  = M(1)
> H(key+M(1)) + C(2)  = M(2)
> H(key+M(2)) + C(3)  = M(3)
> 
> and so on.
> 
> If the hash function is cryptographically strong, is this or is this
>  not
> a strong cipher? Are there fast hash functions around?
> 

This, along with several other methods (Karn, Luby-Rackoff and MDC are 
some others) have been suggested in order to convert a hash function into 
and encryption algorithm.  And while the method you suggest has not been 
broken (at least to my knowledge) there are at least two major problems:

1. It is slow.  This method would appear to be approximately the speed of 
MDC.  And MDC (using SHA, what appears to be the most secure hash) is (very 
roughly) 5 times slower than Blowfish and 3 times slower than IDEA.  And 
although MDC is faster than 3DES in software, 3DES could easily outpace MDC 
in hardware.

2. (To directly quote Bruce Schneier from Applied Cryptography, page 353) 
"While these constructions can be secure, they depend on the choice of the 
underlying hash function.  A good one-way hash function doesn't necessarily 
make a secure encryption algorithm.  Cryptographic requirements are 
different.  For example, linear cryptoanalysis is not a viable attack 
against one-way hash functions, but works against encryption algorithms."  
(Any typos are mine.)

- --
David F. Ogren                |
ogren@concentric.net          | "A man without religion is like a fish
PGP Key ID: 0x6458EB29        |  without a bicycle"
- ------------------------------|----------------------------------------
Don't know what PGP is?       | Need my public key?  It's available
Send a message to me with the | by server or by sending me a message
subject GETPGPINFO            | with the subject GETPGPKEY
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMe5p4uSLhCBkWOspAQFzLQf+J7VGyboBIb4/x2uT3ACs/xgMP11EnggF
6xnrT/TalqJofF1KcEGa3+DgfRRSAn0lxe2jGnLRCAj85zNwXNBy6V4A9pr/0Ldg
lD0aHpDFBRXZngqHtCANce8OJvC/EwPbotOuFR+V2vwrB7CHD+4XlNxcfcWDZN7i
/ffD6YdUnOpKtvj5ElmPmbOfODC10XD35nRbu1NMurmJQESA14Ohzk9KhRzVkNtv
pYkwcCqkR2kWGnWSkew9Zfw4U+IOdFiwb9etgiOEl86hM38cK1SM1RxArEfW3vIw
k2EM6o/rF4OIiDUYlJ3STxYAn7kAnOQ6PeYeUu48WmX1Y3q05qmFrQ==
=Hj2r
-----END PGP SIGNATURE-----






Thread