From: “David F. Ogren” <ogren@cris.com>
To: EVERHART@Arisia.GCE.Com
Message Hash: 2afa939ca0976ade0b40795a2b2246f3fd4373c3dd277655f6fbb8baf84f3757
Message ID: <199607181647.MAA02366@darius.cris.com>
Reply To: N/A
UTC Datetime: 1996-07-18 21:24:57 UTC
Raw Date: Fri, 19 Jul 1996 05:24:57 +0800
From: "David F. Ogren" <ogren@cris.com>
Date: Fri, 19 Jul 1996 05:24:57 +0800
To: EVERHART@Arisia.GCE.Com
Subject: Re: Making encoding out of an authentication cipher
Message-ID: <199607181647.MAA02366@darius.cris.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
To: EVERHART@Arisia.GCE.Com, cypherpunks@toad.com
Date: Thu Jul 18 12:44:15 1996
> Suppose you have a secure hash function H(msg) that delivers a random
> long period set of hash bits for msg, which is computationally infeasible
> to invert and such that the value of H(msg) depends very sensitively on
> all bits of msg. These things are used for authentication and tend to
> be
> all over the world.
>
> Now suppose I have a key and apply the following transform, where "+"
> will mean binary exclusive OR.
>
> Cipher:
> H(key) + M(1) = C(1)
> H(key+M(1)) + M(2) = C(2)
> H(key+M(2)) + M(3) = C(3)
>
> and so on where M(n) is the message and C is the enciphered message.
>
> Decipher:
>
> H(key) + C(1) = M(1)
> H(key+M(1)) + C(2) = M(2)
> H(key+M(2)) + C(3) = M(3)
>
> and so on.
>
> If the hash function is cryptographically strong, is this or is this
> not
> a strong cipher? Are there fast hash functions around?
>
This, along with several other methods (Karn, Luby-Rackoff and MDC are
some others) have been suggested in order to convert a hash function into
and encryption algorithm. And while the method you suggest has not been
broken (at least to my knowledge) there are at least two major problems:
1. It is slow. This method would appear to be approximately the speed of
MDC. And MDC (using SHA, what appears to be the most secure hash) is (very
roughly) 5 times slower than Blowfish and 3 times slower than IDEA. And
although MDC is faster than 3DES in software, 3DES could easily outpace MDC
in hardware.
2. (To directly quote Bruce Schneier from Applied Cryptography, page 353)
"While these constructions can be secure, they depend on the choice of the
underlying hash function. A good one-way hash function doesn't necessarily
make a secure encryption algorithm. Cryptographic requirements are
different. For example, linear cryptoanalysis is not a viable attack
against one-way hash functions, but works against encryption algorithms."
(Any typos are mine.)
- --
David F. Ogren |
ogren@concentric.net | "A man without religion is like a fish
PGP Key ID: 0x6458EB29 | without a bicycle"
- ------------------------------|----------------------------------------
Don't know what PGP is? | Need my public key? It's available
Send a message to me with the | by server or by sending me a message
subject GETPGPINFO | with the subject GETPGPKEY
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBMe5p4uSLhCBkWOspAQFzLQf+J7VGyboBIb4/x2uT3ACs/xgMP11EnggF
6xnrT/TalqJofF1KcEGa3+DgfRRSAn0lxe2jGnLRCAj85zNwXNBy6V4A9pr/0Ldg
lD0aHpDFBRXZngqHtCANce8OJvC/EwPbotOuFR+V2vwrB7CHD+4XlNxcfcWDZN7i
/ffD6YdUnOpKtvj5ElmPmbOfODC10XD35nRbu1NMurmJQESA14Ohzk9KhRzVkNtv
pYkwcCqkR2kWGnWSkew9Zfw4U+IOdFiwb9etgiOEl86hM38cK1SM1RxArEfW3vIw
k2EM6o/rF4OIiDUYlJ3STxYAn7kAnOQ6PeYeUu48WmX1Y3q05qmFrQ==
=Hj2r
-----END PGP SIGNATURE-----
Return to July 1996
Return to ““David F. Ogren” <ogren@cris.com>”
1996-07-18 (Fri, 19 Jul 1996 05:24:57 +0800) - Re: Making encoding out of an authentication cipher - “David F. Ogren” <ogren@cris.com>