Making encoding out of an authentication cipher

David F. Ogren ogren at cris.com
Thu Jul 18 14:24:57 PDT 1996


-----BEGIN PGP SIGNED MESSAGE-----

To: EVERHART at Arisia.GCE.Com, cypherpunks at toad.com
Date: Thu Jul 18 12:44:15 1996
> Suppose you have a secure hash function H(msg) that delivers a random
> long period set of hash bits for msg, which is computationally infeasible
> to invert and such that the value of H(msg) depends very sensitively on
> all bits of msg. These things are used for authentication and tend to be
> all over the world.
> 
> Now suppose I have a key and apply the following transform, where "+"
> will mean binary exclusive OR.
> 
> Cipher:
> H(key) + M(1)    = C(1)
> H(key+M(1)) + M(2) = C(2)
> H(key+M(2)) + M(3) = C(3)
> 
> and so on where M(n) is the message and C is the enciphered message.
> 
> Decipher:
> 
> H(key)      + C(1)  = M(1)
> H(key+M(1)) + C(2)  = M(2)
> H(key+M(2)) + C(3)  = M(3)
> 
> and so on.
> 
> If the hash function is cryptographically strong, is this or is this not
> a strong cipher? Are there fast hash functions around?
> 

This, along with several other methods (Karn, Luby-Rackoff and MDC are 
some others), has been suggested in order to convert a hash function into 
an encryption algorithm.  And while the method you suggest has not been 
broken (at least to my knowledge) there are at least two major problems:

1. It is slow.  This method would appear to be approximately the speed of 
MDC.  And MDC (using SHA, what appears to be the most secure hash) is (very 
roughly) 5 times slower than Blowfish and 3 times slower than IDEA.  And 
although MDC is faster than 3DES in software, 3DES could easily outpace MDC 
in hardware.

2. (To directly quote Bruce Schneier from Applied Cryptography, page 353) 
"While these constructions can be secure, they depend on the choice of the 
underlying hash function.  A good one-way hash function doesn't necessarily 
make a secure encryption algorithm.  Cryptographic requirements are 
different.  For example, linear cryptanalysis is not a viable attack 
against one-way hash functions, but works against encryption algorithms."  
(Any typos are mine.)

- --
David F. Ogren                |
ogren at concentric.net          | "A man without religion is like a fish
PGP Key ID: 0x6458EB29        |  without a bicycle"
- ------------------------------|----------------------------------------
Don't know what PGP is?       | Need my public key?  It's available
Send a message to me with the | by server or by sending me a message
subject GETPGPINFO            | with the subject GETPGPKEY
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
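
The construction quoted at the top of this message, written out as an added example (not code from either poster). It assumes SHA-1 for H, 20-byte blocks, and a key exactly one block long so that "key + M(n)" is a plain XOR; the function names and sample values are constructed for illustration.

```python
import hashlib

BLOCK = hashlib.sha1().digest_size  # 20 bytes; SHA-1 stands in for H (assumption)


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def _crypt(key: bytes, data: bytes, decrypting: bool) -> bytes:
    # Assumption: the key is exactly one block, so "key + M(n)" is a plain XOR.
    if len(key) != BLOCK:
        raise ValueError(f"key must be {BLOCK} bytes")
    out = bytearray()
    pad = hashlib.sha1(key).digest()              # H(key) covers the first block
    for i in range(0, len(data), BLOCK):
        block_in = data[i:i + BLOCK]
        block_out = _xor(pad, block_in)           # a short final block truncates the pad
        out += block_out
        plain = block_out if decrypting else block_in
        if len(plain) == BLOCK:                   # the pad chains on the plaintext block
            pad = hashlib.sha1(_xor(key, plain)).digest()
    return bytes(out)


def encrypt(key: bytes, message: bytes) -> bytes:
    """C(1) = H(key) + M(1);  C(n) = H(key + M(n-1)) + M(n)."""
    return _crypt(key, message, decrypting=False)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """M(1) = H(key) + C(1);  M(n) = H(key + M(n-1)) + C(n)."""
    return _crypt(key, ciphertext, decrypting=True)


if __name__ == "__main__":
    key = hashlib.sha1(b"constructed demo passphrase").digest()  # constructed key
    msg = b"Constructed sample message spanning more than two blocks."
    ct = encrypt(key, msg)
    print(ct.hex())
    print(decrypt(key, ct))
```

Because each pad depends only on the preceding plaintext block, a change in M(1) alters C(1) and C(2) but not C(3), and H(key) is the first pad of every message sent under the same key.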






