On 2013-09-04 16:37, Perry E. Metzger wrote:

Phil Karn described a construction for turning any hash function into the core of a Feistel cipher in 1991. So far as I can tell, such ciphers are actually quite secure, though impractically slow. Pointers to his original sci.crypt posting would be appreciated; I wasn't able to find it with a quick search.

I remember having reviewed a construction by Peter Gutmann, called a Message Digest Cipher, at around that time, which also turned a hash function into a cipher. I do remember that at that time I thought it was quite secure, but I was just a little puppy then. Schneier reviews this construction in Applied Cryptography and can't find fault with it, but doesn't like it on principle ("using the hash function for something for which it is not intended").

It works like this. Let h be the "incremental" hash function, i.e., the compression function that you use to hash data piecewise. In programming terms, this function is usually called XXXUpdate() if XXX is the name of the hash function. Then, if P(1), ..., P(n) are your plaintext blocks and K is your key, compute:

    C(1) = P(1) XOR h(IV, K)
    C(j) = P(j) XOR h(C(j-1), K), for 1 < j <= n.

Decryption is a very similar operation:

    P(1) = C(1) XOR h(IV, K)
    P(j) = C(j) XOR h(C(j-1), K), for 1 < j <= n.

It's just running the compression function in CFB mode.

Fun,

Stephan
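The construction in the message above, worked through as an added example; it is not code from the message, from Gutmann, or from Schneier. Assumptions: h is the SHA-1 compression function (the message names no particular hash), so blocks and the IV are 20 bytes and K fills the 64-byte message-block input; `sha1_compress` and `mdc_cfb` are hypothetical names.

```python
import struct

BLOCK = 20    # assumption: SHA-1 chaining value size, used as the cipher block size
KEYLEN = 64   # assumption: SHA-1 message block size, used as the key size

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(state: bytes, block: bytes) -> bytes:
    """h(state, block): one SHA-1 compression step, with no padding and no fixed IV."""
    h = struct.unpack(">5I", state)
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rotl(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return struct.pack(">5I", *((x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))))

def mdc_cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """C(j) = P(j) XOR h(C(j-1), K) with C(0) = IV; decryption reuses the same keystream."""
    if len(key) != KEYLEN or len(iv) != BLOCK:
        raise ValueError("key must be 64 bytes and IV must be 20 bytes")
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]          # the last block may be short
        result = bytes(x ^ k for x, k in zip(chunk, sha1_compress(prev, key)))
        out += result
        prev = chunk if decrypt else result   # feedback is always the ciphertext block
    return bytes(out)

if __name__ == "__main__":
    key = bytes(range(64))   # constructed sample key, not a real secret
    iv = bytes(range(20))    # constructed sample IV
    ct = mdc_cfb(key, iv, b"constructed sample plaintext spanning several blocks")
    print(ct.hex())
    print(mdc_cfb(key, iv, ct, decrypt=True))
```

As with any CFB keystream, this gives confidentiality only: a flipped ciphertext bit flips the same plaintext bit and garbles the following block, so it needs a separate MAC, and the IV must not repeat under one key.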