On 2013-09-04 16:37, Perry E. Metzger wrote:
Phil Karn described a construction for turning any hash function into
the core of a Feistel cipher in 1991. So far as I can tell, such
ciphers are actually quite secure, though impractically slow.

Pointers to his original sci.crypt posting would be appreciated, I
wasn't able to find it with a quick search.

I remember having reviewed a construction by Peter Gutmann, called a Message Digest Cipher, at around that time, which also turned a hash function into a cipher. I do remember that at that time I thought it was quite secure, but I was just a little puppy then. Schneier reviews this construction in Applied Cryptography and can't find fault with it, but doesn't like it on principle ("using the hash function for something for which it is not intended").

It works like this. Let h be the "incremental" hash function, i.e., the compression function that you use to hash data piecewise. In programming terms, this function is usually called XXXUpdate() if XXX is the name of the hash function. Then, if P(1), ..., P(n) are your plaintext blocks and K is your key, compute:

  C(1) = P(1) XOR h(IV, K)
  C(j) = P(j) XOR h(C(j-1), K),   for 1 < j <= n.

Decryption is a very similar operation:

  P(1) = C(1) XOR h(IV, K)
  P(j) = C(j) XOR h(C(j-1), K),   for 1 < j <= n.

It's just running the compression function in CFB mode.


The cryptography mailing list

Reply via email to