Re: [Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)
Aloha!

Stephan Neuhaus wrote:
> On 2013-09-04 16:37, Perry E. Metzger wrote:
>> Phil Karn described a construction for turning any hash function
>> into the core of a Feistel cipher in 1991. So far as I can tell,
>> such ciphers are actually quite secure, though impractically slow.
>>
>> Pointers to his original sci.crypt posting would be appreciated, I
>> wasn't able to find it with a quick search.
>
> I remember having reviewed a construction by Peter Gutmann, called a
> Message Digest Cipher, at around that time, which also turned a hash
> function into a cipher. I do remember that at that time I thought
> it was quite secure, but I was just a little puppy then. Schneier
> reviews this construction in Applied Cryptography and can't find
> fault with it, but doesn't like it on principle ("using the hash
> function for something for which it is not intended").

Isn't this whole discussion basically the gist of DJB vs USA?

https://en.wikipedia.org/wiki/Snuffle

And today we have Salsa20 as a PRNG/stream cipher in eSTREAM. The Salsa
family of functions including ChaCha are compression functions in
counter mode to generate a keystream.

--
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)
On 2013-09-04 16:37, Perry E. Metzger wrote:
> Phil Karn described a construction for turning any hash function
> into the core of a Feistel cipher in 1991. So far as I can tell,
> such ciphers are actually quite secure, though impractically slow.
>
> Pointers to his original sci.crypt posting would be appreciated, I
> wasn't able to find it with a quick search.

I remember having reviewed a construction by Peter Gutmann, called a
Message Digest Cipher, at around that time, which also turned a hash
function into a cipher. I do remember that at that time I thought it
was quite secure, but I was just a little puppy then. Schneier reviews
this construction in Applied Cryptography and can't find fault with it,
but doesn't like it on principle ("using the hash function for
something for which it is not intended").

It works like this. Let h be the "incremental" hash function, i.e., the
compression function that you use to hash data piecewise. In
programming terms, this function is usually called XXXUpdate() if XXX
is the name of the hash function. Then, if P(1), ..., P(n) are your
plaintext blocks and K is your key, compute:

    C(1) = P(1) XOR h(IV, K)
    C(j) = P(j) XOR h(C(j-1), K), for 1 < j <= n.

Decryption is a very similar operation:

    P(1) = C(1) XOR h(IV, K)
    P(j) = C(j) XOR h(C(j-1), K), for 1 < j <= n.

It's just running the compression function in CFB mode.

Fun,

Stephan
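The construction described in the message above, as an added example that is not part of the original thread and not Gutmann's own code. It assumes MD5's compression function as h (chosen only because it is short enough to write inline), so the cipher block is 16 bytes and the key K is one 64-byte hash input block. The function names are hypothetical. As with any CFB mode, it provides no integrity and needs a fresh IV per message.

```python
import math
import struct

# MD5 per-round shift amounts and sine-derived constants (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
BLOCK = 16  # cipher block size = MD5 chaining-value size in bytes
MASK = 0xFFFFFFFF

def md5_compress(cv: bytes, block: bytes) -> bytes:
    """h(cv, block): one MD5 compression step, no padding or length encoding."""
    if len(cv) != 16 or len(block) != 64:
        raise ValueError("cv must be 16 bytes and block 64 bytes")
    state = struct.unpack("<4I", cv)
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + T[i] + m[g]) & MASK
        a, d, c = d, c, b
        b = (b + ((f << S[i]) | (f >> (32 - S[i])))) & MASK
    return struct.pack("<4I", *((x + y) & MASK for x, y in zip(state, (a, b, c, d))))

def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))  # zip truncates to a short final block

def mdc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C(1) = P(1) XOR h(IV, K); C(j) = P(j) XOR h(C(j-1), K)."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = xor_bytes(plaintext[i:i + BLOCK], md5_compress(prev, key))
        out.append(prev)
    return b"".join(out)

def mdc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P(1) = C(1) XOR h(IV, K); P(j) = C(j) XOR h(C(j-1), K)."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(cur, md5_compress(prev, key)))
        prev = cur
    return b"".join(out)
```

Flipping one ciphertext bit flips the same bit of the corresponding plaintext block and garbles only the block after it, so a deployment of this mode needs a separate MAC.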
[Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)
As a pure aside...

On Tue, 3 Sep 2013 15:16:14 -0400 Faré wrote:
> Can't you trivially transform a hash into a PRNG, a PRNG into a
> cypher, and vice versa?

Phil Karn described a construction for turning any hash function into
the core of a Feistel cipher in 1991. So far as I can tell, such
ciphers are actually quite secure, though impractically slow.

Pointers to his original sci.crypt posting would be appreciated, I
wasn't able to find it with a quick search.

Perry
--
Perry E. Metzger    pe...@piermont.com