Re: [Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Aloha!
Stephan Neuhaus wrote:
> On 2013-09-04 16:37, Perry E. Metzger wrote:
>> Phil Karn described a construction for turning any hash function
>> into the core of a Feistel cipher in 1991. So far as I can tell,
>> such ciphers are actually quite secure, though impractically slow.
>>
>> Pointers to his original sci.crypt posting would be appreciated, I
>> wasn't able to find it with a quick search.
>
> I remember having reviewed a construction by Peter Gutmann, called a
> Message Digest Cipher, at around that time, which also turned a hash
> function into a cipher. I do remember that at that time I thought
> it was quite secure, but I was just a little puppy then. Schneier
> reviews this construction in Applied Cryptography and can't find
> fault with it, but doesn't like it on principle ("using the hash
> function for something for which it is not intended").
Isn't this whole discussion basically the gist of DJB vs USA?
https://en.wikipedia.org/wiki/Snuffle
And today we have Salsa20 as a PRNG/stream cipher in eSTREAM.
The Salsa family of functions including ChaCha are compression functions
in counter mode to generate a keystream.
- --
Med vänlig hälsning, Yours
Joachim Strömbergson - Alltid i harmonisk svängning.
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlIoUmoACgkQZoPr8HT30QF6BwCgrbIFVv/ETFWjGGUxi27h6bWb
7usAoKNYs9PO1ENGD8jeSje3i6Hm+xml
=8rT0
-END PGP SIGNATURE-
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)
On 2013-09-04 16:37, Perry E. Metzger wrote:
Phil Karn described a construction for turning any hash function into
the core of a Feistel cipher in 1991. So far as I can tell, such
ciphers are actually quite secure, though impractically slow.
Pointers to his original sci.crypt posting would be appreciated, I
wasn't able to find it with a quick search.
I remember having reviewed a construction by Peter Gutmann, called a
Message Digest Cipher, at around that time, which also turned a hash
function into a cipher. I do remember that at that time I thought it
was quite secure, but I was just a little puppy then. Schneier reviews
this construction in Applied Cryptography and can't find fault with it,
but doesn't like it on principle ("using the hash function for something
for which it is not intended").
It works like this. Let h be the "incremental" hash function, i.e., the
compression function that you use to hash data piecewise. In
programming terms, this function is usually called XXXUpdate() if XXX is
the name of the hash function. Then, if P(1), ..., P(n) are your
plaintext blocks and K is your key, compute:
C(1) = P(1) XOR h(IV, K)
C(j) = P(j) XOR h(C(j-1), K), for 1 < j <= n.
Decryption is a very similar operation:
P(1) = C(1) XOR h(IV, K)
P(j) = C(j) XOR h(C(j-1), K), for 1 < j <= n.
It's just running the compression function in CFB mode.
Fun,
Stephan
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Hashes into Ciphers (was Re: FIPS, NIST and ITAR questions)
As a pure aside... On Tue, 3 Sep 2013 15:16:14 -0400 Faré wrote: > Can't you trivially transform a hash into a PRNG, a PRNG into a > cypher, and vice versa? Phil Karn described a construction for turning any hash function into the core of a Feistel cipher in 1991. So far as I can tell, such ciphers are actually quite secure, though impractically slow. Pointers to his original sci.crypt posting would be appreciated, I wasn't able to find it with a quick search. Perry -- Perry E. Metzgerpe...@piermont.com ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
