From: SMTP%"ogren@cris.com" 18-JUL-1996 19:27:40.98 To: EVERHART CC: Subj: Re: Making encoding out of an authentication cipher Errors-To: ogren@cris.com Date: Thu, 18 Jul 1996 12:47:56 -0400 (EDT) Message-Id: <199607181647.MAA02366@darius.cris.com> From: "David F. Ogren" To: EVERHART@Arisia.GCE.Com X-Priority: Normal Subject: Re: Making encoding out of an authentication cipher Cc: cypherpunks@toad.com X-Mailer: Pronto Secure [Ver 1.0 Beta 6.23] MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Pgprequest: signed -----BEGIN PGP SIGNED MESSAGE----- To: EVERHART@Arisia.GCE.Com, cypherpunks@toad.com Date: Thu Jul 18 12:44:15 1996 > Suppose you have a secure hash function H(msg) that delivers a random > long period set of hash bits for msg, which is computationally infeasible > to invert and such that the value of H(msg) depends very sensitively on > all bits of msg. These things are used for authentication and tend to > be > all over the world. > > Now suppose I have a key and apply the following transform, where "+" > will mean binary exclusive OR. > > Cipher: > H(key) + M(1) = C(1) > H(key+M(1)) + M(2) = C(2) > H(key+M(2)) + M(3) = C(3) > > and so on where M(n) is the message and C is the enciphered message. > > Decipher: > > H(key) + C(1) = M(1) > H(key+M(1)) + C(2) = M(2) > H(key+M(2)) + C(3) = M(3) > > and so on. > > If the hash function is cryptographically strong, is this or is this > not > a strong cipher? Are there fast hash functions around? > This, along with several other methods (Karn, Luby-Rackoff and MDC are some others) have been suggested in order to convert a hash function into and encryption algorithm. And while the method you suggest has not been broken (at least to my knowledge) there are at least two major problems: 1. It is slow. This method would appear to be approximately the speed of MDC. And MDC (using SHA, what appears to be the most secure hash) is (very roughly) 5 times slower than Blowfish and 3 times slower than IDEA. And although MDC is faster than 3DES in software, 3DES could easily outpace MDC in hardware. 2. (To directly quote Bruce Schneier from Applied Cryptography, page 353) "While these constructions can be secure, they depend on the choice of the underlying hash function. A good one-way hash function doesn't necessarily make a secure encryption algorithm. Cryptographic requirements are different. For example, linear cryptoanalysis is not a viable attack against one-way hash functions, but works against encryption algorithms." (Any typos are mine.) - -- David F. Ogren | ogren@concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMe5p4uSLhCBkWOspAQFzLQf+J7VGyboBIb4/x2uT3ACs/xgMP11EnggF 6xnrT/TalqJofF1KcEGa3+DgfRRSAn0lxe2jGnLRCAj85zNwXNBy6V4A9pr/0Ldg lD0aHpDFBRXZngqHtCANce8OJvC/EwPbotOuFR+V2vwrB7CHD+4XlNxcfcWDZN7i /ffD6YdUnOpKtvj5ElmPmbOfODC10XD35nRbu1NMurmJQESA14Ohzk9KhRzVkNtv pYkwcCqkR2kWGnWSkew9Zfw4U+IOdFiwb9etgiOEl86hM38cK1SM1RxArEfW3vIw k2EM6o/rF4OIiDUYlJ3STxYAn7kAnOQ6PeYeUu48WmX1Y3q05qmFrQ== =Hj2r -----END PGP SIGNATURE-----