home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: sci.crypt
- Path: sparky!uunet!walter!qualcom.qualcomm.com!servo.qualcomm.com!karn
- From: karn@servo.qualcomm.com (Phil Karn)
- Subject: Re: MDC cipher code (long)
- Message-ID: <1992Nov1.223836.22794@qualcomm.com>
- Sender: news@qualcomm.com
- Nntp-Posting-Host: servo.qualcomm.com
- Organization: Qualcomm, Inc
- References: <1992Oct22.063349.28189@cs.aukuni.ac.nz> <5830005@hplsla.hp.com>
- Date: Sun, 1 Nov 1992 22:38:36 GMT
- Lines: 25
-
- In article <5830005@hplsla.hp.com> ericb@hplsla.hp.com (Eric Backus) writes:
- >I was under the impression that a secure cipher could be obtained from
- >a message digest algorithm, by using several passes of a message
- >digest algorithm and using the user's key as part of the input to the
- >digest algorithm. I don't think the message digest algorithm needs to
- >be altered in any way for this. I think Phil Karn proposed something
- >like this awhile back. (Phil, did you make this work?)
-
- I proposed it, but I never actually followed through with the
- definitive implementation. But you're right, all you need is three
- Feistel rounds with the nonlinear transformation 'f' in each being a
- strong hash function like MD-5. It is important that each round be
- separately keyed, although the three subkeys can be derived from a
- single input key (e.g., by appending the input key to a
- round-dependent constant and hashing).
-
- MD-5 does have a lot of baggage from its role as a hash function that
- can be removed when it is to be used as the nonlinear primitive in a
- cipher. E.g., there's no need to pad out each input block with the
- input length. All you need is the internal "transform" function, the
- routine that crunches 64 bytes to 16 bytes on each iteration. You
- design your cipher to work with these block sizes, which admittedly
- are inconveniently large for some applications.
-
- Phil
-
