similar construction can use the one-way function in OFB mode:

$C_i = P_i \oplus S_i$; $S_i = H(K, C_{i-1})$
$P_i = C_i \oplus S_i$; $S_i = H(K, C_{i-1})$

The security of this scheme depends on the security of the one-way function.

Karn
This method, invented by Phil Karn and placed in the public domain, makes an invertible encryption algorithm out of certain one-way hash functions. The algorithm operates on plaintext and ciphertext in 32-byte blocks. The key can be any length, although certain key lengths will be more efficient for certain one-way hash functions. For the one-way hash functions MD4 and MD5, 96-byte keys work best.

To encrypt, first split the plaintext into two 16-byte halves: $P_l$ and $P_r$. Then, split the key into two 48-byte halves: $K_l$ and $K_r$.

$P = P_l, P_r$
$K = K_l, K_r$

Append $K_l$ to $P_l$ and hash it with a one-way hash function, then XOR the result of the hash with $P_r$ to produce $C_r$, the right half of the ciphertext. Then, append $K_r$ to $C_r$ and hash it with the one-way hash function. XOR the result with $P_l$ to produce $C_l$. Finally, append $C_r$ to $C_l$ to produce the ciphertext.

$C_r = P_r \oplus H(P_l, K_l)$
$C_l = P_l \oplus H(C_r, K_r)$
$C = C_l, C_r$

To decrypt, simply reverse the process. Append $K_r$ to $C_r$, hash and XOR with $C_l$ to produce $P_l$. Append $K_l$ to $P_l$, hash and XOR with $C_r$ to produce $P_r$.

$P_l = C_l \oplus H(C_r, K_r)$
$P_r = C_r \oplus H(P_l, K_l)$
$P = P_l, P_r$

The overall structure of Karn is the same as many of the other block algorithms discussed in this section. It has only two rounds, because the complexity of the algorithm is embedded in the one-way hash function. And since the key is used only as the input to the hash function, it cannot be recovered even using a chosen-plaintext attack—assuming, of course, that the one-way hash function is secure.

Luby-Rackoff
Michael Luby and Charles Rackoff showed that Karn is not secure. Consider two single-block messages: AB and AC. If a cryptanalyst knows both the plaintext and the ciphertext of the first message, and knows the first half of the plaintext of the second message, then he can easily compute the entire second...
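The two-round construction and the AB/AC observation above, as an added Python example that is not code from the original text. It assumes MD5 as the hash (named in the text for 96-byte keys), that "append" means plain concatenation, and that the second message's ciphertext is also observed; all function names, the key and the sample blocks are constructed for illustration.

```python
import hashlib

HALF = 16       # MD5 digest size, so each half of the 32-byte block is 16 bytes
KEY_HALF = 48   # a 96-byte key split into two 48-byte halves

def _h(data: bytes) -> bytes:
    # MD5 only because the text names it for Karn; it is not a modern choice.
    return hashlib.md5(data).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _halves(block: bytes, key: bytes):
    if len(block) != 2 * HALF or len(key) != 2 * KEY_HALF:
        raise ValueError("need a 32-byte block and a 96-byte key")
    return block[:HALF], block[HALF:], key[:KEY_HALF], key[KEY_HALF:]

def karn_encrypt(block: bytes, key: bytes) -> bytes:
    p_left, p_right, k_left, k_right = _halves(block, key)
    c_right = _xor(p_right, _h(p_left + k_left))   # right = right XOR H(left, K_left)
    c_left = _xor(p_left, _h(c_right + k_right))   # left = left XOR H(c_right, K_right)
    return c_left + c_right

def karn_decrypt(block: bytes, key: bytes) -> bytes:
    c_left, c_right, k_left, k_right = _halves(block, key)
    p_left = _xor(c_left, _h(c_right + k_right))   # undo the second round first
    p_right = _xor(c_right, _h(p_left + k_left))   # then the first round
    return p_left + p_right

def right_half_from_shared_left(known_pt: bytes, known_ct: bytes, other_ct: bytes) -> bytes:
    """Why the scheme fails: blocks with the same left plaintext half reuse the
    mask H(left, K_left), so one known pair exposes the other right half, no key needed."""
    mask = _xor(known_pt[HALF:], known_ct[HALF:])
    return _xor(other_ct[HALF:], mask)

# Constructed sample values (not from the original text).
KEY = bytes(range(96))
AB = b"A" * 16 + b"B" * 16
AC = b"A" * 16 + b"C" * 16

if __name__ == "__main__":
    ct_ab, ct_ac = karn_encrypt(AB, KEY), karn_encrypt(AC, KEY)
    print("round trip ok:", karn_decrypt(ct_ab, KEY) == AB)
    print("recovered right half of AC:", right_half_from_shared_left(AB, ct_ab, ct_ac))
```

The recovery works because the first-round mask depends only on the left plaintext half and the key, so it acts as a reused keystream for every block that shares that half.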
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.