similar construction can use the one-way function in OFB mode:

$$C_i = P_i \oplus S_i; \quad S_i = H(K, C_{i-1})$$
$$P_i = C_i \oplus S_i; \quad S_i = H(K, C_{i-1})$$

The security of this scheme depends on the security of the one-way function.

Karn
This method, invented by Phil Karn and placed in the public domain, makes an invertible encryption algorithm out of certain one-way hash functions. The algorithm operates on plaintext and ciphertext in 32-byte blocks. The key can be any length, although certain key lengths will be more efficient for certain one-way hash functions. For the one-way hash functions MD4 and MD5, 96-byte keys work best.

To encrypt, first split the plaintext into two 16-byte halves: $P_l$ and $P_r$. Then, split the key into two 48-byte halves: $K_l$ and $K_r$.

$$P = P_l, P_r$$
$$K = K_l, K_r$$

Append $K_l$ to $P_l$ and hash it with a one-way hash function, then XOR the result of the hash with $P_r$ to produce $C_r$, the right half of the ciphertext. Then, append $K_r$ to $C_r$ and hash it with the one-way hash function. XOR the result with $P_l$ to produce $C_l$. Finally, append $C_r$ to $C_l$ to produce the ciphertext.

$$C_r = P_r \oplus H(P_l, K_l)$$
$$C_l = P_l \oplus H(C_r, K_r)$$
$$C = C_l, C_r$$

To decrypt, simply reverse the process. Append $K_r$ to $C_r$, hash and XOR with $C_l$ to produce $P_l$. Append $K_l$ to $P_l$, hash and XOR with $C_r$ to produce $P_r$.

$$P_l = C_l \oplus H(C_r, K_r)$$
$$P_r = C_r \oplus H(P_l, K_l)$$
$$P = P_l, P_r$$

The overall structure of Karn is the same as many of the other block algorithms discussed in this section. It has only two rounds, because the complexity of the algorithm is embedded in the one-way hash function. And since the key is used only as the input to the hash function, it cannot be recovered even using a chosen-plaintext attack, assuming, of course, that the one-way hash function is secure.

Luby-Rackoff
Michael Luby and Charles Rackoff showed that Karn is not secure [992]. Consider two single-block messages: AB and AC. If a cryptanalyst knows both the plaintext and the ciphertext of the first message, and knows the first half of the plaintext of the second message, then he can easily compute the entire second...
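The Karn block transform described above, written out with MD5 as the one-way hash. This is an added example, not code from the original text; the function names, the fixed 96-byte key check and the sample key and blocks are assumptions made for illustration. It also checks the property behind the AB/AC observation: the right ciphertext half is masked only by the hash of the left plaintext half and the key, so two blocks with the same left half share that mask.

```python
import hashlib

HALF = 16  # half-block size; also the MD5 digest size


def H(data: bytes, key_half: bytes) -> bytes:
    """Append the key half to the data and hash it (MD5, one of the text's choices)."""
    return hashlib.md5(data + key_half).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_inputs(block: bytes, key: bytes):
    if len(block) != 2 * HALF:
        raise ValueError("Karn works on 32-byte blocks")
    if len(key) != 96:
        raise ValueError("this example fixes the key at 96 bytes (two 48-byte halves)")
    return block[:HALF], block[HALF:], key[:48], key[48:]


def karn_encrypt_block(block: bytes, key: bytes) -> bytes:
    p_l, p_r, k_l, k_r = split_inputs(block, key)
    c_r = xor_bytes(p_r, H(p_l, k_l))  # right half: Pr XOR H(Pl, Kl)
    c_l = xor_bytes(p_l, H(c_r, k_r))  # left half: Pl XOR H(Cr, Kr)
    return c_l + c_r


def karn_decrypt_block(block: bytes, key: bytes) -> bytes:
    c_l, c_r, k_l, k_r = split_inputs(block, key)
    p_l = xor_bytes(c_l, H(c_r, k_r))  # undo the second round first
    p_r = xor_bytes(c_r, H(p_l, k_l))
    return p_l + p_r


def right_half_xor(block_1: bytes, block_2: bytes) -> bytes:
    """XOR of the right halves of two 32-byte blocks."""
    return xor_bytes(block_1[HALF:], block_2[HALF:])


# Constructed sample values, not from the text.
SAMPLE_KEY = bytes(range(96))
A, B, C = b"A" * HALF, b"B" * HALF, b"C" * HALF

if __name__ == "__main__":
    ct_ab = karn_encrypt_block(A + B, SAMPLE_KEY)
    ct_ac = karn_encrypt_block(A + C, SAMPLE_KEY)
    print(karn_decrypt_block(ct_ab, SAMPLE_KEY) == A + B)    # round trip
    print(right_half_xor(ct_ab, ct_ac) == xor_bytes(B, C))   # shared mask cancels
```

The second check holds for any key, which is why a two-round structure of this kind cannot be treated as a secure block cipher even when the hash itself is sound.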
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.