Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

However, I do not trust this construction. It is possible to attack the hash function in a way that hash functions are not designed to withstand. It is not important for hash functions to be able to resist a chosen-plaintext attack, where a cryptanalyst chooses several of those starting 160-bit values, has them “encrypted” by the same 512-bit “key,” and uses this to learn some information about the 512-bit key used. Since the designers did not have to worry about this, it seems like a bad idea to count on your cipher being able to resist this attack.

Security of Ciphers Based on One-Way Hash Functions

While these constructions can be secure, they depend on the choice of the underlying one-way hash function. A good one-way hash function does not necessarily make a secure encryption algorithm. Cryptographic requirements are different. For example, linear cryptanalysis is not a viable attack against one-way hash functions, but works against encryption algorithms. A one-way hash function such as SHA could have linear characteristics which, while not affecting its security as a one-way hash function, could make it insecure in an encryption algorithm such as MDC. I know of no cryptanalytic analysis of particular one-way hash functions as block ciphers; wait for such analysis before you trust any of them.


Figure 14.5  Message Digest Cipher (MDC).

14.12 Choosing a Block Algorithm

It’s a tough decision. DES is almost certainly insecure against the major governments of the world unless you only encrypt very small chunks of data for a single key. It’s probably all right against anyone else, but that is changing soon. Brute-force DES key search machines will quickly become economical for all sorts of organizations.

Biham’s key-dependent S-boxes for DES should be secure for at least a few years against all but the most well-funded adversaries, and possibly even from them. If you need security that lasts decades or fear the cryptanalytic efforts of major governments, use triple-DES with three independent keys.

The other algorithms are not worthless. I like Blowfish because it is fast and I wrote it. 3-WAY looks good, and GOST is probably okay. The problem with any recommendation is that the NSA almost certainly has an array of impressive cryptanalytic techniques that are still classified, and I do not know which algorithms they can break with them. Table 14.3 gives timing measurements for some algorithms. These are meant for comparison purposes only.

My favorite algorithm is IDEA. Its 128-bit key, combined with its resistance to any public means of cryptanalysis, gives me a warm, fuzzy feeling about the algorithm. The algorithm has been analyzed by a lot of different groups, and no serious results have been announced yet. Barring extraordinary cryptanalytic news tomorrow, I am betting on IDEA today.

Table 14.3
Encryption Speeds of Some Block Ciphers on a 33 MHz 486SX

Algorithm                  Encryption Speed     Algorithm            Encryption Speed
                           (Kilobytes/second)                        (Kilobytes/second)

Blowfish (12 rounds)       182                  MDC (using MD4)      186
Blowfish (16 rounds)       135                  MDC (using MD5)      135
Blowfish (20 rounds)       110                  MDC (using SHA)       23
DES                         35                  NewDES               233
FEAL-8                     300                  REDOC II               1
FEAL-16                    161                  REDOC III             78
FEAL-32                     91                  RC5-32/8             127
GOST                        53                  RC5-32/12             86
IDEA                        70                  RC5-32/16             65
Khufu (16 rounds)          221                  RC5-32/20             52
Khufu (24 rounds)          153                  SAFER (6 rounds)      81
Khufu (32 rounds)          115                  SAFER (8 rounds)      61
Luby-Rackoff (using MD4)    47                  SAFER (10 rounds)     49
Luby-Rackoff (using MD5)    34                  SAFER (12 rounds)     41
Luby-Rackoff (using SHA)    11                  3-Way                 25
Lucifer                     52                  Triple-DES            12
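
The following is an added illustration of the two points made above, the "ciphers based on one-way hash functions" construction and the kind of throughput measurement Table 14.3 reports; it is example code, not the book's own source or the exact Luby-Rackoff variant of Section 14.11. It builds a Feistel cipher whose round function is a keyed PRF made from SHA-1 (via Python's hashlib), then times it in kilobytes per second. The 256-bit block, the four rounds, and the subkey derivation SHA-1(key || round index) are assumptions of this example.

```python
# Added illustration, not code from Schneier's book: a Luby-Rackoff-style
# Feistel cipher whose round function is a SHA-1 based keyed PRF, plus a
# throughput timer that reports kilobytes/second, the unit Table 14.3 uses.
import hashlib
import os
import time

BLOCK_BYTES = 32        # assumption: 256-bit block split into two 128-bit halves
HALF = BLOCK_BYTES // 2
ROUNDS = 4              # assumption: four rounds (Luby-Rackoff needs at least three)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LubyRackoffCipher:
    """Feistel network: (L, R) -> (R, L xor F_k(R)) once per round subkey k."""

    def __init__(self, key: bytes):
        # Subkey derivation is an assumption of this example: SHA-1(key || round index).
        self._subkeys = [hashlib.sha1(key + bytes([i])).digest() for i in range(ROUNDS)]

    @staticmethod
    def _f(subkey: bytes, half: bytes) -> bytes:
        # Round function F_k(x) = SHA-1(k || x) truncated to one half block.
        # The cipher is only as strong as this function is pseudorandom under
        # chosen inputs, which is not a property hash functions are designed for.
        return hashlib.sha1(subkey + half).digest()[:HALF]

    def encrypt_block(self, block: bytes) -> bytes:
        if len(block) != BLOCK_BYTES:
            raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
        left, right = block[:HALF], block[HALF:]
        for k in self._subkeys:
            left, right = right, _xor(left, self._f(k, right))
        return left + right

    def decrypt_block(self, block: bytes) -> bytes:
        if len(block) != BLOCK_BYTES:
            raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
        left, right = block[:HALF], block[HALF:]
        # Undo the rounds in reverse order: (L', R') = (R, L xor F_k(R)) so
        # L = R' xor F_k(L') and R = L'.
        for k in reversed(self._subkeys):
            left, right = _xor(right, self._f(k, left)), left
        return left + right


def round_trip(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then decrypt one block; returns the recovered plaintext."""
    cipher = LubyRackoffCipher(key)
    return cipher.decrypt_block(cipher.encrypt_block(plaintext))


def throughput_kb_per_s(key: bytes, n_blocks: int = 2000) -> float:
    """Encrypt n_blocks random blocks and report kilobytes/second for one run."""
    cipher = LubyRackoffCipher(key)
    data = os.urandom(BLOCK_BYTES * n_blocks)   # constructed input, content is irrelevant
    start = time.perf_counter()
    for offset in range(0, len(data), BLOCK_BYTES):
        cipher.encrypt_block(data[offset:offset + BLOCK_BYTES])
    elapsed = max(time.perf_counter() - start, 1e-9)
    return (len(data) / 1024.0) / elapsed


if __name__ == "__main__":
    key = b"example key, 16B"                   # constructed sample key
    msg = b"thirty-two bytes of sample text!"   # constructed 32-byte plaintext
    cipher = LubyRackoffCipher(key)
    ct = cipher.encrypt_block(msg)
    print("ciphertext:", ct.hex())
    print("round trip ok:", round_trip(key, msg) == msg)
    print("throughput: %.1f KB/s (interpreted Python, compare only to itself)"
          % throughput_kb_per_s(key))
```

The decryption loop is the same network run with the subkeys reversed, which is why the construction needs no inverse of the round function and why any one-way hash function can be dropped in. The throughput number is a single-run figure from an interpreted language; like the table's numbers, it is meaningful only relative to other ciphers measured the same way on the same machine.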

