mdc.shar.hdr

mdc加密算法

Path: ghost.dsi.unimi.it!rpi!uwm.edu!cs.utexas.edu!uunet!comp.vuw.ac.nz!waikato.ac.nz!aukuni.ac.nz!cs18.cs.aukuni.ac.nz!pgut1
Newsgroups: sci.crypt
Subject: MDC cipher code (long)
Message-ID: <1992Oct22.063349.28189@cs.aukuni.ac.nz>
From: pgut1@cs.aukuni.ac.nz (Peter Gutmann)
Date: Thu, 22 Oct 1992 06:33:49 GMT
Organization: Computer Science Dept. University of Auckland
Organisation: HPACK Conspiracy Secret Laboratory
Lines: 1432

I posted the following code a few months ago, since then I've revised it
somewhat, cleaned it up a bit, and removed some endianness-related problems
the original code had.  It's been tested (as part of a larger encryption
program) under Aix, Irix, the Macintosh, MSDOS, OS/2, SunOS, and Ultrix, and
compiled (but not tested much) on an Amiga, Archimedes, and Atari ST.

The code is a means of turning one-way hash functions into a secret-key
cipher run in CFB mode.  The cipher runs virtually as fast as the hash
function, and is as secure as the hash function (in fact it should be more
secure - hash functions can be "broken" by finding a collision, whereas the
cipher requires the reversing of the function).

The code below uses the MD5 message digest algorithm, with the Mysterious
Constants replaced with key-dependant values (you could also use SHS/SHA if
you wanted, but regular readers of sci.crypt will probably know my opinion of
SHA vs MD5 :-).  Normally the constants are defined as:

>      In step i, the additive constant is the integer part of
>      4294967296 times abs(sin(i)), where i is in radians.

The cipher, called MDC (Message Digest Cipher), simply uses constants derived
from a user-supplied key instead.  The key setup is basically the same as
that used in my NSEA cipher code, with the Mysterious Constants being
generated by running MD5 over a buffer containing the user key, with the MD5
initial value being set to the IV.  These are then substituted for the
standard MD5 constants to create the MDC function.

I believe that using a one-way hash function in this manner makes more sense
than using a true cipher since, when used in CFB mode, the cipher is simply
acting as a hash function anyway.

I've asked Ron Rivest, the inventor of MD5, for his comments on MDC, and he
was of the opinion that changing the mysterious constants to other (random)
values would not weaken MD5, and that if both the input and output values (or
many such) are known (ie as part of a chosen plaintext attack), there isn't
any way of recovering the constants.  On the other hand he says he hasn't
thought about this option too much (MDC is a pretty strange way to use a
message digest algorithm :-).

None of the following code is patented or restricted in any way.  The MD5
code has been placed in the public domain by it's authors, and any additional
code I've added as well as the MDC support routines are also in the public
domain.  In addition, the MD5 code is *not* covered by US export restrictions
since it can't be used as general purpose-encryption code (well, until now
anyway :-).

To compile the code, you need to tell it what endianness the machine you're
running on is.  Do this with -DBIG_ENDIAN (the default), or -DLITTLE_ENDIAN.
The code can be made endianness-independant, but this results in a
significant speed penalty.  Also, the MD5Transform() routine in the MD5 code
breaks some compilers, specifically the Irix cc, TopSpeed C under MSDOS/OS2,
Norcroft C on the Archimedes, and Ultrix vcc.  To avoid this, define IRIX,
__ARC__, __TSC__. or VCC as appropriate to compile a version which has been
broken up into 4 seperate passes.  If your compiler grinds to a halt
compiling the MD5 code, you'll have to add it to the list, as well as
emailing me so I can update my copy of the code.

In addition to the default simple encryption program, the following compile
options are possible:

    TIME_TRIAL  - Encrypt 10MB of data for timing purposes
    SETUP_TRIAL - Perform 100 key setup operations for timing purposes
    TEST_VERSION- Output test encryption values.

When compiled with -DTEST_VERSION, the output of the program is:

Key 00000000000000000000000000000000, data 00000000000000000000000000000000:
    88D742CF859F94B635EF18A77FD7D4A0
Key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, data FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
    1E9285C7A8101E22ACFC714E20762139
Key 00000000000000000000000000000001, data 00000000000000000000000000000000:
    F5F8A1E03129495961C67445F2CE4CCF
Key 00000000000000000000000000000000, data 00000000000000000000000000000001:
    60B4DC803BC5BEF1DEBED86E66B8437A
Key 80000000000000000000000000000000, data 00000000000000000000000000000000:
    875C20E8494995F3E3005E086DA3EFAA
Key 00000000000000000000000000000000, data 80000000000000000000000000000000:
    A41DD80386C1808EE7711C08BF5CEA7F
Key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, data 00000000000000000000000000000000:
    782B37AB38DAEFF43BD6BC7D2965B4F9
Key 00000000000000000000000000000000, data FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
    9F564E42DACB42DBF21C57C092285896
Key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, data 00000000000000000000000000000001:
    5AE30BE155C55FBDA5CC4D4F17B42FCE
Key 00000000000000000000000000000001, data FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
    3D8A26A7EEFEF1D0030A0127D4700149
Key 01010101010101010101010101010101, data 01010101010101010101010101010101:
    1F9C8A65F2DF350CB1ADEE5BB10286E7
Key 80808080808080808080808080808080, data 80808080808080808080808080808080:
    D34C2406770463D01EB95895F74E0A75
Key 0123456789ABCDEFFEDCBA9876543210, data 0123456789ABCDEFFEDCBA9876543210:
    434EDED2A66F7171756D467B57614623
Key FEDCBA98765432100123456789ABCDEF, data FEDCBA98765432100123456789ABCDEF:
    7697FF47E42AA04CEEB1C768D9DE2786

If you get values like:

Key 00000000000000000000000000000000, data 00000000000000000000000000000000:
    FA425D688965BFF194F68135D75A32B7
Key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, data FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:
    30F23F7D205842B46CF6D66CC2CB8AB0
[etc]

then the CPU endianness define has been set wrong.

These test values can be used to check things are running properly.  In
addition the MDC/MD5 output can be compared against the unmodified MD5 code
output for accuracy.

Comments, flames, etc to pgut1@cs.aukuni.ac.nz.

Oh yes, I use tabs of 4 (':set tabstop=4' in vi), pipe it through 'expand' if
this is a problem.
		[ Done: I really cannot stand 4 chars tabs! -vince@ghost ]