Security Engineering - Ross Anderson
5.6 Hash functions
In section 5.4.3.1 I showed how the Luby-Rackoff theorem enables us to construct a block cipher from a hash function. It's also possible to construct a hash function from a block cipher⁵. The trick is to feed the message blocks one at a time to the key input of our block cipher, and use it to update a hash value (which starts off at, say, 0). In order to make this operation non-invertible, we add feedforward: the hash value that goes into each round is exclusive or'ed with that round's output to give the next hash value. This Davies-Meyer construction gives our final mode of operation of a block cipher (Figure 5.16).
The birthday theorem makes another appearance here, in that if a hash function is built this way, its output is only as wide as the cipher's block, and it is possible to find two messages with the same hash with an effort of roughly the square root of the number of possible hash values (hash slightly more than that many messages and look for a match). So a 64-bit block cipher is not adequate, as forging a message would cost of the order of the square root of the number of 64-bit values in hashed messages, which is just too easy. A 128-bit cipher such as AES used to be just about adequate, and in fact the AACS content protection mechanism in Blu-ray DVDs used ‘AES-H’, the hash function derived from AES in this way.
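The two points above, the Davies-Meyer mode itself and the birthday bound on its block width, can be seen together in a short program. The following is an added example, not code from the book or from AACS: it builds a Davies-Meyer hash over AES-128 (each 16-byte message block is used as the AES key, the running hash is the plaintext, and the feedforward XOR is applied), and then searches for a collision on a deliberately truncated 24-bit version of the output to show that the work needed grows with the square root of the number of possible hash values rather than with the number itself. The padding rule (append 0x80, zero-fill, and end with the message bit length, i.e. Merkle-Damgård strengthening) is this example's own choice; the book's passage does not specify one, and AES-H's exact padding is not assumed here.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// blockSize is the AES block size and the AES-128 key size, both 16 bytes.
const blockSize = 16

// padMessage splits msg into 16-byte blocks. The padding (0x80, zeros, then the
// 64-bit message length in bits) is this example's assumption, chosen so that
// messages of different lengths never end on an identical final block.
func padMessage(msg []byte) [][]byte {
	bitLen := uint64(len(msg)) * 8
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%blockSize != blockSize-8 {
		padded = append(padded, 0x00)
	}
	var lenField [8]byte
	binary.BigEndian.PutUint64(lenField[:], bitLen)
	padded = append(padded, lenField[:]...)

	blocks := make([][]byte, 0, len(padded)/blockSize)
	for i := 0; i < len(padded); i += blockSize {
		blocks = append(blocks, padded[i:i+blockSize])
	}
	return blocks
}

// daviesMeyer computes the Davies-Meyer hash: starting from an all-zero hash
// value, each message block becomes the AES key, the current hash value is
// encrypted under it, and the result is XORed (feedforward) with the hash
// value that went in. The feedforward is what makes each step non-invertible.
func daviesMeyer(msg []byte) ([]byte, error) {
	h := make([]byte, blockSize) // hash value starts off at 0
	for _, m := range padMessage(msg) {
		c, err := aes.NewCipher(m) // message block on the key input
		if err != nil {
			return nil, err
		}
		out := make([]byte, blockSize)
		c.Encrypt(out, h)
		for j := range h {
			h[j] = out[j] ^ h[j] // feedforward: next hash value
		}
	}
	return h, nil
}

// findTruncatedCollision hashes the constructed messages "msg-0", "msg-1", ...
// and returns the first pair whose hashes agree in the low truncBits bits of
// their first four bytes, plus how many messages had to be hashed. truncBits
// must be at most 32. By the birthday theorem this takes about the square root
// of 2^truncBits attempts, not 2^truncBits.
func findTruncatedCollision(truncBits uint) (string, string, int, error) {
	if truncBits == 0 || truncBits > 32 {
		return "", "", 0, fmt.Errorf("truncBits must be in 1..32, got %d", truncBits)
	}
	mask := uint32(1)<<truncBits - 1
	seen := map[uint32]string{}
	for i := 0; ; i++ {
		m := fmt.Sprintf("msg-%d", i)
		h, err := daviesMeyer([]byte(m))
		if err != nil {
			return "", "", 0, err
		}
		tag := binary.BigEndian.Uint32(h[:4]) & mask
		if prev, ok := seen[tag]; ok {
			return prev, m, i + 1, nil
		}
		seen[tag] = m
	}
}

func main() {
	h, err := daviesMeyer([]byte("hello"))
	if err != nil {
		panic(err)
	}
	fmt.Println("Davies-Meyer/AES-128 of \"hello\":", hex.EncodeToString(h))

	// A 24-bit hash has about 16.7 million possible values; a collision turns up
	// after only a few thousand hashes, not millions.
	a, b, tries, err := findTruncatedCollision(24)
	if err != nil {
		panic(err)
	}
	fmt.Printf("24-bit collision between %q and %q after %d hashes\n", a, b, tries)
}
```

Running it prints the full 128-bit digest and then a pair of distinct messages that agree on their first 24 hash bits, found after a few thousand hashes. The same search against the full 128-bit output is what the birthday theorem rules out in practice, and it is why a 64-bit block cipher, whose truncated-to-64-bit analogue of this search needs only on the order of billions of hashes, is not adequate as the basis for a hash function.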