The NIST server is down. Care to post the algorithm?
By the term "crib" do you mean a known-plaintext?

I'd like to see a proof that it is not possible to alter the final block to make it decrypt to all zeroes; that seems worse than CRCs, and putting a CRC at the end of the plaintext is a common, and often broken, way to do integrity checking, because it's linear and allows the opponent to toggle bits in the plaintext and fix the CRC without breaking the encryption.

I don't see how appending a hash of the plaintext could be a crib. The encryption prevents the opponent from knowing the plaintext, so he wouldn't know what the hash preimage is. If you encrypt the hash, you basically have HMAC without using a keyed hash.

There are block modes that do integrity and encryption at the same time; does this offer an advantage over them, and if so how?

-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
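As an added example (not from the thread), a property test of the linearity point made above: a CRC is affine under XOR, so tag(a XOR b) == tag(a) XOR tag(b) XOR tag(0) for equal-length inputs, whereas a keyed hash such as HMAC-SHA256 does not have this property. The test uses constructed random inputs and an assumed random key.

```python
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_tag(msg: bytes) -> bytes:
    """CRC-32 as used by zlib, rendered as a 4-byte tag."""
    return zlib.crc32(msg).to_bytes(4, "big")


def hmac_sha256_tag(msg: bytes, key: bytes) -> bytes:
    """Keyed integrity tag: HMAC-SHA256 over the message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def is_xor_affine(tag, msg_len: int, trials: int = 64) -> bool:
    """Return True if tag(a ^ b) == tag(a) ^ tag(b) ^ tag(0) for every
    random pair tried.  A tag with this property lets a bit flip in the
    message be matched by a predictable flip in the tag, which is why a
    CRC under a stream-style cipher gives no integrity protection."""
    zero_tag = tag(bytes(msg_len))
    for _ in range(trials):
        a = os.urandom(msg_len)  # constructed sample input
        b = os.urandom(msg_len)  # constructed sample input
        expected = xor_bytes(xor_bytes(tag(a), tag(b)), zero_tag)
        if tag(xor_bytes(a, b)) != expected:
            return False
    return True


def compare_tags(msg_len: int = 32) -> dict:
    """Run the affinity check against CRC-32 and HMAC-SHA256."""
    key = os.urandom(32)  # assumed secret key for the HMAC
    return {
        "crc32_affine": is_xor_affine(crc32_tag, msg_len),
        "hmac_affine": is_xor_affine(lambda m: hmac_sha256_tag(m, key), msg_len),
    }


if __name__ == "__main__":
    print(compare_tags())  # expected: crc32_affine True, hmac_affine False
```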