Hi Ben, Travis

IGE, if this description summarized by Travis is correct, appears to be a re-invention of Anton Stiglic and my proposed FREE-MAC mode. However the FREE-MAC mode (below described as IGE) was broken back in Mar 2000 or maybe earlier by Gligor, Donescu and Iorga. I recommend you do not use it. There are simple attacks which allow you to manipulate ciphertext blocks with XOR of a few blocks and get error recovery a few blocks later; and of course with free-mac error recovery means the MAC is broken, because the last block is undisturbed.

There is some more detail here:

http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st

Adam

On Mon, Sep 04, 2006 at 04:28:51PM -0500, Travis H. wrote:
> Nevermind the algorithm, I saw the second PDF.
>
> For the other readers, the algorithm in more
> standard variable names is:
>
> c_i = f_K(p_i xor c_(i-1)) xor p_(i-1)
>
> IV = <p_(-1), c_(-1)>
>
> I suppose the dependency on c_(i-1) and p_(i-1) is the part that
> prevents the attacker from predicting and controlling the garble.
> --
> "If you're not part of the solution, you're part of the precipitate."
> Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
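
The recurrence quoted above and its inverse, as an added example that is not part of the original thread. It shows only the baseline behaviour a free-MAC design relies on (one flipped ciphertext bit garbles every later plaintext block, including the last); it does not reproduce the crafted multi-block XOR changes Adam refers to, after which the last block is undisturbed. Assumptions: `f_K` is a stand-in 4-round Feistel permutation built from HMAC-SHA256, and the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes; block size of the stand-in f_K (assumption: toy Feistel, not a vetted cipher)
KEY = b"constructed demo key"           # constructed sample values
IV = (bytes(BLOCK), b"\xff" * BLOCK)    # IV = <p_(-1), c_(-1)>
MESSAGE = [bytes([i]) * BLOCK for i in range(6)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def f_enc(key, block):  # stand-in for f_K
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right

def f_dec(key, block):  # inverse permutation of f_enc
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right

def ige_encrypt(key, iv, blocks):
    p_prev, c_prev = iv
    out = []
    for p in blocks:
        c = xor(f_enc(key, xor(p, c_prev)), p_prev)  # c_i = f_K(p_i xor c_(i-1)) xor p_(i-1)
        out.append(c)
        p_prev, c_prev = p, c
    return out

def ige_decrypt(key, iv, blocks):
    p_prev, c_prev = iv
    out = []
    for c in blocks:
        p = xor(f_dec(key, xor(c, p_prev)), c_prev)  # p_i = f_K^-1(c_i xor p_(i-1)) xor c_(i-1)
        out.append(p)
        p_prev, c_prev = p, c
    return out

def damaged_blocks(key, iv, blocks, index):
    ct = ige_encrypt(key, iv, blocks)
    ct[index] = xor(ct[index], b"\x01" + bytes(BLOCK - 1))  # flip one ciphertext bit
    got = ige_decrypt(key, iv, ct)
    return [i for i, (a, b) in enumerate(zip(blocks, got)) if a != b]
```

`damaged_blocks(KEY, IV, MESSAGE, 2)` lists the plaintext block indices that no longer match after the bit flip in ciphertext block 2.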