Travis H. wrote:
> By the term "crib" do you mean a known-plaintext?

Yes.

> I'd like to see a proof that it is not possible to alter the final
> block to make it
> decrypt to all zeroes; that seems worse than CRCs and putting a CRC at the
> end of the plaintext is a common, and often broken, way to do integrity
> checking, because it's linear and allows the opponent to toggle bits in the
> plaintext and fix the CRC without breaking the encryption.
> 
> I don't see how appending a hash of the plaintext could be a crib.  The
> encryption prevents the opponent from knowing the plaintext, so
> he wouldn't know what the hash preimage is.  If you encrypt the hash,
> you basically have HMAC without using a keyed hash.

You decrypt with your guessed key. If the hash matches, then the key was
correct.

> There are block modes that do integrity and encryption at the same time;
> does this offer and advantage over them, and if so how?

Its cheap. However, my main interest is in biIGE, since any change to
the ciphertext changes all of the plaintext, which is useful for some
protocols, in particular, Minx (http://www.apache-ssl.org/minx.pdf).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to