On 9/9/06, Adam Back <[EMAIL PROTECTED]> wrote:
IGE if this description summarized by Travis is correct, appears to be
a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
However the FREE-MAC mode (below described as IGE) was broken back in
Mar 2000 or maybe earlier by Gligor, Donescu and Iorga.  I recommend
you do not use it.  There are simple attacks which allow you to
manipulate ciphertext blocks with XOR of a few blocks and get error
recovery a few blocks later; and of course with free-mac error
recovery means the MAC is broken, because the last block is


I don't see why integrity+confidentiality has to cost n log n
operations.  I haven't read the whole paper yet (and the proof is at
the end), but I don't see why you can't append a universal hash
(chosen by a second key, or at random and identified in the plaintext
in some suitable way) of the input to the plaintext prior to
encryption, and get integrity for cheap.  Or are universal hashes
considered cryptographic-weight primitives, and thus this constitutes
a "second pass" over the plaintext?  I must admit I don't know of any
lower bound on universal hash complexity... wikipedia only mentions
f(x) = ax + b mod p, (p prime) which is clearly less heavy than modexp
and other PK algos, and it looks like you could do it incrementally
over the plaintext x, I think... my intuition tells me this is way
faster than a block cipher.
"On the Internet noone knows you're a dog - except Bruce Schneier."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to