On 9/9/06, Adam Back <[EMAIL PROTECTED]> wrote:
> IGE if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and Iorga.  I recommend
> you do not use it.  There are simple attacks which allow you to
> manipulate ciphertext blocks with XOR of a few blocks and get error
> recovery a few blocks later; and of course with free-mac error
> recovery means the MAC is broken, because the last block is
> undisturbed.
> > http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st

Travis H. wrote:
I don't see why integrity+confidentiality has to cost n log n
operations.  I haven't read the whole paper yet (and the proof is at
the end)

The idea of costlessly piggybacking integrity on top of confidentiality is to have error propagation, so that any fiddling with the message will cause all packets after the fiddling to be random noise.

Unfortunately, if this is done with linear operations, it can be undone with linear operations. If it is done with non-linear operations (my recommendation), it is hard to prove anything.

> Or are universal hashes
> considered cryptographic-weight primitives, and thus this constitutes
> a "second pass" over the plaintext?

The idea is to get integrity for free, but unfortunately so many integrity-for-free schemes have come undone, making people suspicious.
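An added illustration of the mechanism under discussion (my own toy code, not from any poster and not the FREE-MAC or IGE reference implementation): IGE chaining over a stand-in Feistel block cipher, a constant trailer block serving as the "free" MAC, and a helper showing that one flipped ciphertext bit garbles every later plaintext block, trailer included. Assumptions: 16-byte blocks, a toy cipher in place of a real one, an all-zero trailer as the check value, and messages already padded to a block multiple.

```python
import hashlib

BLOCK = 16
CHECK = bytes(BLOCK)  # constant trailer; FREE-MAC accepts only if it decrypts intact

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:  # toy 128-bit Feistel, NOT AES
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return l + r

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, hashlib.sha256(key + bytes([rnd]) + l).digest()[:8]), l
    return l + r

def ige_encrypt(key: bytes, iv_c: bytes, iv_p: bytes, pt: bytes) -> bytes:
    prev_c, prev_p, out = iv_c, iv_p, []
    for i in range(0, len(pt), BLOCK):
        p = pt[i:i + BLOCK]
        c = xor(toy_encrypt(key, xor(p, prev_c)), prev_p)  # c_i = E(p_i^c_{i-1})^p_{i-1}
        out.append(c)
        prev_c, prev_p = c, p
    return b"".join(out)

def ige_decrypt(key: bytes, iv_c: bytes, iv_p: bytes, ct: bytes) -> bytes:
    prev_c, prev_p, out = iv_c, iv_p, []
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        p = xor(toy_decrypt(key, xor(c, prev_p)), prev_c)  # p_i = D(c_i^p_{i-1})^c_{i-1}
        out.append(p)
        prev_c, prev_p = c, p  # a changed c_i or p_i feeds into every later block
    return b"".join(out)

def free_mac_seal(key, iv_c, iv_p, msg: bytes) -> bytes:  # msg length multiple of BLOCK
    return ige_encrypt(key, iv_c, iv_p, msg + CHECK)

def free_mac_open(key, iv_c, iv_p, ct: bytes):
    pt = ige_decrypt(key, iv_c, iv_p, ct)
    return pt[:-BLOCK] if pt[-BLOCK:] == CHECK else None  # None = tampering detected

def garbled_after_flip(key, iv_c, iv_p, msg: bytes, blk: int) -> list:
    ct = bytearray(free_mac_seal(key, iv_c, iv_p, msg))
    ct[blk * BLOCK] ^= 0x01  # one-bit change in ciphertext block blk
    pt, full = ige_decrypt(key, iv_c, iv_p, bytes(ct)), msg + CHECK
    return [i for i in range(len(full) // BLOCK)  # plaintext blocks that no longer match
            if pt[i * BLOCK:(i + 1) * BLOCK] != full[i * BLOCK:(i + 1) * BLOCK]]
```

The flip helper shows only the propagation property the scheme relies on, not the published break; as the thread notes, the chaining is plain XOR, so the trailer check by itself is not a sound integrity guarantee.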

The Cryptography Mailing List