[8294] in cryptography@c2.net mail archive
Re: IBM press release - encryption and authentication
daemon@ATHENA.MIT.EDU (David Wagner)
Sun Dec 17 22:54:20 2000
To: cryptography@c2.net
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 18 Dec 2000 03:37:32 GMT
Message-ID: <91k0ps$m3$1@abraham.cs.berkeley.edu>
Reply-To: daw@cs.berkeley.edu (David Wagner)
William Allen Simpson wrote:
>As far as I can tell, the only unique element is the mod 2^128 - 159
>function. We just need to use another function.
>
>My own favorite (in CBCS) has been rotation by the population count [...]

The uniquely valuable aspect of Jutla's scheme (and other related
schemes, e.g. Gligor's or Rogaway's schemes) is that it comes with
a proof of security.

History shows that it is extremely easy to propose schemes for
encryption-with-integrity that are plausible-looking yet nonetheless
entirely broken. At this point, I don't think I would trust very much
a proposal without a proof.

And I think it would be fair to say that CBCS falls into the camp of
plausible but unproven proposals. (Correct me if I'm wrong!)