What's the state of the art in one-pass integrity/encryption?

Steven M. Bellovin smb at research.att.com
Sun Nov 25 11:57:48 EST 2001


In message <4.3.1.2.20011125111612.024279c0 at 127.0.0.1>, Greg Rose writes:
>All of the early schemes were broken, as was the NSA's submission to the 
>AES Modes of Operation workshop. However, three schemes, all similar in 
>principle, have not only survived, but have proofs of correctness. The 
>first was Charanjit Jutla's IAPM mode, another is Rogaway's OCB, and the 
>third is from Gligor and Pompescu but I can't remember its name (I'm 
>passing through SFO as I write this, so forgive me for not having 
>references to hand).
>
>Phil Hawkes and I have extended IAPM (and I believe the method is 
>applicable to the other modes too) so that you can authenticate parts of 
>the message that are not encrypted, like IP headers for example. We sent 
>public comments to NIST about this, or I can post more detail if you need.
>

Rogaway's OCB is patent-pending -- see
http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm#patent:phil

Gligor and Donescu's NIST submission said that they had filed patent 
applications, too: http://csrc.nist.gov/encryption/modes/workshop1/presentations/slides-gligor.pdf

And http://csrc.nist.gov/encryption/modes/workshop1/workshop-report.pdf
indicates that IBM has filed for patent applications on IAPM.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com




