What you say is true about CTR mode. However, in CBC mode there's an attack in which the attacker chooses the first block of the plaintext based on the IV, so the proofs of security only work if the IVs are random and unpredictable.
IGE mode has been proposed several times with different names over the years; I proposed it about nine years ago and called it SBC, then discovered that Michael Brown at Dublin University had proposed it about eighteen months earlier and called it X-CBC. ABC seems to be an interesting extension. However, many similar attempts to build one-pass authenticated-encryption modes of operation have been broken, and as a result these days people tend to demand a proof of security. All the modes I'm advocating, as well as other patent-encumbered modes such as OCB, come with such a proof. I think it would be foolhardy to opt for a mode that does not have such a proof. The extra cost of GGM over CBC is pretty small - a single multiply in GF(2^128). And unlike CBC, GGM is parallelizable.
Date: 2006-09-04 01:57 pm (UTC)
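The CBC point in the comment above, shown as an added example that is not part of the original comment: with a predictable IV, a first block chosen from that IV makes the ciphertext reveal whether a guessed plaintext block is right, while a random IV removes the signal. The block cipher here is a stand-in Feistel construction rather than AES, and the counter-style IV, the function names and the sample blocks are all assumptions made for the illustration.

```python
import hashlib, hmac, secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    # Stand-in 128-bit block cipher (assumption): 4-round Feistel over
    # HMAC-SHA256, used only so the example needs no AES library.
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, blocks):
    # Textbook CBC: each plaintext block is XORed with the previous
    # ciphertext block (the IV for the first block) before encryption.
    out, prev = [], iv
    for p in blocks:
        prev = encrypt_block(key, xor(p, prev))
        out.append(prev)
    return out

def next_counter_iv(iv):
    # Hypothetical predictable IV scheme: previous IV plus one.
    return ((int.from_bytes(iv, "big") + 1) % (1 << 128)).to_bytes(16, "big")

def guess_confirmed(predictable_iv, secret, guess):
    """True if the chosen first block confirms that guess == secret."""
    key = secrets.token_bytes(16)
    iv0 = secrets.token_bytes(16)
    c0 = cbc_encrypt(key, iv0, [secret])[0]   # observed: E(secret ^ iv0)
    predicted = next_counter_iv(iv0)          # IV the observer expects next
    iv1 = predicted if predictable_iv else secrets.token_bytes(16)
    probe = xor(xor(guess, iv0), predicted)   # first block chosen from the IV
    c1 = cbc_encrypt(key, iv1, [probe])[0]    # E(guess ^ iv0) iff iv1 == predicted
    return c1 == c0

SECRET = b"PIN=4821;pad=..."  # constructed 16-byte sample block
WRONG = b"PIN=0000;pad=..."   # constructed wrong guess

if __name__ == "__main__":
    print("predictable IV, right guess:", guess_confirmed(True, SECRET, SECRET))
    print("predictable IV, wrong guess:", guess_confirmed(True, SECRET, WRONG))
    print("random IV, right guess:     ", guess_confirmed(False, SECRET, SECRET))
```
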