Re: Quor's cipher
ghio@temp0126.myriad.ml.org (Matt Ghio) writes:
What about this:
If (a+b)^(a0+b0) == 0, then the plaintext is the same as the ciphertext. This happens for one out of every 256 bytes. Ordinarily this isn't a problem, but if the key is reused, and there is no IV, it can leak a byte of plaintext.
So it seems that you would need to change the key for each message, or at least use a random initialization vector.
How are you planning to detect which bytes are passed in this way ? Chosen plaintext attacks would do it, and show where (a+b)^(a0+b0) == 0. Looks like you've just doubled our progress.

If the key is reused with a different message I don't think there's a weakness. An IV is a good idea, but aren't we _attacking_ this thing ?

I've grabbed a few search-engine hits and not read them yet. I'll be looking for clues there.

--
##############################################################
# Antonomasia   ant@notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
Antonomasia <ant@notatla.demon.co.uk> wrote:
How are you planning to detect which bytes are passed in this way ? Chosen plaintext attacks would do it, and show where (a+b)^(a0+b0) == 0. Looks like you've just doubled our progress.
It doesn't take chosen plaintext, just known plaintext.
If the key is reused with a different message I don't think there's a weakness. An IV is a good idea, but aren't we _attacking_ this thing ?
Lack of an IV is a problem with almost any cipher, but it seems especially so here.
Matthew Ghio wrote:
Antonomasia <ant@notatla.demon.co.uk> wrote:
How are you planning to detect which bytes are passed in this way ? Chosen plaintext attacks would do it, and show where (a+b)^(a0+b0) == 0. Looks like you've just doubled our progress.
It doesn't take chosen plaintext, just known plaintext.
Even in the case where this doesn't work, you can simply collect all 128 plaintext/ciphertext pairs for the first byte (if you can get enough known plaintexts)
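The thread makes two points that are easier to see in running code: a byte-wise stream cipher leaves about 1 in 256 ciphertext bytes equal to the plaintext (wherever the keystream byte is zero), and if the same key is reused with no IV, the keystream repeats, so known plaintext in one message strips the same positions of every other message under that key, which is exactly why a per-message IV is the fix. The example below is added here and is not Quor's cipher or anything the posters wrote: Quor's internal state update is not reproduced, and an HMAC-SHA256 counter-mode keystream is assumed in its place, since the reuse and zero-byte effects depend only on the keystream being reused, not on how it is generated. The key, messages and IVs are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key (not from the thread); NO_IV models "no initialization vector".
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NO_IV = b""


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode over (key, iv).

    Assumption: this is NOT Quor's cipher, just a generic byte keystream so the
    effects discussed in the thread can be observed. Same (key, iv) -> same stream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def zero_keystream_positions(key: bytes, iv: bytes, length: int) -> list:
    """Positions whose keystream byte is 0, so the ciphertext byte equals the plaintext byte."""
    return [i for i, k in enumerate(keystream(key, iv, length)) if k == 0]


def fraction_unchanged(key: bytes, iv: bytes, length: int) -> float:
    """Share of bytes the cipher leaves unchanged; for a random keystream about 1/256."""
    return len(zero_keystream_positions(key, iv, length)) / length


def keystream_from_known_plaintext(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext at a position reveals the keystream byte at that position."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def bytes_exposed_by_reuse(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """If c2 was produced under the same key with the same (or no) IV, the keystream
    recovered from c1 strips c2 over the overlapping length. With a fresh IV per
    message the recovered bytes are unrelated to the real plaintext."""
    ks = keystream_from_known_plaintext(c1, known_p1)
    return bytes(c ^ k for c, k in zip(c2, ks))


def reuse_leak_demo(iv1: bytes, iv2: bytes) -> tuple:
    """Encrypt two constructed messages under KEY with the given IVs and try the
    known-plaintext recovery of message 2. Returns (recovered, actual m2 prefix)."""
    m1 = b"Subject: meeting at noon"   # constructed; assumed known to the analyst
    m2 = b"Subject: the real secret"   # constructed; the message being protected
    c1 = encrypt(KEY, iv1, m1)
    c2 = encrypt(KEY, iv2, m2)
    recovered = bytes_exposed_by_reuse(c1, m1, c2)
    return recovered, m2[: len(recovered)]


if __name__ == "__main__":
    print("fraction of bytes left unchanged:", fraction_unchanged(KEY, NO_IV, 1 << 16))
    got, real = reuse_leak_demo(NO_IV, NO_IV)
    print("same key, no IV     -> message 2 exposed:", got == real)
    got, real = reuse_leak_demo(b"\x01" * 8, b"\x02" * 8)
    print("same key, fresh IVs -> message 2 exposed:", got == real)
```

Run as a script, it reports an unchanged-byte fraction close to 0.0039 (1/256), full exposure of the second message when the key is reused with no IV, and no exposure once each message gets its own IV. The same counting argument applies to any cipher whose ciphertext is plaintext XOR a key-dependent byte stream, which is why the IV matters independently of Quor's particular mixing function.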