**I will not**be buying an Apple iPhone. No one in my extended family will be buying an Apple iPhone. I am, however, carefully watching lkcl's progress in putting Free Software on slightly less proprietary gadgets.

**It turns out** (as I had expected) the idea of
combining encipherment and secure hashing in one operation
is familiar
in the crypto industry. However, the approaches I see
published look painfully crude. EAX and CCM, in particular,
are no faster than enciphering normally and then hashing
with SHA, so what's the point? Kerberos 4 used "propagating
CBC" which has the weakness that if you swap two
(at-the-time 8-byte)
ciphertext blocks, the plaintext is garbled but the checksum
is good. That should be fixable with (more-or-less-) simple
whitening. E.g, here's 16 bytes of endian-agnostic whitening:

#define MASK64 0x00ff00ff00ff00ffULL #define WASH64 0x005a005a005a005aULL sum_lo = ((((sum_lo & MASK64) + WASH64) & MASK64) | (((sum_lo & ~MASK64) + (WASH64<<8)) & ~MASK64)); sum_hi = ((((sum_hi & MASK64) + WASH64) & MASK64) | (((sum_hi & ~MASK64) + (WASH64<<8)) & ~MASK64));I kind of prefer the CFB w/checksum approach:

C(i) = sum(i-1) XOR P(i) sum(i) = W(sum(i-1)) XOR AES(C(i)) sum(0) = AES(IV)where W is whitening as above.

apenwarr: Automatic variable-type (and argument-type) deduction from initialization value is (1) well-known from Haskell and ML, (2) one of the important new features of C++09, and (3) coming this year or early next to a GNU G++ near you. C# could have had the feature any time, but MS didn't think of adding it until they saw C++ would have it. Of course it's particularly useful only when you have real templates.