IGE mode is broken (Re: IGE mode in OpenSSL)

Ben Laurie ben at algroup.co.uk
Sat Sep 9 16:39:04 EDT 2006 

Adam Back wrote:
> Hi Ben, Travis
> 
> IGE if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and Iorga.  I recommend
> you do not use it.  There are simple attacks which allow you to
> manipulate ciphertext blocks with XOR of a few blocks and get error
> recovery a few blocks later; and of course with free-mac error
> recovery means the MAC is broken, because the last block is
> undisturbed.
> 
> There is some more detail here:
> 
> http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st

Interesting. In fact, Gligor et al appear to have proposed IGE rather
later than this date (November 2000).

In any case, I am not actually interested IGE itself, rather in biIGE
(i.e. IGE applied twice, once in each direction), and I don't care about
authentication, I care about error propagation - specifically, I want
errors to propagate throughout the plaintext.

In fact, I suppose I do care about authentication, but in the negative
sense - I want it to not be possible to authenticate the message.

These properties are needed for the Minx protocol.

So, I mentioned the authentication properties in passing. It is,
however, good to know they don't work! And I love the more general
result in the paper mentioned (http://eprint.iacr.org/2000/039/).

I may have misunderstood the IGE paper, but I believe it includes proofs
for error propagation in biIGE. Obviously if you can prove that errors
always propagate (with high probability, of course) then you can have
authentication cheaply - in comparison to the already high cost of
biIGE, that is.

Thanks!

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list