IGE mode is broken (Re: IGE mode in OpenSSL)
Ben Laurie
ben at algroup.co.uk
Sat Sep 9 16:39:04 EDT 2006
Adam Back wrote:
> Hi Ben, Travis
>
> IGE if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and Iorga. I recommend
> you do not use it. There are simple attacks which allow you to
> manipulate ciphertext blocks with XOR of a few blocks and get error
> recovery a few blocks later; and of course with free-mac error
> recovery means the MAC is broken, because the last block is
> undisturbed.
>
> There is some more detail here:
>
> http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st
Interesting. In fact, Gligor et al appear to have proposed IGE rather
later than this date (November 2000).
In any case, I am not actually interested in IGE itself, rather in biIGE
(i.e. IGE applied twice, once in each direction), and I don't care about
authentication, I care about error propagation - specifically, I want
errors to propagate throughout the plaintext.
In fact, I suppose I do care about authentication, but in the negative
sense - I want it to not be possible to authenticate the message.
These properties are needed for the Minx protocol.
So, I mentioned the authentication properties in passing. It is,
however, good to know they don't work! And I love the more general
result in the paper mentioned (http://eprint.iacr.org/2000/039/).
I may have misunderstood the IGE paper, but I believe it includes proofs
for error propagation in biIGE. Obviously if you can prove that errors
always propagate (with high probability, of course) then you can have
authentication cheaply - in comparison to the already high cost of
biIGE, that is.
Thanks!
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
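The error-propagation contrast Ben is after (plain IGE propagates damage forward from the damaged block; biIGE, IGE applied once in each direction, spreads it over the whole plaintext), as an added example that is not code from the thread or from OpenSSL. Two assumptions: the block cipher is a toy HMAC-SHA256 Feistel construction standing in for AES so the demo runs with the standard library alone, and bi-IGE is modelled as IGE forward under one key followed by IGE over the reversed block sequence under a second key, which is a simplification and not the exact AES_bi_ige_encrypt construction:

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher, constructed for this example only (not a real cipher):
# a 4-round Feistel network with an HMAC-SHA256 round function. It is an
# invertible keyed permutation on 16-byte blocks, which is all a demo of a
# mode of operation needs; use AES for anything real.
def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


# IGE: c_i = E(p_i xor c_{i-1}) xor p_{i-1}; the two-block IV supplies c_0, p_0.
def ige_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(iv) == 2 * BLOCK and len(plaintext) % BLOCK == 0
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        c = _xor(block_encrypt(key, _xor(p, c_prev)), p_prev)
        out.append(c)
        c_prev, p_prev = c, p
    return b"".join(out)


# Inverse: p_i = D(c_i xor p_{i-1}) xor c_{i-1}. A damaged c_i gives a garbage
# p_i, which is fed into every later block, so the damage runs to the end.
def ige_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    assert len(iv) == 2 * BLOCK and len(ciphertext) % BLOCK == 0
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        p = _xor(block_decrypt(key, _xor(c, p_prev)), c_prev)
        out.append(p)
        c_prev, p_prev = c, p
    return b"".join(out)


def _reverse_blocks(data: bytes) -> bytes:
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(reversed(blocks))


# Simplified bi-IGE (an assumption of this example, not OpenSSL's exact
# AES_bi_ige_encrypt): IGE forward under key1, then IGE over the reversed
# block sequence under key2. Decryption undoes the two passes in reverse.
def bi_ige_encrypt(key1, iv1, key2, iv2, plaintext):
    forward = ige_encrypt(key1, iv1, plaintext)
    backward = ige_encrypt(key2, iv2, _reverse_blocks(forward))
    return _reverse_blocks(backward)


def bi_ige_decrypt(key1, iv1, key2, iv2, ciphertext):
    backward = ige_decrypt(key2, iv2, _reverse_blocks(ciphertext))
    return ige_decrypt(key1, iv1, _reverse_blocks(backward))


def demo_keys(seed: bytes):
    """Deterministic keys and two-block IVs derived from a seed (demo only)."""
    def h(tag):
        return hashlib.sha256(seed + tag).digest()
    return h(b"k1"), h(b"iv1"), h(b"k2"), h(b"iv2")


def flip_bit(data: bytes, block_index: int) -> bytes:
    """Flip the low bit of the first byte of one ciphertext block."""
    buf = bytearray(data)
    buf[block_index * BLOCK] ^= 1
    return bytes(buf)


def corrupted_blocks(original: bytes, recovered: bytes) -> list:
    n = len(original) // BLOCK
    return [i for i in range(n)
            if original[i * BLOCK:(i + 1) * BLOCK] != recovered[i * BLOCK:(i + 1) * BLOCK]]


def ige_damage(n_blocks: int, flipped: int) -> list:
    """Plaintext blocks damaged when one ciphertext bit is flipped under IGE."""
    k1, iv1, _, _ = demo_keys(b"ige")
    pt = b"".join(bytes([i]) * BLOCK for i in range(n_blocks))  # constructed input
    ct = flip_bit(ige_encrypt(k1, iv1, pt), flipped)
    return corrupted_blocks(pt, ige_decrypt(k1, iv1, ct))


def bi_ige_damage(n_blocks: int, flipped: int) -> list:
    """Same measurement under bi-IGE: the damage reaches every block."""
    k1, iv1, k2, iv2 = demo_keys(b"ige")
    pt = b"".join(bytes([i]) * BLOCK for i in range(n_blocks))  # constructed input
    ct = flip_bit(bi_ige_encrypt(k1, iv1, k2, iv2, pt), flipped)
    return corrupted_blocks(pt, bi_ige_decrypt(k1, iv1, k2, iv2, ct))


if __name__ == "__main__":
    print("IGE, flip block 3 of 8:   ", ige_damage(8, 3))     # [3, 4, 5, 6, 7]
    print("bi-IGE, flip block 3 of 8:", bi_ige_damage(8, 3))  # [0, 1, 2, 3, 4, 5, 6, 7]
```

A single flipped bit is the honest-noise case and shows only the propagation property: under IGE the blocks before the damaged one survive, under bi-IGE none do (up to the negligible chance of a block colliding by accident). It says nothing about the integrity claim the thread is rejecting; Adam Back's point is that a crafted XOR of several ciphertext blocks, not a random flip, can make the errors recover a few blocks later and leave the final block intact, and this example does not reproduce that manipulation.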