IGE mode is broken (Re: IGE mode in OpenSSL)
Adam Back
adam at cypherspace.org
Sat Sep 9 10:01:31 EDT 2006
Hi Ben, Travis
IGE, if this description summarized by Travis is correct, appears to be
a re-invention of Anton Stiglic's and my proposed FREE-MAC mode.
However the FREE-MAC mode (below described as IGE) was broken back in
Mar 2000 or maybe earlier by Gligor, Donescu and Iorga. I recommend
you do not use it. There are simple attacks which allow you to
manipulate ciphertext blocks with XOR of a few blocks and get error
recovery a few blocks later; and of course with free-mac error
recovery means the MAC is broken, because the last block is
undisturbed.
There is some more detail here:
http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st
Adam
On Mon, Sep 04, 2006 at 04:28:51PM -0500, Travis H. wrote:
> Never mind the algorithm, I saw the second PDF.
>
> For the other readers, the algorithm in more
> standard variable names is:
>
> c_i = f_K(p_i xor c_(i-1)) xor p_(i-1)
>
> IV = <p_(-1), c_(-1)>
>
> I suppose the dependency on c_(i-1) and p_(i-1) is the part that
> prevents the attacker from predicting and controlling the garble.
> --
> "If you're not part of the solution, you're part of the precipitate."
> Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com