IGE mode is broken (Re: IGE mode in OpenSSL)
James A. Donald
jamesd at echeque.com
Sun Sep 10 16:33:59 EDT 2006
Typo:
James A. Donald wrote:
> Let P(k) be the kth block of plain text. We prepend a
> random block, P(0) to the text, and append a fixed block
> to the end. If anything is altered, the fixed block at
> the end will not contain the expected data, but will be
> gibberish.
>
> The adversary knows every block in the plain text
> message except our P(0). He can intercept and change
> the encrypted message. He wishes to modify the message
> so that the intended recipient receives something
> different from the message that the adversary knows he
> should receive without the intended recipient realizing
> something is wrong.
>
> Let W(k) = P(k) + W(k-1) + W(k-1)&{W(k-1)}
>
> Where & means bitwise and, and + means addition modulo 2
> to the block size.
>
> W(0) = P(0) (our random block, unknown to the adversary
> or the recipient, and changing with every message.)
>
> {} means encryption, {W(k-1)} is the block we get by
> encrypting W(k-1)
>
> We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where |
> means bitwise or, curly brace means encryption.
Should read:
We transmit T(k) = {W(k)} + ((~W(k-11){W(k-1)})
where ~ means bitwise negation, | means bitwise or,
curly brace means encryption.
> W(-1) is zero.
>
> The adversary knows P(k), except for P(0), and can
> intercept all transmitted values T(k).
>
> Because the combination of addition and bitwise logical
> operations is non linear, this method gets through a
> loophole in Jutla's proof in
> http://eprint.iacr.org/2000/039
---------------------------------------------------------------------
The Cryptography Mailing List