IGE mode is broken (Re: IGE mode in OpenSSL)

James A. Donald jamesd at echeque.com
Sun Sep 10 16:33:59 EDT 2006


Typo:

James A. Donald wrote:
> Let P(k) be the kth block of plain text.  We prepend a
> random block, P(0) to the text, and append a fixed block
> to the end.  If anything is altered, the fixed block at
> the end will not contain the expected data, but will be
> gibberish.
> 
> The adversary knows every block in the plain text
> message except our P(0).  He can intercept and change
> the encrypted message.  He wishes to modify the message
> so that the intended recipient receives something
> different from the message that the adversary knows he
> should receive without the intended recipient realizing
> something is wrong.
> 
> Let W(k) = P(k) + W(k-1) + W(k-1)&{W(k-1)}
> 
> Where & means bitwise and, and + means addition modulo 2
> to the block size.
> 
> W(0) = P(0) (our random block, unknown to the adversary
> or the recipient, and changing with every message.)
> 
> {} means encryption, {W(k-1)} is the block we get by
> encrypting W(k-1)
> 
> We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where |
> means bitwise or, curly brace means encryption.

Should read:

We transmit T(k) = {W(k)} + ((~W(k-1))|{W(k-1)})
where ~ means bitwise negation, | means bitwise or,
curly brace means encryption.

> W(-1) is zero.
> 
> The adversary knows P(k), except for P(0), and can
> intercept all transmitted values T(k).
> 
> Because the combination of addition and bitwise logical
> operations is non linear, this method gets through a
> loophole in Jutla's proof in
> http://eprint.iacr.org/2000/039
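The chaining construction described above, as an added example that is not from the post or from OpenSSL: it assumes the corrected transmit formula reads T(k) = {W(k)} + ((~W(k-1))|{W(k-1)}), stands in a hash-based Feistel permutation for the unnamed block cipher, and uses a constructed fixed trailer block. The receiver rejects the message when that trailer no longer decrypts to the expected value, which is the integrity check the post relies on.

```python
import hashlib

BLOCK_BITS = 128                      # block size in bits
MASK = (1 << BLOCK_BITS) - 1          # "+" below is addition modulo 2**BLOCK_BITS
HALF = BLOCK_BITS // 2
TRAILER = 0x0123456789ABCDEF0123456789ABCDEF  # constructed fixed trailer block

def _round(key, i, x):
    # Round function of a stand-in 4-round Feistel cipher (assumption: the post
    # names no block cipher, so any 128-bit block cipher could replace this).
    h = hashlib.sha256(key + bytes([i]) + x.to_bytes(HALF // 8, "big")).digest()
    return int.from_bytes(h[:HALF // 8], "big")

def encrypt_block(key, x):            # the post's {x}
    l, r = x >> HALF, x & ((1 << HALF) - 1)
    for i in range(4):
        l, r = r, l ^ _round(key, i, r)
    return (l << HALF) | r

def decrypt_block(key, y):            # inverse of {.}
    l, r = y >> HALF, y & ((1 << HALF) - 1)
    for i in reversed(range(4)):
        l, r = r ^ _round(key, i, l), l
    return (l << HALF) | r

def encrypt(key, plaintext, p0):
    """Chain [P(0)=p0] + plaintext + [TRAILER]; returns the list of T(k)."""
    w_prev, out = 0, []                # W(-1) = 0
    for p in [p0] + plaintext + [TRAILER]:
        ew_prev = encrypt_block(key, w_prev)                      # {W(k-1)}
        w = (p + w_prev + (w_prev & ew_prev)) & MASK              # W(k)
        t = (encrypt_block(key, w) + ((~w_prev & MASK) | ew_prev)) & MASK  # T(k)
        out.append(t)
        w_prev = w
    return out

def decrypt(key, transmitted):
    """Invert the chain; returns the plaintext blocks, or None when the
    last block does not decrypt to TRAILER (the ciphertext was altered)."""
    w_prev, out = 0, []
    for t in transmitted:
        ew_prev = encrypt_block(key, w_prev)
        ew = (t - ((~w_prev & MASK) | ew_prev)) & MASK            # {W(k)}
        w = decrypt_block(key, ew)                                # W(k)
        out.append((w - w_prev - (w_prev & ew_prev)) & MASK)      # P(k)
        w_prev = w
    if len(out) < 2 or out[-1] != TRAILER:
        return None
    return out[1:-1]                   # drop the random P(0) and the trailer

def tamper_detected(key, plaintext, p0, block_index, bit):
    """Flip one bit of T(block_index) and report whether decrypt rejects it."""
    t = encrypt(key, plaintext, p0)
    t[block_index] ^= 1 << bit
    return decrypt(key, t) is None
```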


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
