IGE mode is broken (Re: IGE mode in OpenSSL)
Kuehn, Ulrich
Ulrich.Kuehn at telekom.de
Wed Sep 13 06:41:12 EDT 2006
> -----Original Message-----
> From: Ben Laurie [mailto:ben at algroup.co.uk]
> Sent: Samstag, 9. September 2006 22:39
> To: Adam Back
> Cc: Travis H.; Cryptography; Anton Stiglic
> Subject: Re: IGE mode is broken (Re: IGE mode in OpenSSL)
>
[...]
>
> In any case, I am not actually interested in IGE itself, rather
> in biIGE (i.e. IGE applied twice, once in each direction),
> and I don't care about authentication, I care about error
> propagation - specifically, I want errors to propagate
> throughout the plaintext.
>
> In fact, I suppose I do care about authentication, but in the
> negative sense - I want it to not be possible to authenticate
> the message.
>
Do I understand correctly? You do want that nobody is able to authenticate a message, however, it shall not be intelligible if manipulated with?
Or do you want that the authentication test fails if the message has been tampered with?
>
> I may have misunderstood the IGE paper, but I believe it
> includes proofs for error propagation in biIGE. Obviously if
> you can prove that errors always propagate (with high
> probability, of course) then you can have authentication
> cheaply - in comparison to the already high cost of biIGE, that is.
>
If you want authentication, then authenticate. Use something with known security properties. So instead of running over the plaintext twice like with forward/backward IGE, try something like EAX, which is essentially counter mode with CBC-MAC for explicit authentication. Comes with proofs of security.
But then, maybe I did not understand your problem (see above).
Regards,
Ulrich
---------------------------------------------------------------------
The Cryptography Mailing List
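The error-propagation behaviour discussed in this thread, as an added example that is not part of the original posts and is not OpenSSL's code. Assumptions: a toy SHA-256 Feistel permutation stands in for the block cipher (not secure), and the two-pass "biIGE" here reuses one key and one two-block IV for both directions, following only the description "IGE applied twice, once in each direction".

```python
import hashlib

BLOCK = 16  # bytes per block

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    # 4-round Feistel network: stand-in permutation only, NOT a secure cipher
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def ige(key, iv, blocks, decrypt=False):
    # Encrypt: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}
    # Decrypt: p_i = D(c_i ^ p_{i-1}) ^ c_{i-1};  iv = c_0 || p_0
    a, b = (iv[BLOCK:], iv[:BLOCK]) if decrypt else (iv[:BLOCK], iv[BLOCK:])
    f = toy_decrypt_block if decrypt else toy_encrypt_block
    out = []
    for x in blocks:
        y = _xor(f(key, _xor(x, a)), b)
        out.append(y)
        a, b = y, x
    return out

def biige(key, iv, blocks, decrypt=False):
    # Simplified two-pass construction (assumption): forward IGE, then IGE
    # over the blocks in reverse order.
    if decrypt:
        return ige(key, iv, ige(key, iv, blocks[::-1], True)[::-1], True)
    return ige(key, iv, ige(key, iv, blocks)[::-1])[::-1]

def damaged_blocks(mode, flip_index, n=8):
    # Flip one ciphertext bit, decrypt, and list the plaintext blocks that changed.
    key, iv = b"k" * 16, bytes(2 * BLOCK)            # constructed test values
    plain = [bytes([i]) * BLOCK for i in range(n)]   # constructed plaintext
    ct = mode(key, iv, plain)
    ct[flip_index] = _xor(ct[flip_index], b"\x01" + bytes(BLOCK - 1))
    got = mode(key, iv, ct, decrypt=True)
    return [i for i in range(n) if got[i] != plain[i]]
```

Single-pass IGE garbles only the blocks from the flipped one onward, while the two-pass variant garbles every block; in both cases decryption still returns bytes without signalling failure, so detecting tampering needs an explicit check such as the tag an authenticated mode like EAX verifies.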