IGE mode is broken (Re: IGE mode in OpenSSL)

Travis H. solinym at gmail.com
Sat Sep 23 01:08:56 EDT 2006


On 9/9/06, Adam Back <adam at cypherspace.org> wrote:
> IGE if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and Iorga.  I recommend
> you do not use it.  There are simple attacks which allow you to
> manipulate ciphertext blocks with XOR of a few blocks and get error
> recovery a few blocks later; and of course with free-mac error
> recovery means the MAC is broken, because the last block is
> undisturbed.

> http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st

I don't see why integrity+confidentiality has to cost n log n
operations.  I haven't read the whole paper yet (and the proof is at
the end), but I don't see why you can't append a universal hash
(chosen by a second key, or at random and identified in the plaintext
in some suitable way) of the input to the plaintext prior to
encryption, and get integrity for cheap.  Or are universal hashes
considered cryptographic-weight primitives, and thus this constitutes
a "second pass" over the plaintext?  I must admit I don't know of any
lower bound on universal hash complexity... wikipedia only mentions
f(x) = ax + b mod p, (p prime) which is clearly less heavy than modexp
and other PK algos, and it looks like you could do it incrementally
over the plaintext x, I think... my intuition tells me this is way
faster than a block cipher.
-- 
"On the Internet noone knows you're a dog - except Bruce Schneier."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list