IGE mode is broken (Re: IGE mode in OpenSSL)

James A. Donald jamesd at echeque.com
Sun Sep 24 06:51:06 EDT 2006


On 9/9/06, Adam Back <adam at cypherspace.org> wrote:
> > IGE if this description summarized by Travis is correct, appears to be
> > a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> > However the FREE-MAC mode (below described as IGE) was broken back in
> > Mar 2000 or maybe earlier by Gligor, Donescu and Iorga.  I recommend
> > you do not use it.  There are simple attacks which allow you to
> > manipulate ciphertext blocks with XOR of a few blocks and get error
> > recovery a few blocks later; and of course with free-mac error
> > recovery means the MAC is broken, because the last block is
> > undisturbed.
> > 
> > http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st 

Travis H. wrote:
> I don't see why integrity+confidentiality has to cost n log n
> operations.  I haven't read the whole paper yet (and the proof is at
> the end)

The idea of costlessly piggybacking integrity on top of confidentiality
is to have error propagation, so that any fiddling with the message will
cause all packets after the fiddling to be random noise.

Unfortunately, if this is done with linear operations, it can be undone
with linear operations.  If it is done with non-linear operations (my
recommendation), it is hard to prove anything.

> Or are universal hashes
> considered cryptographic-weight primitives, and thus this constitutes
> a "second pass" over the plaintext?

Yes.

The idea is to get integrity for free, but unfortunately so many 
integrity-for-free schemes have come undone, making people suspicious.
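The "linear operations can be undone with linear operations" point, as an added Python demonstration that is not from this thread or any of its authors: a constructed Feistel toy cipher stands in for the block cipher, IGE (c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}) is built on it, and a keyless known-plaintext re-chaining reproduces the effect Adam Back describes above, a modified ciphertext whose decryption garbles a few blocks and then recovers on the last one, so an "undisturbed last block" check is no integrity guarantee. All names, the key, IV and message are constructed for the example.

```python
import hashlib
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(buf):
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]

def toy_perm(key, block, rounds):
    # Constructed 4-round Feistel network standing in for a real 128-bit block
    # cipher; running the rounds in reverse order gives the inverse permutation.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def E(key, block): return toy_perm(key, block, range(4))
def D(key, block): return toy_perm(key, block, range(3, -1, -1))

def ige_encrypt(key, iv, plaintext):
    # IGE: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}, with iv = c_{-1} || p_{-1}
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for p in _blocks(plaintext):
        c = xor(E(key, xor(p, c_prev)), p_prev)
        out.append(c)
        c_prev, p_prev = c, p
    return b"".join(out)

def ige_decrypt(key, iv, ciphertext):
    # p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}: one garbled block poisons every later one
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for c in _blocks(ciphertext):
        p = xor(D(key, xor(c, p_prev)), c_prev)
        out.append(p)
        c_prev, p_prev = c, p
    return b"".join(out)

def forge_swap(iv, plaintext, ciphertext):
    # Keyless, from one known plaintext/ciphertext pair: block i exposes one D
    # evaluation, x_i = c_i ^ p_{i-1} -> y_i = p_i ^ c_{i-1}.  Re-chaining those
    # pairs with XOR alone swaps the last two 2-block units; the garble this
    # causes cancels on the final block, so a "last block intact" check passes.
    P, C = [iv[BLOCK:]] + _blocks(plaintext), [iv[:BLOCK]] + _blocks(ciphertext)
    n = len(P) - 1
    x = [xor(C[k], P[k - 1]) for k in range(1, n + 1)]
    y = [xor(P[k], C[k - 1]) for k in range(1, n + 1)]
    order = list(range(n - 4)) + [n - 2, n - 1, n - 4, n - 3]
    c_prev, p_prev, forged = iv[:BLOCK], iv[BLOCK:], []
    for k in order:
        c = xor(x[k], p_prev)  # the receiver's D input becomes the known x_k ...
        p = xor(y[k], c_prev)  # ... so its output block is predictable with no key
        forged.append(c)
        c_prev, p_prev = c, p
    return b"".join(forged)
```

Flipping any ciphertext bit garbles every later block, yet the forged message decrypts to the original final block; the propagation property therefore has to be backed by a separate MAC rather than relied on as one.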



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com