[41709] in cryptography@c2.net mail archive


IGE mode is broken (Re: IGE mode in OpenSSL)

daemon@ATHENA.MIT.EDU (Adam Back)
Sat Sep 9 14:31:13 2006

X-Original-To: cryptography@metzdowd.com
Date: Sat, 9 Sep 2006 10:01:31 -0400
From: Adam Back <adam@cypherspace.org>
To: "Travis H." <solinym@gmail.com>
Cc: Ben Laurie <ben@algroup.co.uk>,
	Cryptography <cryptography@metzdowd.com>,
	Adam Back <adam@cypherspace.org>,
	Anton Stiglic <stiglic@cs.mcgill.ca>
In-Reply-To: <d4f1333a0609041428p1df996ew78cc0be69518cfed@mail.gmail.com>

Hi Ben, Travis

IGE, if this description summarized by Travis is correct, appears to be
a re-invention of Anton Stiglic's and my proposed FREE-MAC mode.
However, the FREE-MAC mode (described below as IGE) was broken back in
Mar 2000 or maybe earlier by Gligor, Donescu and Iorga.  I recommend
you do not use it.  There are simple attacks which allow you to
manipulate ciphertext blocks with XOR of a few blocks and get error
recovery a few blocks later; and of course with FREE-MAC error
recovery means the MAC is broken, because the last block is
undisturbed.

There is some more detail here:

http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st

Adam

On Mon, Sep 04, 2006 at 04:28:51PM -0500, Travis H. wrote:
> Never mind the algorithm, I saw the second PDF.
> 
> For the other readers, the algorithm in more
> standard variable names is:
> 
> c_i = f_K(p_i xor c_(i-1)) xor p_(i-1)
> 
> IV = <p_(-1), c_(-1)>
> 
> I suppose the dependency on c_(i-1) and p_(i-1) is the part that
> prevents the attacker from predicting and controlling the garble.
> -- 
> "If you're not part of the solution, you're part of the precipitate."
> Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

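The mode as Travis writes it, together with the error-propagation check that the FREE-MAC idea depends on, as an added example in Go. It is not code from OpenSSL or from anyone on this thread; AES from Go's standard library stands in for f_K, and the key, IV pair and message are constructed test values. It shows that one flipped ciphertext bit garbles every plaintext block from that point to the end, which is the property a last-block check relies on; the chosen-modification attacks Adam cites, which defeat that propagation, are not part of it.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)
func xorTo(dst, a, b []byte) { // dst = a xor b for one block; dst may alias a
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}
// ige runs the mode in either direction: encryption is c_i = E_K(p_i xor c_(i-1)) xor p_(i-1),
// decryption p_i = D_K(c_i xor p_(i-1)) xor c_(i-1); IV = <p_(-1), c_(-1)>, in is whole blocks.
func ige(blk cipher.Block, ivP, ivC, in []byte, decrypt bool) []byte {
	n := blk.BlockSize()
	out := make([]byte, len(in))
	prevP, prevC := ivP, ivC // p_(i-1) and c_(i-1)
	for i := 0; i < len(in); i += n {
		x, y := in[i:i+n], out[i:i+n]
		if decrypt { // x is c_i, y becomes p_i
			xorTo(y, x, prevP)
			blk.Decrypt(y, y)
			xorTo(y, y, prevC)
			prevP, prevC = y, x
		} else { // x is p_i, y becomes c_i
			xorTo(y, x, prevC)
			blk.Encrypt(y, y)
			xorTo(y, y, prevP)
			prevP, prevC = x, y
		}
	}
	return out
}
// corruptedBlocks encrypts a constructed 4-block message, flips one bit in ciphertext block j,
// decrypts, and returns the indices of the changed plaintext blocks, e.g. j=1 gives [1 2 3].
func corruptedBlocks(j int) []int {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed key
	ivP, ivC := bytes.Repeat([]byte{0xa5}, 16), bytes.Repeat([]byte{0x5a}, 16) // constructed IV pair
	pt := []byte("block 0 of text.block 1 of text.block 2 of text.block 3 = a MAC.") // constructed
	ct := ige(blk, ivP, ivC, pt, false)
	ct[j*16] ^= 0x01 // one-bit change in ciphertext block j
	got := ige(blk, ivP, ivC, ct, true)
	var bad []int
	for i := 0; i < len(pt); i += 16 {
		if !bytes.Equal(got[i:i+16], pt[i:i+16]) {
			bad = append(bad, i/16)
		}
	}
	return bad
}
```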
