[41908] in cryptography@c2.net mail archive
Re: IGE mode is broken (Re: IGE mode in OpenSSL)
daemon@ATHENA.MIT.EDU (Ben Laurie)
Sun Sep 10 11:19:17 2006
X-Original-To: cryptography@metzdowd.com
Date: Sat, 09 Sep 2006 21:39:04 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Adam Back <adam@cypherspace.org>
Cc: "Travis H." <solinym@gmail.com>,
Cryptography <cryptography@metzdowd.com>,
Anton Stiglic <stiglic@cs.mcgill.ca>
In-Reply-To: <20060909140131.GA9515@bitchcake.off.net>
Adam Back wrote:
> Hi Ben, Travis
>
> IGE, if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and Iorga. I recommend
> you do not use it. There are simple attacks which allow you to
> manipulate ciphertext blocks with XOR of a few blocks and get error
> recovery a few blocks later; and of course with free-mac error
> recovery means the MAC is broken, because the last block is
> undisturbed.
>
> There is some more detail here:
>
> http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st
Interesting. In fact, Gligor et al. appear to have proposed IGE rather
later than this date (November 2000).
In any case, I am not actually interested in IGE itself, rather in biIGE
(i.e. IGE applied twice, once in each direction), and I don't care about
authentication, I care about error propagation - specifically, I want
errors to propagate throughout the plaintext.
In fact, I suppose I do care about authentication, but in the negative
sense - I want it to not be possible to authenticate the message.
These properties are needed for the Minx protocol.
So, I mentioned the authentication properties in passing. It is,
however, good to know they don't work! And I love the more general
result in the paper mentioned (http://eprint.iacr.org/2000/039/).
I may have misunderstood the IGE paper, but I believe it includes proofs
for error propagation in biIGE. Obviously if you can prove that errors
always propagate (with high probability, of course) then you can have
authentication cheaply - in comparison to the already high cost of
biIGE, that is.
Thanks!
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
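To make the error-propagation point in the message above concrete, here is an added illustration (not code from this thread, from OpenSSL or from the Minx work): single-direction IGE and the two-pass biIGE over a small stand-in block cipher, with a check of which plaintext blocks are damaged when one ciphertext bit is flipped. The IGE recurrence is the standard one; the exact composition of the two biIGE passes, the IV layout, the toy cipher and the sample key/message are assumptions made for the demonstration.

```python
import hashlib

BLOCK, ROUNDS = 16, 4
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit PRP (4-round SHA-256 Feistel), not a real cipher; OpenSSL's IGE uses AES.
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r
def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r
def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def _rev(data: bytes) -> bytes:
    return b"".join(reversed(_blocks(data)))

def ige(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # IGE: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}, hence p_i = D(c_i ^ p_{i-1}) ^ c_{i-1};
    # the 32-byte IV supplies c_0 || p_0. A damaged c_i garbles p_i and every later block.
    c_prev, p_prev, out = iv[:BLOCK], iv[BLOCK:], []
    for blk in _blocks(data):
        if decrypt:
            c, p = blk, xor(decrypt_block(key, xor(blk, p_prev)), c_prev)
        else:
            p, c = blk, xor(encrypt_block(key, xor(blk, c_prev)), p_prev)
        out.append(p if decrypt else c)
        c_prev, p_prev = c, p
    return b"".join(out)
def biige(key: bytes, iv1: bytes, iv2: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # biIGE (assumed layout): a forward IGE pass, then a second IGE pass over the blocks in reverse order.
    if decrypt:
        return ige(key, iv1, _rev(ige(key, iv2, _rev(data), True)), True)
    return _rev(ige(key, iv2, _rev(ige(key, iv1, data))))
def corrupted_blocks(decrypt, ct: bytes, flip: int) -> list:
    # Flip one bit in ciphertext block `flip`; return the plaintext blocks that changed.
    bad = ct[:flip * BLOCK] + bytes([ct[flip * BLOCK] ^ 1]) + ct[flip * BLOCK + 1:]
    good, dam = _blocks(decrypt(ct)), _blocks(decrypt(bad))
    return [i for i, (g, d) in enumerate(zip(good, dam)) if g != d]
# Constructed sample key, IVs and six-block message (not from the original thread).
KEY, IV1, IV2 = b"k" * 16, b"i" * 32, b"j" * 32
PT = b"".join(bytes([i]) * BLOCK for i in range(6))
def demo(flip: int = 2) -> tuple:
    one = corrupted_blocks(lambda c: ige(KEY, IV1, c, True), ige(KEY, IV1, PT), flip)
    both = corrupted_blocks(lambda c: biige(KEY, IV1, IV2, c, True), biige(KEY, IV1, IV2, PT), flip)
    return one, both  # plain IGE: blocks 2..5 damaged; biIGE: all six blocks damaged
```

Plain IGE only propagates damage forward from the modified block, which is why the last block can survive a mid-stream change; the second, reversed pass in biIGE carries the damage back to the first block as well.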
---------------------------------------------------------------------
The Cryptography Mailing List