[42167] in cryptography@c2.net mail archive


Re: IGE mode is broken (Re: IGE mode in OpenSSL)

daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Sep 11 08:16:32 2006

X-Original-To: cryptography@metzdowd.com
Date: Mon, 11 Sep 2006 06:33:59 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <4503F7E4.6030109@echeque.com>

Typo:

James A. Donald wrote:
> Let P(k) be the kth block of plain text.  We prepend a
> random block, P(0) to the text, and append a fixed block
> to the end.  If anything is altered, the fixed block at
> the end will not contain the expected data, but will be
> gibberish.
> 
> The adversary knows every block in the plain text
> message except our P(0).  He can intercept and change
> the encrypted message.  He wishes to modify the message
> so that the intended recipient receives something
> different from the message that the adversary knows he
> should receive without the intended recipient realizing
> something is wrong.
> 
> Let W(k) = P(k) + W(k-1) + W(k-1)&{W(k-1)}
> 
> Where & means bitwise and, and + means addition modulo 2
> to the block size.
> 
> W(0) = P(0) (our random block, unknown to the adversary
> or the recipient, and changing with every message.)
> 
> {} means encryption, {W(k-1)} is the block we get by
> encrypting W(k-1)
> 
> We transmit T(k)= {W(k)} + W(k-1)|{W(k-1)} where |
> means bitwise or, curly brace means encryption.

Should read:

We transmit T(k) = {W(k)} + (~W(k-1) | {W(k-1)})
where ~ means bitwise negation, | means bitwise or,
curly brace means encryption.

> W(-1) is zero.
> 
> The adversary knows P(k), except for P(0), and can
> intercept all transmitted values T(k).
> 
> Because the combination of addition and bitwise logical
> operations is non linear, this method gets through a
> loophole in Jutla's proof in
> http://eprint.iacr.org/2000/039
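The construction above, implemented end to end as an added example (not code from the post or from OpenSSL): a constructed 4-round Feistel "cipher" on 64-bit blocks stands in for a real block cipher so it runs offline, + is addition mod 2^64 as the post defines it, and the corrected transmit formula is read as T(k) = {W(k)} + (~W(k-1) | {W(k-1)}). The trailer constant, key and message blocks are constructed sample values.

```python
import hashlib
MASK = (1 << 64) - 1            # 64-bit blocks; + is addition mod 2^64, as in the post
TRAILER = 0x0123456789ABCDEF    # constructed fixed trailer block ("fixed block at the end")

def _f(key, half, i):
    # Round function of a toy 4-round Feistel cipher: a constructed stand-in for a real
    # block cipher so the example runs offline; it is not a secure cipher.
    d = hashlib.sha256(key + bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def enc_block(key, x):          # {x} in the post's notation
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        l, r = r, l ^ _f(key, r, i)
    return (l << 32) | r

def dec_block(key, y):          # inverse of enc_block
    l, r = y >> 32, y & 0xFFFFFFFF
    for i in reversed(range(4)):
        l, r = r ^ _f(key, l, i), l
    return (l << 32) | r

def mode_encrypt(key, p):
    # W(k) = P(k) + W(k-1) + (W(k-1) & {W(k-1)}),  T(k) = {W(k)} + (~W(k-1) | {W(k-1)}),  W(-1) = 0
    w_prev, t = 0, []
    for pk in p:
        e_prev = enc_block(key, w_prev)
        w = (pk + w_prev + (w_prev & e_prev)) & MASK
        t.append((enc_block(key, w) + ((~w_prev & MASK) | e_prev)) & MASK)
        w_prev = w
    return t

def mode_decrypt(key, t):
    # The receiver recomputes W(k-1) and {W(k-1)} as it goes, so each T(k) can be unwound
    w_prev, p = 0, []
    for tk in t:
        e_prev = enc_block(key, w_prev)
        w = dec_block(key, (tk - ((~w_prev & MASK) | e_prev)) & MASK)
        p.append((w - w_prev - (w_prev & e_prev)) & MASK)
        w_prev = w
    return p

def seal(key, p0, msg):
    # p0 is the per-message random block P(0); the fixed trailer is appended for the check
    return mode_encrypt(key, [p0] + list(msg) + [TRAILER])

def unseal(key, t):
    # Returns (trailer_intact, message_blocks); a change upstream propagates into the trailer
    p = mode_decrypt(key, t)
    return p[-1] == TRAILER, p[1:-1]
```

Flipping one bit of any transmitted block before `unseal` garbles every later W(k), so the recovered trailer no longer matches and the call reports the message as altered.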


---------------------------------------------------------------------
The Cryptography Mailing List