[42865] in cryptography@c2.net mail archive
RE: IGE mode is broken (Re: IGE mode in OpenSSL)
daemon@ATHENA.MIT.EDU (Kuehn, Ulrich)
Wed Sep 13 15:28:55 2006
X-Original-To: cryptography@metzdowd.com
From: "Kuehn, Ulrich" <Ulrich.Kuehn@telekom.de>
To: ben@algroup.co.uk
Cc: cryptography@metzdowd.com
Date: Wed, 13 Sep 2006 12:41:12 +0200
> -----Original Message-----
> From: Ben Laurie [mailto:ben@algroup.co.uk]
> Sent: Saturday, 9 September 2006 22:39
> To: Adam Back
> Cc: Travis H.; Cryptography; Anton Stiglic
> Subject: Re: IGE mode is broken (Re: IGE mode in OpenSSL)
>
[...]
>
> In any case, I am not actually interested IGE itself, rather
> in biIGE (i.e. IGE applied twice, once in each direction),
> and I don't care about authentication, I care about error
> propagation - specifically, I want errors to propagate
> throughout the plaintext.
>
> In fact, I suppose I do care about authentication, but in the
> negative sense - I want it to not be possible to authenticate
> the message.
>
Do I understand correctly? You want that nobody is able to authenticate a message; however, it shall not be intelligible if it has been manipulated?
Or do you want that the authentication test fails if the message has been tampered with?
>
> I may have misunderstood the IGE paper, but I believe it
> includes proofs for error propagation in biIGE. Obviously if
> you can prove that errors always propagate (with high
> probability, of course) then you can have authentication
> cheaply - in comparison to the already high cost of biIGE, that is.
>
If you want authentication, then authenticate. Use something with known security properties. So instead of running over the plaintext twice like with forward/backward IGE, try something like EAX, which is essentially counter mode with CBC-MAC for explicit authentication. Comes with proofs of security.
But then, maybe I did not understand your problem (see above).
Regards,
Ulrich
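The two modes under discussion, as an added example that is not code from either poster or from OpenSSL: IGE and biIGE in Python, using a constructed stand-in block cipher (a SHA-256 Feistel network instead of AES) and constructed keys and IV. Flipping one ciphertext bit garbles every plaintext block from that point onward in IGE and every block in biIGE, yet decryption still returns data without complaint, which is the point above that error propagation is not authentication; a mode such as EAX turns tampering into an explicit tag-check failure instead.

```python
import hashlib

BLOCK = 16  # 128-bit blocks; KEY1, KEY2 and IV are constructed sample values
KEY1, KEY2 = b"constructed-key-1", b"constructed-key-2"
IV = bytes(range(2 * BLOCK))  # IGE takes two IV blocks: (c_0, p_0)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_cipher(key, b, decrypt=False):
    # Stand-in for AES (standard library only): a 4-round Feistel network, a keyed permutation
    l, r = b[:BLOCK // 2], b[BLOCK // 2:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        if decrypt:
            l, r = xor(r, _f(key, i, l)), l
        else:
            l, r = r, xor(l, _f(key, i, r))
    return l + r

def ige(key, iv, data, decrypt=False):
    # IGE: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}, hence p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}
    c_prev, p_prev = iv[:BLOCK], iv[BLOCK:]
    out = []
    for i in range(0, len(data), BLOCK):
        x = data[i:i + BLOCK]
        if decrypt:
            y = xor(block_cipher(key, xor(x, p_prev), True), c_prev)
            c_prev, p_prev = x, y
        else:
            y = xor(block_cipher(key, xor(x, c_prev)), p_prev)
            c_prev, p_prev = y, x
        out.append(y)
    return b"".join(out)

def rev(data):  # reverse the block order
    return b"".join(data[i:i + BLOCK] for i in range(len(data) - BLOCK, -1, -BLOCK))
def bi_ige(data, decrypt=False):
    # biIGE: IGE forward under KEY1, then IGE over the reversed block order under KEY2
    if decrypt:
        return ige(KEY1, IV, rev(ige(KEY2, IV, rev(data), True)), True)
    return rev(ige(KEY2, IV, rev(ige(KEY1, IV, data))))

def damaged_blocks(mode, plaintext, flip_block):
    # Flip one ciphertext bit, decrypt, and list the plaintext blocks that came out
    # wrong. Decryption never reports an error: error propagation is not authentication.
    ct = bytearray(mode(plaintext))
    ct[flip_block * BLOCK] ^= 1
    pt = mode(bytes(ct), True)
    return [i // BLOCK for i in range(0, len(pt), BLOCK) if pt[i:i + BLOCK] != plaintext[i:i + BLOCK]]
```

With a six-block message and a bit flipped in ciphertext block 2, `damaged_blocks` reports blocks 2 to 5 for plain IGE and all six blocks for biIGE.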
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com