Thread: IGE mode is broken (Re: IGE mode in OpenSSL)




IGE mode is broken (Re: IGE mode in OpenSSL)
user name
2006-09-13 10:41:12
 

> -----Original Message-----
> From: Ben Laurie [mailto:benalgroup.co.uk]
> Sent: Samstag, 9. September 2006 22:39
> To: Adam Back
> Cc: Travis H.; Cryptography; Anton Stiglic
> Subject: Re: IGE mode is broken (Re: IGE mode in OpenSSL)
>
[...]
>
> In any case, I am not actually interested in IGE itself, rather
> in biIGE (i.e. IGE applied twice, once in each direction),
> and I don't care about authentication, I care about error
> propagation - specifically, I want errors to propagate
> throughout the plaintext.
>
> In fact, I suppose I do care about authentication, but in the
> negative sense - I want it to not be possible to authenticate
> the message.
> 

Do I understand correctly? You do want that nobody is able
to authenticate a message, however, it shall not be
intelligible if manipulated with? 

Or do you want that the authentication test fails if the
message has been tampered with?

> 
> I may have misunderstood the IGE paper, but I believe it
> includes proofs for error propagation in biIGE. Obviously if
> you can prove that errors always propagate (with high
> probability, of course) then you can have authentication
> cheaply - in comparison to the already high cost of biIGE, that is.
> 

If you want authentication, then authenticate. Use something
with known security properties. So instead of running over
the plaintext twice like with forward/backward IGE, try
something like EAX, which is essentially counter mode with
CBC-MAC for explicit authentication. Comes with proofs of
security.

But then, maybe I did not understand your problem (see
above).

Regards,
Ulrich

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomometzdowd.com
IGE mode is broken (Re: IGE mode in OpenSSL)
user name
2006-09-13 11:15:18
Kuehn, Ulrich wrote:
> 
> 
>> -----Original Message----- From: Ben Laurie
>> [mailto:benalgroup.co.uk] Sent: Samstag, 9. September 2006 22:39
>> To: Adam Back Cc: Travis H.; Cryptography; Anton Stiglic Subject:
>> Re: IGE mode is broken (Re: IGE mode in OpenSSL)
>>
> [...]
>> In any case, I am not actually interested in IGE itself, rather in
>> biIGE (i.e. IGE applied twice, once in each direction), and I don't
>> care about authentication, I care about error propagation -
>> specifically, I want errors to propagate throughout the plaintext.
>>
>> In fact, I suppose I do care about authentication, but in the
>> negative sense - I want it to not be possible to authenticate the
>> message.
>>
>
> Do I understand correctly? You do want that nobody is able to
> authenticate a message, however, it shall not be intelligible if
> manipulated with?

Correct. Minx (which is the only place I use IGE) avoids traffic marking
attacks in two ways:

a) all messages are "correct"

b) any attempt to mark a message results in its complete corruption

See the Minx paper, http://www.apache-ssl.org/minx.pdf.

> Or do you want that the authentication test fails if the message has
> been tampered with?

No.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
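
The error-propagation property discussed in this thread, as an added example that is not part of either message and is not OpenSSL or Minx code: it flips one ciphertext bit and reports which plaintext blocks change under one-directional IGE and under a bi-directional variant. Assumptions: a toy Feistel cipher built from SHA-256 stands in for a real block cipher, and `bi_ige` (two keys, two IVs, block order reversed between passes) is a simplified reading of "IGE applied twice, once in each direction"; keys and IVs are constructed sample values.

```python
import hashlib

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of a toy Feistel cipher standing in for AES (assumption, not secure)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def E(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def ige(key, iv, blocks, decrypt=False):
    # Encrypt: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}, iv = c_0 || p_0; decrypt mirrors it.
    c0, p0 = iv[:BLOCK], iv[BLOCK:]
    prev_in, prev_out = (c0, p0) if decrypt else (p0, c0)
    f, out = (D if decrypt else E), []
    for blk in blocks:
        out.append(xor(f(key, xor(blk, prev_out)), prev_in))
        prev_in, prev_out = blk, out[-1]
    return out

def bi_ige(keys, ivs, blocks, decrypt=False):
    # Assumed construction: IGE pass, reverse the block order, second IGE pass.
    if decrypt:
        return ige(keys[0], ivs[0], ige(keys[1], ivs[1], blocks, True)[::-1], True)
    return ige(keys[1], ivs[1], ige(keys[0], ivs[0], blocks)[::-1])

def damaged(bidirectional, flip_at, n=6):
    """Flip one ciphertext bit; return indices of plaintext blocks that change."""
    keys = (b"constructed-key1", b"constructed-key2")  # constructed sample values
    ivs = (bytes(range(32)), bytes(range(32, 64)))
    pt = [bytes([i]) * BLOCK for i in range(n)]
    run = lambda b, d=False: bi_ige(keys, ivs, b, d) if bidirectional else ige(keys[0], ivs[0], b, d)
    ct = run(pt)
    assert run(ct, True) == pt  # round trip is correct before tampering
    ct[flip_at] = xor(ct[flip_at], b"\x01" + bytes(BLOCK - 1))
    return [i for i, (a, b) in enumerate(zip(pt, run(ct, True))) if a != b]
```

With one-directional IGE the blocks before the modified one still decrypt correctly, while the bi-directional variant garbles every block wherever the change is made; neither result involves an authentication check.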
