Adam Back wrote:
> Hi Ben, Travis
>
> IGE if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and Iorga. I recommend
> you do not use it. There are simple attacks which allow you to
> manipulate ciphertext blocks with XOR of a few blocks and get error
> recovery a few blocks later; and of course with free-mac error
> recovery means the MAC is broken, because the last block is
> undisturbed.
>
> There is some more detail here:
>
> http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st
Interesting. In fact, Gligor et al. appear to have proposed IGE rather later than this date (November 2000).

In any case, I am not actually interested in IGE itself, rather in biIGE (i.e. IGE applied twice, once in each direction), and I don't care about authentication, I care about error propagation - specifically, I want errors to propagate throughout the plaintext. In fact, I suppose I do care about authentication, but in the negative sense - I want it to not be possible to authenticate the message. These properties are needed for the Minx protocol.

So, I mentioned the authentication properties in passing. It is, however, good to know they don't work! And I love the more general result in the paper mentioned (http://eprint.iacr.org/2000/039/).

I may have misunderstood the IGE paper, but I believe it includes proofs for error propagation in biIGE. Obviously if you can prove that errors always propagate (with high probability, of course) then you can have authentication cheaply - in comparison to the already high cost of biIGE, that is.

Thanks!

Ben.

--
http://www.apache-ssl.org/ben.html http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
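The error-propagation difference between IGE and biIGE that Ben describes, as an added illustration (not code from the thread or from Minx): a single flipped ciphertext bit garbles every later plaintext block under IGE, and every block in both directions under biIGE. It assumes the standard IGE recurrence c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}; the 64-bit Feistel block cipher is a constructed stand-in so the script runs with only the standard library, and the key/IV values are constructed too.

```python
import hashlib

BLOCK, ROUNDS = 8, 8  # toy 64-bit Feistel cipher, constructed for illustration only

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function; SHA-256 stands in for a real cipher's confusion/diffusion layer
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def enc_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l

def dec_block(key: bytes, block: bytes) -> bytes:
    r, l = block[:BLOCK // 2], block[BLOCK // 2:]      # undo the final swap, then run rounds backwards
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def ige_encrypt(key: bytes, ivs: tuple, plaintext: bytes) -> bytes:
    # IGE: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}, with ivs = (c_0, p_0)
    out, prev_c, prev_p = [], ivs[0], ivs[1]
    for p in _split(plaintext):
        c = _xor(enc_block(key, _xor(p, prev_c)), prev_p)
        out.append(c); prev_c, prev_p = c, p
    return b"".join(out)

def ige_decrypt(key: bytes, ivs: tuple, ciphertext: bytes) -> bytes:
    # p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}: a damaged c_j garbles p_j and every block after it
    out, prev_c, prev_p = [], ivs[0], ivs[1]
    for c in _split(ciphertext):
        p = _xor(dec_block(key, _xor(c, prev_p)), prev_c)
        out.append(p); prev_c, prev_p = c, p
    return b"".join(out)

def _rev(data: bytes) -> bytes:
    return b"".join(reversed(_split(data)))

def biige_encrypt(key: bytes, ivs: tuple, plaintext: bytes) -> bytes:
    # Second IGE pass over the blocks in reverse order, so dependencies run in both directions
    return _rev(ige_encrypt(key, ivs[2:], _rev(ige_encrypt(key, ivs[:2], plaintext))))

def biige_decrypt(key: bytes, ivs: tuple, ciphertext: bytes) -> bytes:
    return ige_decrypt(key, ivs[:2], _rev(ige_decrypt(key, ivs[2:], _rev(ciphertext))))

def garbled_after_flip(mode: str, key: bytes, ivs: tuple, plaintext: bytes, block_index: int) -> list:
    """Flip one bit in ciphertext block `block_index`; return indices of plaintext blocks that decrypt wrong."""
    enc, dec = {"ige": (ige_encrypt, ige_decrypt), "biige": (biige_encrypt, biige_decrypt)}[mode]
    ct = bytearray(enc(key, ivs, plaintext))
    ct[block_index * BLOCK] ^= 0x01                      # single-bit transmission error
    pt = dec(key, ivs, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(_split(plaintext), _split(pt))) if a != b]
```

With six 8-byte blocks and the flip in block 2, IGE reports blocks 2 to 5 garbled while blocks 0 and 1 survive; biIGE reports all six, which is the whole-plaintext propagation Minx wants.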
