Adam Back wrote:
> On Sat, Sep 09, 2006 at 09:39:04PM +0100, Ben Laurie wrote:
>>> There is some more detail here:
>> Interesting. In fact, Gligor et al appear to have proposed IGE rather
>> later than this date (November 2000).
> Well looking at the paper by Gligor in their mode submission to NIST
> on IGE, it appears rather that our FREE-MAC was a re-invention of IGE!
> Apparently according to Gligor IGE was proposed by Carl Campbell in
> Feb 1977, about the same time as CBC mode was proposed.  Gligor et al
> wrote the mode-submission for IGE in Nov 2000.
>> I may have misunderstood the IGE paper, but I believe it includes proofs
>> for error propagation in biIGE. Obviously if you can prove that errors
>> always propagate (with high probability, of course) then you can have
>> authentication cheaply - in comparison to the already high cost of
>> biIGE, that is.
> I am not sure about the proofs in the IGE-spec paper, but at least the
> proofs about IGE must be flawed somehow because the sci.crypt
> post shows a class of known plaintext modifications that exhibits
> error recovery.

Indeed, and you'll find this attack (or a similar one) in the proof of
Lemma 4 ("the schemes IGE$-z0 and IGE$-c are not EF-CPA, PU-CPA, PI-CPA,
and NM-CPA secure"), so I don't think you can cite them as flaws :-)

> I worked through it on paper at the time, and as far
> as I can see it trivially breaks IGE/FREE-MAC.  No doubt there are
> other variations so there are lots of permutations you can do in
> rearranging the ciphertext such that the "integrity check" still
> passes.

Note that I was talking about biIGE, not IGE. IGE is indeed broken under
many attack types, and the paper acknowledges that.


"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
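The property the thread turns on is error propagation: in IGE (the mode Campbell proposed and Gligor et al. later submitted to NIST) each ciphertext block is chained to both the previous ciphertext block and the previous plaintext block, c_i = E_K(p_i XOR c_{i-1}) XOR p_{i-1}, so a modification to one ciphertext block garbles every plaintext block from that point on, whereas in CBC the damage is confined to two blocks. The following Go program is an added illustration, not code from the thread or from any of the papers it cites; it implements IGE around the standard-library AES block cipher and contrasts its propagation with CBC. The key, the two IVs and the plaintext are constructed demo values, and the helper names (IGEEncrypt, IGEDecrypt, DamagedBlocks, PropagationDemo) are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xorBlocks returns a XOR b; both slices must have the same length.
func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// IGEEncrypt computes c_i = E_K(p_i XOR c_{i-1}) XOR p_{i-1}, with the
// initial pair (c_0, p_0) = (ivC, ivP). Input must be whole blocks; no padding.
func IGEEncrypt(blk cipher.Block, ivC, ivP, plaintext []byte) []byte {
	bs := blk.BlockSize()
	if len(plaintext)%bs != 0 || len(ivC) != bs || len(ivP) != bs {
		panic("IGE: plaintext and IVs must be whole blocks")
	}
	ct := make([]byte, len(plaintext))
	prevC, prevP := ivC, ivP
	for i := 0; i < len(plaintext); i += bs {
		p, c := plaintext[i:i+bs], ct[i:i+bs]
		blk.Encrypt(c, xorBlocks(p, prevC))
		copy(c, xorBlocks(c, prevP))
		prevC, prevP = c, p
	}
	return ct
}

// IGEDecrypt inverts IGEEncrypt: p_i = D_K(c_i XOR p_{i-1}) XOR c_{i-1}.
func IGEDecrypt(blk cipher.Block, ivC, ivP, ciphertext []byte) []byte {
	bs := blk.BlockSize()
	if len(ciphertext)%bs != 0 || len(ivC) != bs || len(ivP) != bs {
		panic("IGE: ciphertext and IVs must be whole blocks")
	}
	pt := make([]byte, len(ciphertext))
	prevC, prevP := ivC, ivP
	for i := 0; i < len(ciphertext); i += bs {
		c, p := ciphertext[i:i+bs], pt[i:i+bs]
		blk.Decrypt(p, xorBlocks(c, prevP))
		copy(p, xorBlocks(p, prevC))
		prevC, prevP = c, p
	}
	return pt
}

// DamagedBlocks lists the block indices where got differs from want.
func DamagedBlocks(want, got []byte, bs int) []int {
	var bad []int
	for i := 0; i < len(want); i += bs {
		if !bytes.Equal(want[i:i+bs], got[i:i+bs]) {
			bad = append(bad, i/bs)
		}
	}
	return bad
}

// PropagationDemo encrypts a four-block message under IGE and under CBC,
// flips one bit in ciphertext block `flip`, decrypts, and reports which
// plaintext blocks the receiver sees damaged in each mode.
func PropagationDemo(flip int) (ige, cbc []int) {
	key := []byte("0123456789abcdef") // constructed demo key, not for real use
	ivC := []byte("IGE-ciphertextIV") // constructed IV for the c_0 chain
	ivP := []byte("IGE-plaintext-IV") // constructed IV for the p_0 chain
	plaintext := []byte("block 0 ........block 1 ........block 2 ........block 3 ........")
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := blk.BlockSize()

	igeCt := IGEEncrypt(blk, ivC, ivP, plaintext)
	cbcCt := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(blk, ivC).CryptBlocks(cbcCt, plaintext)

	// tamper returns a copy with the low bit of the first byte of block `flip` inverted.
	tamper := func(ct []byte) []byte {
		t := append([]byte(nil), ct...)
		t[flip*bs] ^= 0x01
		return t
	}
	ige = DamagedBlocks(plaintext, IGEDecrypt(blk, ivC, ivP, tamper(igeCt)), bs)
	cbcPt := make([]byte, len(plaintext))
	cipher.NewCBCDecrypter(blk, ivC).CryptBlocks(cbcPt, tamper(cbcCt))
	cbc = DamagedBlocks(plaintext, cbcPt, bs)
	return ige, cbc
}

func main() {
	ige, cbc := PropagationDemo(1)
	fmt.Println("IGE damaged blocks:", ige) // every block from the flipped one onward
	fmt.Println("CBC damaged blocks:", cbc) // only the flipped block and its successor
}
```

Flipping a bit in block 1 leaves IGE with blocks 1, 2 and 3 damaged and CBC with blocks 1 and 2 damaged. This is the behaviour that makes "check that the last block decrypts to a known value" look attractive as a free integrity check; the thread's point is that propagation against a single random error says nothing about an adversary who rearranges or substitutes ciphertext blocks with knowledge of the plaintext, which is why the IGE paper itself lists IGE as not secure under the chosen-plaintext integrity notions in its Lemma 4, and why a real MAC or an authenticated mode is still needed.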