> -----Original Message-----
> From: Ben Laurie [mailto:[EMAIL PROTECTED] 
> Sent: Samstag, 9. September 2006 22:39
> To: Adam Back
> Cc: Travis H.; Cryptography; Anton Stiglic
> Subject: Re: IGE mode is broken (Re: IGE mode in OpenSSL)
> In any case, I am not actually interested IGE itself, rather 
> in biIGE (i.e. IGE applied twice, once in each direction), 
> and I don't care about authentication, I care about error 
> propagation - specifically, I want errors to propagate 
> throughout the plaintext.
> In fact, I suppose I do care about authentication, but in the 
> negative sense - I want it to not be possible to authenticate 
> the message.

Do I understand correctly? You do want that nobody is able to authenticate a 
message, however, it shall not be intelligible if manipulated with? 

Or do you want that the authentication test fails if the message has been 
tampered with?

> I may have misunderstood the IGE paper, but I believe it 
> includes proofs for error propagation in biIGE. Obviously if 
> you can prove that errors always propagate (with high 
> probability, of course) then you can have authentication 
> cheaply - in comparison to the already high cost of biIGE, that is.

I you want authentication, then authenticate. Use something with known security 
properties. So instead of running over the plaintext twice like with 
forward/backward IGE, try something like EAX, which is essentially counter mode 
with CBC-MAC for explicit authentication. Comes with proofs of security.

But then, maybe I did not understand your problem (see above).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to