> -----Original Message-----
> From: Ben Laurie [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 9 September 2006 22:39
> To: Adam Back
> Cc: Travis H.; Cryptography; Anton Stiglic
> Subject: Re: IGE mode is broken (Re: IGE mode in OpenSSL)
> [...]
>
> In any case, I am not actually interested in IGE itself, rather
> in biIGE (i.e. IGE applied twice, once in each direction),
> and I don't care about authentication, I care about error
> propagation - specifically, I want errors to propagate
> throughout the plaintext.
>
> In fact, I suppose I do care about authentication, but in the
> negative sense - I want it to not be possible to authenticate
> the message.
>

Do I understand correctly? You do want that nobody is able to authenticate a message, however, it shall not be intelligible if manipulated with? Or do you want that the authentication test fails if the message has been tampered with?

>
> I may have misunderstood the IGE paper, but I believe it
> includes proofs for error propagation in biIGE. Obviously if
> you can prove that errors always propagate (with high
> probability, of course) then you can have authentication
> cheaply - in comparison to the already high cost of biIGE, that is.
>

If you want authentication, then authenticate. Use something with known security properties. So instead of running over the plaintext twice like with forward/backward IGE, try something like EAX, which is essentially counter mode with CBC-MAC for explicit authentication. Comes with proofs of security.

But then, maybe I did not understand your problem (see above).

Regards,
Ulrich
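
Added example, not part of either message and not OpenSSL's code: a sketch of the error-propagation behaviour discussed in the quoted text, comparing one-directional IGE with IGE applied twice, once in each direction. The block cipher is a toy Feistel construction standing in for AES, the function names are hypothetical, and all keys, IVs and plaintext are constructed.

```python
import hashlib
BS = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BS // 2]

def E(key, blk):  # toy 4-round Feistel permutation: stand-in for AES, not secure
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key, blk):  # inverse of E
    l, r = blk[:BS // 2], blk[BS // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def ige(key, iv, blocks, decrypt=False):
    # Encrypt: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}; decrypt: p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}
    c0, p0 = iv
    f = D if decrypt else E
    prev_in, prev_out = (c0, p0) if decrypt else (p0, c0)
    out = []
    for b in blocks:
        o = xor(f(key, xor(b, prev_out)), prev_in)
        out.append(o)
        prev_in, prev_out = b, o
    return out

def bi_ige(keys, ivs, blocks, decrypt=False):
    # IGE applied twice, once in each direction (second pass runs last block first)
    if decrypt:
        mid = ige(keys[1], ivs[1], blocks[::-1], decrypt=True)[::-1]
        return ige(keys[0], ivs[0], mid, decrypt=True)
    mid = ige(keys[0], ivs[0], blocks)
    return ige(keys[1], ivs[1], mid[::-1])[::-1]

def damaged(bidirectional, flip_block, n=6):
    # Constructed keys, IVs and plaintext; returns indices of blocks that decrypt wrongly
    keys, ivs = (b"k1", b"k2"), ((b"A" * BS, b"B" * BS), (b"C" * BS, b"D" * BS))
    pt = [bytes([i]) * BS for i in range(n)]
    ct = bi_ige(keys, ivs, pt) if bidirectional else ige(keys[0], ivs[0], pt)
    ct[flip_block] = xor(ct[flip_block], b"\x01" + bytes(BS - 1))  # one-bit error
    got = bi_ige(keys, ivs, ct, True) if bidirectional else ige(keys[0], ivs[0], ct, True)
    return [i for i in range(n) if got[i] != pt[i]]
```

Calling `damaged(False, 3)` and `damaged(True, 3)` shows the difference: with a single pass the blocks before the flipped one still decrypt correctly, while the two-pass variant garbles every block.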