Determine interest: AES with IGE mode?
Ben Wiederhake
ben.wiederhake at gmail.com
Tue Sep 29 17:31:58 CEST 2015
Hello,
>> Personally, I now have the choice between implementing it only for
>> libtgl, or implementing it for libgcrypt.
>
> While this is very interesting it does lack some use cases, like, why would
> someone want to use this instead of CBC.
No idea. I don't really see the point of IGE. I'm not a
crypto-specialist or anything.
I don't propose this in order to have a "new fancy whatever" in
libgcrypt, but in order to fill-in a hole. libgcrypt is a near-drop-in
replacement for OpenSSL, but AES_IGE is missing.
> Also, some notes on your PDF dissertation:
I didn't write that dissertation, and think that it is confusing the
topics of authentication and encryption, and handles both of them
half-heartedly; instead of properly handling them separately with
well-known, pre-existing cryptographic building blocks.
> - You claim it corrupts plaintext on any error in ciphertext, can you provide
> some proof over that.
I didn't write that dissertation, and therefore don't claim it.
However, there is a good argument for this claim: The old ciphertext is
part of the IV for the next block, thus affecting the encryption of
*everything* after it in the stream.
> - The IGE mode of operation could be explained better, at the moment it's
> quite terse. Same goes for BIGE.
Yup.
But people out there have to implement algorithms and protocols that use
AES_IGE. We're restricted to GPL-compatible software, and there is
literally nothing out there providing AES_IGE while being GPL-compatible.
I want to change that, by pushing AES_IGE into libgcrypt.
> - "Note that the second part of this chaining sequence appears to be
> incorrectly specified in the original paper.", can you elaborate on
> this claim?
If one implements the algorithm as-is from the [1] paper, the results
differ from the results given as test vectors.
If I change the assumed order (see my gist [2]), everything works out.
I have generated additional test vectors (see my gist [2]) using
OpenSSL, always with the same result.
> - is there any research done on this algorithm other than that one paper
> wrote by Donescu and Gligor in 2000?
Good question. Just like I already said in my first mail on this topic:
"Barely anyone uses [IGE], but those who do (e.g. implementors of the
Telegram Protocol, i.e., libtgl) usually have no other choice."
If there are any concrete concerns about security, it may be worth to
put it into libgcrypt as deprecated. Then:
- People who desparately need AES_IGE (like us) have access to it.
- People who don't really require it can see that it is deprecated.
With regards,
Ben Wiederhake
[1]: http://www.links.org/files/openssl-ige.pdf
[2]: https://gist.github.com/BenWiederhake/3c4f5923928be8a34da6
More information about the Gcrypt-devel
mailing list