Determine interest: AES with IGE mode?

Ben Wiederhake ben.wiederhake at gmail.com
Mon Sep 28 17:14:26 CEST 2015


Hello,

OpenSSL offers a cipher mode called "IGE" (Infinite Garble Extension), 
mainly for AES encryption. Barely anyone uses it, but those who do (e.g. 
implementors of the Telegram Protocol, i.e., libtgl) usually have no 
other choice.
AES with IGE mode is not available in libgcrypt (nor in a lot of other 
crypto libraries), so libtgl is currently locked in to OpenSSL because of that.

Personally, I now have the choice between implementing it only for 
libtgl, or implementing it for libgcrypt.

IGE mode is well explained in the (non-OpenSSL licensed) documentation 
from OpenSSL about that mode [1], and a bit more mathematically detailed 
in the original paper [2] (especially page 16), so:
- it is easily possible to implement it in not too many lines of code.
- there are definitely no conflicts with the GPL here, as there is no 
OpenSSL-licensed resource involved at all.

I'd love to see AES-IGE (specifically AES256-IGE) available for 
everyone, not just libtgl. But before I dig into libgcrypt and 
understand where I have to start adding the code, I'd like to know:

Is there any interest in having AES-IGE in libgcrypt?

As a kind of sales pitch, here are some arguments:
- You benefit: All other people who try to get away from OpenSSL now 
have one less obstacle in their way.
- We benefit: Instead of having a few non-crypto-savvy people work on a 
security-critical component, we could use a dedicated library; just like 
with other important things like SHA1, RSA etc.

So, what do you think?

With regards,
Ben Wiederhake

[1] http://www.links.org/files/openssl-ige.pdf
[2] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ige/ige-spec.pdf
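
The chaining that IGE performs, sketched as an added example (not part of the original message and not code from OpenSSL, libgcrypt or libtgl); it goes one step beyond the message by also showing the error propagation the mode is named for. Assumptions: `toy_block` is a constructed stand-in permutation, not AES, and the 32-byte IV is read as c_0 followed by p_0, the layout used by OpenSSL's `AES_ige_encrypt`.

```c
#include <stdint.h>
#include <string.h>
#define BLK 16

/* Constructed stand-in 128-bit block permutation: NOT AES, not secure, only invertible and nonlinear. */
static uint32_t mix(const uint32_t v[4], int r, const uint32_t k[4]) {
    uint32_t a = v[(r + 1) & 3], b = v[(r + 2) & 3], c = v[(r + 3) & 3];
    return (((a << 4) ^ (a >> 5)) + b) ^ (c + k[r & 3] + 0x9E3779B9u * (uint32_t)r);
}
void toy_block(const uint32_t k[4], uint8_t b[BLK], int enc) {
    uint32_t v[4]; memcpy(v, b, BLK);
    for (int n = 0; n < 32; n++) {
        int r = enc ? n : 31 - n;          /* decryption undoes the rounds in reverse */
        v[r & 3] += enc ? mix(v, r, k) : 0u - mix(v, r, k);
    }
    memcpy(b, v, BLK);
}

/* IGE chaining; len must be a multiple of 16. iv[0..15] acts as c_0, iv[16..31] as p_0.
   Encrypt: c_i = E(p_i ^ c_{i-1}) ^ p_{i-1}.  Decrypt: p_i = D(c_i ^ p_{i-1}) ^ c_{i-1}. */
void ige_crypt(int enc, const uint32_t k[4], const uint8_t iv[2 * BLK],
               const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t prev_in[BLK], prev_out[BLK], cur[BLK], x[BLK];
    memcpy(prev_out, iv + (enc ? 0 : BLK), BLK);   /* previous block on the output side */
    memcpy(prev_in, iv + (enc ? BLK : 0), BLK);    /* previous block on the input side */
    for (size_t off = 0; off < len; off += BLK) {
        memcpy(cur, in + off, BLK);
        for (int j = 0; j < BLK; j++) x[j] = cur[j] ^ prev_out[j];
        toy_block(k, x, enc);                      /* a real build would call AES here */
        for (int j = 0; j < BLK; j++) x[j] ^= prev_in[j];
        memcpy(prev_in, cur, BLK); memcpy(prev_out, x, BLK);
        memcpy(out + off, x, BLK);
    }
}

/* Bit b set: decrypted block b changed after one ciphertext bit flip in block 1; -1: round trip failed. */
int ige_garble_demo(void) {
    const uint32_t key[4] = {1, 2, 3, 4};                      /* constructed sample key */
    uint8_t iv[2 * BLK], pt[4 * BLK], ct[4 * BLK], back[4 * BLK]; int mask = 0;
    memset(iv, 0xA5, sizeof iv);                               /* constructed sample IV */
    for (int i = 0; i < 4 * BLK; i++) pt[i] = (uint8_t)i;      /* constructed plaintext */
    ige_crypt(1, key, iv, pt, ct, sizeof pt);
    ige_crypt(0, key, iv, ct, back, sizeof ct);
    if (memcmp(pt, back, sizeof pt) != 0) return -1;
    ct[BLK] ^= 0x01;                                           /* tamper with block 1 */
    ige_crypt(0, key, iv, ct, back, sizeof ct);
    for (int b = 0; b < 4; b++) if (memcmp(pt + b * BLK, back + b * BLK, BLK)) mask |= 1 << b;
    return mask;
}
```

Block 0 decrypts unchanged while block 1 and every block after it come out garbled, which is the behaviour that separates IGE from CBC, where only two blocks would be affected.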



More information about the Gcrypt-devel mailing list