Determine interest: AES with IGE mode?

[Ben Wiederhake]

Hello,

>> Personally, I now have the choice between implementing it only for
>> libtgl, or implementing it for libgcrypt.
>
> While this is very interesting it does lack some use cases, like, why would
> someone want to use this instead of CBC.

No idea. I don't really see the point of IGE. I'm not a 
crypto-specialist or anything.

I don't propose this in order to have a "new fancy whatever" in 
libgcrypt, but in order to fill-in a hole. libgcrypt is a near-drop-in 
replacement for OpenSSL, but AES_IGE is missing.

> Also, some notes on your PDF dissertation:

I didn't write that dissertation, and think that it is confusing the 
topics of authentication and encryption, and handles both of them 
half-heartedly; instead of properly handling them separately with 
well-known, pre-existing cryptographic building blocks.

> - You claim it corrupts plaintext on any error in ciphertext, can you provide
>   some proof over that.

I didn't write that dissertation, and therefore don't claim it.

However, there is a good argument for this claim: The old ciphertext is 
part of the IV for the next block, thus affecting the encryption of 
*everything* after it in the stream.

> - The IGE mode of operation could be explained better, at the moment it's
>   quite terse. Same goes for BIGE.

Yup.

But people out there have to implement algorithms and protocols that use 
AES_IGE. We're restricted to GPL-compatible software, and there is 
literally nothing out there providing AES_IGE while being GPL-compatible.

I want to change that, by pushing AES_IGE into libgcrypt.

> - "Note that the second part of this chaining sequence appears to be
>   incorrectly specified in the original paper.", can you elaborate on
>   this claim?

If one implements the algorithm as-is from the [1] paper, the results 
differ from the results given as test vectors.

If I change the assumed order (see my gist [2]), everything works out.

I have generated additional test vectors (see my gist [2]) using 
OpenSSL, always with the same result.

> - is there any research done on this algorithm other than that one paper
>   wrote by Donescu and Gligor in 2000?

Good question. Just like I already said in my first mail on this topic:

"Barely anyone uses [IGE], but those who do (e.g. implementors of the 
Telegram Protocol, i.e., libtgl) usually have no other choice."

If there are any concrete concerns about security, it may be worth to 
put it into libgcrypt as deprecated. Then:
- People who desparately need AES_IGE (like us) have access to it.
- People who don't really require it can see that it is deprecated.

With regards,
Ben Wiederhake

[1]: http://www.links.org/files/openssl-ige.pdf
[2]: https://gist.github.com/BenWiederhake/3c4f5923928be8a34da6