I’ve just finished adding Infinite Garble Extension (IGE) mode for AES to OpenSSL.
IGE has the cute property that if you corrupt the ciphertext, then the plaintext is corrupted all the way from that point forwards – cryptographically corrupt, of course, so the plaintext is essentially unpredictable from the corruption forwards.
Why is this useful? One compelling reason is integrity checking. In order to be sure the received message is intact, I can simply append a block that is all zeroes. If, when I decrypt, the final block is not all zeroes, then I know the ciphertext has been tampered with. If it is all zeroes, then I know (to within a subatomic fraction) that the ciphertext is intact.
Another is Minx, a system for anonymising Internet traffic which defeats traffic marking attacks by making all packets valid, and all damage to packets comprehensive. Minx uses a variant on IGE, bi-directional IGE (biIGE), which spreads damage to the ciphertext over the whole plaintext. This is also implemented in OpenSSL.
I wrote a brief paper on OpenSSL’s implementation of IGE and biIGE modes. It includes test vectors.
Snapshots of OpenSSL 0.9.8 should include it, and the head will also have it shortly.