Ben Laurie blathering

Infinite Garble Extension

I’ve just finished adding Infinite Garble Extension (IGE) mode for AES to OpenSSL.

IGE has the cute property that if you corrupt the ciphertext, then the plaintext is corrupted all the way from that point forwards – cryptographically corrupt, of course, so the plaintext is essentially unpredictable from the corruption forwards.

Why is this useful? One compelling reason is integrity checking. In order to be sure the received message is intact, I can simply append a block that is all zeroes. If, when I decrypt, the final block is not all zeroes, then I know the ciphertext has been tampered with. If it is all zeroes, then I know (to within a subatomic fraction) that the ciphertext is intact.

Another is Minx, a system for anonymising Internet traffic which defeats traffic marking attacks by making all packets valid, and all damage to packets comprehensive. Minx uses a variant on IGE, bi-directional IGE (biIGE), which spreads damage to the ciphertext over the whole plaintext. This is also implemented in OpenSSL.

I wrote a brief paper on OpenSSL’s implementation of IGE and biIGE modes. It includes test vectors.

Snapshots of OpenSSL 0.9.8 should include it, and the head will also have it shortly.


  1. Ben:

    1) I’m not sold on why this is better than CBC mode. CBC also gets corrupted if the ciphertext is changed. Could you explain?

    2) Appending zeros at the end of the stream gives the attacker some information to attack. Why not hash the data while encrypting (append it to the end) and compare it to a hash while decrypting?

    Comment by Ryan — 31 Aug 2006 @ 3:00

  2. 1) CBC corruption does not extend indefinitely, it repairs itself after two blocks.

    2a) By \”information to attack\” I presume you mean a crib. I can\’t get too excited about that, since brute force attacks are computationally infeasible.

    2b) In environments with limited processing power its much cheaper to do an exclusive or (which is the difference between IGE and CBC) than to compute a hash (I presume you meant an HMAC, btw, otherwise the hash is also a crib).

    Comment by Ben — 31 Aug 2006 @ 11:00

  3. This is good stuff, thank you Ben!

    Comment by Steve Lord — 9 Sep 2006 @ 2:09

  4. […] A while back I posted about IGE mode in OpenSSL. […]

    Pingback by Links » IGE Isn’t Good for Authentication — 9 Sep 2006 @ 22:24

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress