OpenSSL s Implementation of Infinite Garble Extension Version 0.1. Ben Laurie

Similar documents
CIS-331 Spring 2016 Exam 1 Name: Total of 109 Points Version 1

CIS-331 Fall 2014 Exam 1 Name: Total of 109 Points Version 1

CIS-331 Exam 2 Fall 2015 Total of 105 Points Version 1

CIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1

4. Specifications and Additional Information

Stream Ciphers and Block Ciphers

CIS-331 Exam 2 Fall 2014 Total of 105 Points. Version 1

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Fundamentals of Cryptography

CIS-331 Exam 2 Spring 2016 Total of 110 Points Version 1

The cache is 4-way set associative, with 4-byte blocks, and 16 total lines

Day 6: Triangle Congruence, Correspondence and Styles of Proof HOMEWORK

Enhanced Play Fair Cipher

Triple DES and AES 192/256 Implementation Notes

Stream Ciphers and Block Ciphers

One subset of FEAL, called FEAL-NX, is N round FEAL using a 128-bit key without key parity.

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

APPLESHARE PC UPDATE INTERNATIONAL SUPPORT IN APPLESHARE PC

Gateway Ascii Command Protocol

C1098 JPEG Module User Manual

ECHO Process Instrumentation, Inc. Modbus RS485 Module. Operating Instructions. Version 1.0 June 2010

Experiments in musical similarity.

Transactions in Euclidean Geometry

UNH-IOL MIPI Alliance Test Program

Cryptanalysis of the Dragonfly Key Exchange Protocol

DBK24. Isolated Digital Output Chassis. Overview

July Registration of a Cyrillic Character Set. Status of this Memo

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

6.1 Combinational Circuits. George Boole ( ) Claude Shannon ( )

AIT 682: Network and Systems Security

Euclid. Father of Geometry Euclidean Geometry Euclid s Elements

Cryptanalysis of the GOST Hash Function

CIS-331 Final Exam Spring 2015 Total of 115 Points. Version 1

ZN-DN312XE-M Quick User Guide

Using block ciphers 1

First Data Dual Interface EMV Test Card Set. Version 1.20

Cryptanalysis of the GOST Hash Function

First Data EMV Test Card Set. Version 1.30

Acquirer JCB EMV Test Card Set

Geometry Ch 4 Practice Exam

First Data EMV Test Card Set. Version 2.00

ETSI TS V ( )

TLS 1.2 Protocol Execution Transcript

Name Date Class. Vertical angles are opposite angles formed by the intersection of two lines. Vertical angles are congruent.

Last name... You must show full analytical work to receive full credit, even on the multiple choice problems.

CIS-331 Final Exam Spring 2018 Total of 120 Points. Version 1

Digital Lighting Systems, Inc.

3. Given the similarity transformation shown below; identify the composition:

Orbit Corporation CISCO ASA LAN Based Active / Standby Failover. Waqas

Libero. Integrated Design Environment (IDE) Frequently Asked Questions

2-Type Series Pressurized Closures

6. Specifications & Additional Information

Digital Lighting Systems, Inc. CD400-DMX DMX512 Four Channel Dimmer and Switch module

Research Article A Student Information Management System Based on Fingerprint Identification and Data Security Transmission

SPAREPARTSCATALOG: CONNECTORS SPARE CONNECTORS KTM ART.-NR.: 3CM EN

CMSC 313 Lecture 03 Multiple-byte data big-endian vs little-endian sign extension Multiplication and division Floating point formats Character Codes

SPARE CONNECTORS KTM 2014

BROKER_COUNT FRAMEWORK_NAME BROKER_DISK

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

ENGI 4421 Counting Techniques for Probability Page Example 3.01 [Navidi Section 2.2; Devore Section 2.3]

6.1 Font Types. Font Types

VM7000A PAPERLESS RECORDER COMMUNICATION FUNCTION OPERATION MANUAL

LAP 1 TOOLS OF GEOMETRY VOCABULARY, THEOREMS AND POSTULATES

Acquirer JCB Dual Interface EMV Test Card Set

Symmetric key cryptography

Block Cipher Modes of Operation

Custom Identity Confirmation Process

Math 2 Unit 2 Notes: DAY 1 Review Properties & Algebra Proofs

CIS-331 Final Exam Spring 2016 Total of 120 Points. Version 1

Life is what you make it. Mr. H s dad

CHAPTER TWO. . Therefore the oblong number n(n + 1) is double the triangular number T n. , and the summands are the triangular numbers T n 1 and T n.

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

A Novel FPGA Implementation of AES-128 using Reduced Residue of Prime Numbers based S-Box

Hash Constant C Determinants leading to collisionfree

RS 232 PINOUTS. 1. We use RJ12 for all of our RS232 interfaces (Link-2-Modbus & Link-2-PC- Serial/RS232). The diagram below shows our pin out.

Workgroup Bridges with PEAP Authentication Configuration Example

SKBI Cryptocurrency Technical Seminar Series Seminar 1: Basics: Cryptography and Transactions

your answer in scientific notation. 3.0

not to be republishe NCERT CHAPTER 8 QUADRILATERALS 8.1 Introduction

Chapter 13, Sequence Data Mining

TEST DVD-VIDEO/ DVD-ROM For Checking DVD Players, DVD Recorders and DVD Drives TDH-940

First Data DCC Test Card Set. Version 1.30

SEC X.2: Recommended Elliptic Curve Domain Parameters

2. In general, dilations do not preserve distance so they are not rigid transformations. Dilations cause the size of the shape to change.

Name: Extra Midterm Review January 2018

Congruent Polygons and Congruent Parts

Block Cipher Modes of Operation

EDR Report Information

PCL ISO 8859/5 Latin/Cyrillic

ENGINEERING COMMITTEE Digital Video Subcommittee AMERICAN NATIONAL STANDARD ANIS/SCTE

Proving Triangles and Quadrilaterals Satisfy Transformational Definitions

A Specification for Rijndael, the AES Algorithm

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 02, FALL 2012

Secret Key Cryptography

Answer Key. 7.1 Forms of Ratios. Chapter 7 Similarity. CK- 12 Basic Geometry Concepts 1. Answers. 1. a) 4: 3. b) 5: 8. c) 6: 19. d) 6: 8: 5 2.

For all questions, E. NOTA means none of the above answers is correct. Diagrams are NOT drawn to scale.

CDR File Information. Comments Direct PCM

ORF 307: Lecture 14. Linear Programming: Chapter 14: Network Flows: Algorithms

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Transcription:

OpenSSL s Implementation of Infinite Garble Extension Version 0.1 Ben Laurie (ben@links.org) August 30, 2006

1 Introduction Infinite Garble Extension (IGE) is a block cipher mode[1]. It has the property that errors are propagated forward indefinitely. Bi-directional IGE (biige) propogates errors in both directions: that is, any change to the ciphertext will cause all of the plaintext to be corrupted. IGE and biige have some leeway in their definitions admitting several possible implementations. This paper documents the way I chose to implement them in OpenSSL, and also provides test vectors. It also points out some implementation details that may not be obvious from the original papers. 2 IGE mode IGE mode uses the following chaining sequence y i = f K (x i y i 1 ) x i 1 (1) where f K is the underlying block cipher encrypting function with key K, i runs from 1 to n, and n is the number of plaintext blocks. This means that for the first output block, y 1, we need two non-existent inputs, y 0 and x 0. These correspond to the initialisation vector (IV) in more traditional modes such as CBC. The implementation specified in the original paper keeps the IV to a single random block by using a second encryption key, K and setting where l is the block size, in bits. x 0 = {0, 1} l (2) y 0 = f K (x 0 ) (3) I decided to use a more general implementation where both x 0 and y 0 are provided by the user, rather than using a second key to derive y 0. The implementation is otherwise as described in the original paper. This is for three reasons, firstly it is more efficient if both blocks are chosen randomly, and secondly because the original implementation can be expressed in terms of OpenSSL s implemention but the opposite is not the case. The third reason is to do with the way block cipher modes are often implemented because it is possible to encrypt each block as it becomes available, rather than waiting until the entire plaintext is available, many implementations (including OpenSSL s) make it possible to encrypt partial plaintexts. The necessary chaining information is commonly stored in the memory which was used for the IV. This makes perfect sense, because on subsequent calls to the encryption (or decryption) function, the output is exactly as if the chaining information had, in fact, been provided as an IV. The implementation as described maintains this possibility, which the original implementation does not. 1

Note, however, that this makes the IV two blocks long, instead of the usual one block. OpenSSL uses the convention that the first block of the IV is x 0 and the second block is y 0. 3 Bi-directional IGE mode Again, I opted for the most general possible implementation of biige. The chaining sequence for biige is z i = f(x i z i 1 ) x i 1 (4) y i = f (z n i+1 y i 1 ) z n i+2 (5) where f and f are two encryption fuctions (typically the same cipher with different keys), n is the total number of plaintext blocks and i runs from 1 to n. Again this leaves various values to be provided by the user, namely x 0, z 0, y 0 and z n+1. Note that the second part of this chaining sequence appears to be incorrectly specified in the original paper. Unlike IGE mode, chaining between partial plaintexts is not feasible. Note that the IV is four blocks long, rather than the usual one. OpenSSL uses the convention that the first block of the IV is x 0, the second z 0, the third z n+1 and the fourth y 0. 4 Test vectors 4.1 AES IGE Mode Test Vector 1 Key 1A8519A6 557BE652 E9DA8E43 DA4EF445 3CF456B4 CA488AA3 83C79C98 B34797CB 4.2 AES IGE Mode Test Vector 2 Key 54686973 20697320 616E2069 6D706C65 2

6D656E74 6174696F 6E206F66 20494745 206D6F64 6520666F 72204F70 656E5353 99706487 A1CDE613 BC6DE0B6 F24B1C7A A448C8B9 C3403E34 67A8CAD8 9340F53B 4C2E204C 65742773 20686F70 65204265 6E20676F 74206974 20726967 6874210A 4.3 AES Bi-directional IGE Mode Test Vector 1 Key 1 Key 2 20212223 24252627 28292A2B 2C2D2E2F 30313233 34353637 38393A3B 3C3D3E3F 14406FAE A279F256 1F86EB3B 7DFF53DC 4E270C03 DE7CE516 6A9C2033 9D33FE12 4.4 AES Bi-directional IGE Mode Test Vector 2 Key 1 580a06e9 9707595c 9e19d2a7 bb402b7a c7d8119e 4c513575 64280f23 ad74ac37 Key 2 d180a031 47a31113 86269e6d ffaf7274 5ba23581 d2a63d21 677b58a8 18f972e4 803dbd4c e67b06a9 5335d57e 71c17070 749a0028 0cbf6c42 9ba4dd65 11777c67 fe760af0 d5c66e6a e75e4cf2 7e9ef920 0e546f2d 8a8d7ebd 48793799 ff2793a3 3

f1543dca feb5ef1c 4fa643f6 e64857f0 ee157fe3 e72fd02f 11957a17 00aba70b be44099c cdaca852 a18e7b75 bca4925a ab46d33a a0d5351c 55a4b3a8 4081a50b 42e52830 31c2a023 68494eb3 24599279 c1a5cce6 7653b1cf 208623e8 72559992 0d161c5a 2fcecb51 e267fa10 eccd3d67 a5e6f731 26b00d76 5e28dc7f 01c5a54c References [1] P. Donescu V. Gligor. Infinite garble extension, November 2000. 4

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback