David Wagner <[EMAIL PROTECTED]> writes: >That is indeed an interesting requirement, and one that seems to legitimately >rule out a number of existing modes of operation for IEEE P1619.
>From reading through the followup discussions, I think there's a strong desire to not standardise something that's very brittle (think RC4). For example in a later followup the same person who pointed out the LRW issues thought that one widely-deployed implementation, TrueCrypt, might have fallen into this trap. Luckily it didn't, but it was a sign that LRW may be just a bit too brittle to safely deploy, particularly when the intended audience is embedded systems and ASIC engineers and not cryptographers. So the current recommendation is to go to XTS (sometimes, confusingly, referred to as XEX), which can be implemented using existing IP blocks developed for AES-GCM. There are already several vendors shipping IP for AES-XTS. Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
