Hi Jim,
On Dec 14, 2005, at 9:13 AM, [EMAIL PROTECTED] wrote:
> Can the LRW-AES algorithm be used for authenticated encryption
> for tapes?
>
> With a superficial look, it seems like the following authentication
> scheme works.
>
> C_i = LRW-AES( K1, K2, P_i, i )
> MAC = LRW-AES( K1, K2, CHECKSUM( P_0 ... P_n ), (n+1) )
>
> Obviously the key can't be reused since two encrypted data sets with
> the same key can be cut and mixed to produce a third that passes
> authentication.
If I understand you correctly, then this MAC is vulnerable whenever
there is known plaintext. If an attacker can substitute one
ciphertext block C_j for another value C'_j, such that the
corresponding plaintext values P_j and P'_j both make the same
contribution to the checksum, then the MAC would be unable to detect
this modification. In general, an attacker could manipulate multiple
blocks as well. If the checksum is unkeyed, then the attacker will
very often be able to manipulate the checksum value by manipulating
ciphertext, assuming of course that the attacker has knowledge about
the plaintext blocks.
I've assumed here that the attacker is able to observe multiple
plaintext/ciphertext values that occur *at the same location* on the
disk or tape. It is probably safest to assume this, though in
practice our biggest threat may not be the attacker who can observe
the disk or tape for a long period of time.
> This algorithm is fully parallelizable and requires fewer gates for
> hardware implementation of the GF multiplication than the proposed
> GCM mode.
Do you mean because the LRW multiply can be implemented in a smaller
circuit, since it is invoked only at the beginning of an encrypt
operation, and a separate circuit is used to compute the "offset"
values?
David
> Also, the decrypted MAC will be a checksum which will catch any bit
> errors that might occur within the AES logic block. This does not
> seem to be the case for GCM.
>
> Sorry if I am overlooking anything stupid.
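The scheme quoted above and the known-plaintext splice David describes, as an added example that is not part of this thread and not code from either correspondent. It assumes a toy SHA-256 Feistel block cipher in place of AES (the attack does not depend on the cipher), an unkeyed XOR checksum for CHECKSUM, and two constructed sample tapes written under the same K1/K2; the keys, tape contents and block positions are all made up for the demo.

```python
import hashlib
import os
from functools import reduce

BLOCK = 16  # 128-bit blocks, as with AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher: 4-round SHA-256 Feistel standing in for AES (demo only).
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return r + l

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(4)):
        r, l = l, xor(r, _f(key, i, l))
    return l + r

def gf128_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:  # reduce modulo x^128 + x^7 + x^2 + x + 1
            a ^= (1 << 128) | 0x87
    return r

# LRW: C = E_K1(P xor T) xor T, with tweak T = K2 * i in GF(2^128).
def _tweak(k2: bytes, i: int) -> bytes:
    return gf128_mul(int.from_bytes(k2, "big"), i).to_bytes(BLOCK, "big")

def lrw_encrypt(k1, k2, block, i):
    t = _tweak(k2, i)
    return xor(toy_encrypt(k1, xor(block, t)), t)

def lrw_decrypt(k1, k2, block, i):
    t = _tweak(k2, i)
    return xor(toy_decrypt(k1, xor(block, t)), t)

def xor_checksum(blocks):
    return reduce(xor, blocks, bytes(BLOCK))  # unkeyed, linear checksum

# The quoted scheme: C_i = LRW(P_i, i); MAC = LRW(CHECKSUM(P_0..P_n), n+1).
def seal_tape(k1, k2, pt):
    ct = [lrw_encrypt(k1, k2, p, i) for i, p in enumerate(pt)]
    return ct, lrw_encrypt(k1, k2, xor_checksum(pt), len(pt))

def open_tape(k1, k2, ct, mac):
    """Decrypt and return the plaintext blocks, or None if the MAC fails."""
    pt = [lrw_decrypt(k1, k2, c, i) for i, c in enumerate(ct)]
    return pt if lrw_decrypt(k1, k2, mac, len(ct)) == xor_checksum(pt) else None

# The attack: with known plaintext for tapes A and B written under the same
# K1/K2 at the same positions, any j != k with P^A_j xor P^B_j == P^A_k xor
# P^B_k can both be taken from B; the XOR checksum is unchanged, so A's MAC
# still verifies the spliced tape.
def forge(ct_a, mac_a, pt_a, ct_b, pt_b):
    seen = {}
    for i, (a, b) in enumerate(zip(pt_a, pt_b)):
        d = xor(a, b)
        if d in seen:
            j, k = seen[d], i
            forged = list(ct_a)
            forged[j], forged[k] = ct_b[j], ct_b[k]
            return forged, mac_a, (j, k)
        elif any(d):  # identical blocks (d == 0) would be a no-op splice
            seen[d] = i
    return None  # no usable pair of positions in these two tapes

# Constructed sample tapes: fixed-width records with a repeated amount field.
TAPE_A = [b"TAPE-A HEADER   ", b"acct=1001 type=S", b"amount=00100.00 ",
          b"acct=1002 type=C", b"amount=00250.00 ", b"amount=00100.00 ",
          b"end-of-batch    "]
TAPE_B = [b"TAPE-Z HEADER   ", b"acct=2001 type=S", b"amount=09900.00 ",
          b"acct=3002 type=C", b"amount=00250.00 ", b"amount=09900.00 ",
          b"end-of-batch    "]

def demo(k1=None, k2=None):
    k1, k2 = k1 or os.urandom(16), k2 or os.urandom(16)
    ct_a, mac_a = seal_tape(k1, k2, TAPE_A)
    ct_b, _ = seal_tape(k1, k2, TAPE_B)
    single = ct_a[:2] + [ct_b[2]] + ct_a[3:]  # one swapped block: checksum changes
    forged_ct, forged_mac, positions = forge(ct_a, mac_a, TAPE_A, ct_b, TAPE_B)
    return {"honest": open_tape(k1, k2, ct_a, mac_a) == TAPE_A,
            "single_block_detected": open_tape(k1, k2, single, mac_a) is None,
            "positions": positions,  # (2, 5) for the tapes above
            "recovered": open_tape(k1, k2, forged_ct, forged_mac)}
```

Running demo() shows the contrast in the reply above: a single substituted block changes the XOR and is rejected, but the paired splice at positions 2 and 5 passes with tape A's original MAC, and the recovered plaintext now carries tape B's amounts. The condition the attacker has to satisfy is on known plaintext alone, never on the key, which is what an unkeyed linear checksum gives away.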