Title: RE: p1619 (disk): Security concerns of LRW and an alternative mode

> This document discusses ways to attack LRW through algebraic weaknesses in
> the Galois Multiplier.  This attack becomes strong if Key2 (K2) looks
> similar to the plaintext (e.g. if K2 is an ASCII password).  The result of
> this attack is to leak 128-bits of plaintext for each detected collision
> (similar to ECB mode).  A covert channel within LRW is discussed.
> Lastly, an alternative mode is proposed that eliminates these weaknesses.

Matt Ball's alternative mode has merit and should be given some consideration.

Regarding Shai's comment:

> I strongly disagree that these are security issues. LRW (like pretty much
> every crypto algorithm) needs random keys. If you use it with keys that
> are not random, you deserve what's coming to you. There are many
> established ways to derive cryptographic keys, and all of them are
> adequate also for LRW.

Needing random keys is insufficient in my opinion.  Simply saying "pick keys at random" is not a solution if weak keys under the current LRW proposal exist.  An advantage of Matt Ball's proposal is that this potential weak key issue is bypassed.

chongo (Landon Curt Noll) /\oo/\
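Added illustration, not part of the thread or of any P1619 draft: a Python model of LRW block encryption with the GF(2^128) tweak T_i = K2 * i, showing the "collision" relation behind the quoted remark that each detected collision leaks 128 bits of plaintext. A 4-round SHA-256 Feistel permutation stands in for AES as E_K1 so the example runs offline; the keys and disk blocks are constructed, and K2 is deliberately an ASCII-looking value to model the weak-key case the summary describes.

```python
# Added example (not from the thread): LRW over a toy block cipher, with the
# GF(2^128) "Galois multiplier" tweak and an audit helper that counts the
# plaintext blocks whose cipher inputs P_i xor T_i coincide.
import hashlib

MASK128 = (1 << 128) - 1
MASK64 = (1 << 64) - 1


def gf128_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1 (bit k = x^k).
    This is the multiplier that produces the LRW tweak T_i = K2 * i."""
    r = 0
    for _ in range(128):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & MASK128
        if carry:
            a ^= 0x87
    return r


def _round(k: bytes, rnd: int, half: int) -> int:
    # SHA-256 based round function for the toy Feistel cipher (stand-in, not AES).
    digest = hashlib.sha256(k + bytes([rnd]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def toy_encrypt(k1: bytes, block: int) -> int:
    """4-round Feistel permutation on a 128-bit block; plays the role of E_K1."""
    l, r = block >> 64, block & MASK64
    for rnd in range(4):
        l, r = r, l ^ _round(k1, rnd, r)
    return (l << 64) | r


def toy_decrypt(k1: bytes, block: int) -> int:
    l, r = block >> 64, block & MASK64
    for rnd in reversed(range(4)):
        l, r = r ^ _round(k1, rnd, l), l
    return (l << 64) | r


def lrw_tweak(k2: int, i: int) -> int:
    """T_i = K2 * i in GF(2^128); i is the block index and must be non-zero."""
    return gf128_mul(k2, i)


def lrw_encrypt_block(k1: bytes, k2: int, i: int, p: int) -> int:
    """LRW: C_i = E_K1(P_i xor T_i) xor T_i."""
    t = lrw_tweak(k2, i)
    return toy_encrypt(k1, p ^ t) ^ t


def lrw_decrypt_block(k1: bytes, k2: int, i: int, c: int) -> int:
    t = lrw_tweak(k2, i)
    return toy_decrypt(k1, c ^ t) ^ t


def masked_input_collisions(k2: int, blocks: dict) -> list:
    """Return index pairs (i, j) whose cipher inputs P_i xor T_i coincide.
    For such a pair, C_i xor C_j == T_i xor T_j == P_i xor P_j, so knowing
    one plaintext block gives the other outright: the ECB-like leak the
    summary mentions. This is an audit helper: whoever holds K2 can run it
    over a disk image to measure how much correlation between K2 and the
    stored data actually exists (e.g. when K2 came from an ASCII password
    that is also written to disk)."""
    seen = {}
    pairs = []
    for i, p in blocks.items():
        x = p ^ lrw_tweak(k2, i)
        if x in seen:
            pairs.append((seen[x], i))
        else:
            seen[x] = i
    return pairs


def xor_leak(ci: int, cj: int) -> int:
    """For a colliding pair the ciphertext XOR equals the plaintext XOR."""
    return ci ^ cj


if __name__ == "__main__":
    K1 = b"\x00" * 16  # constructed demo key
    K2 = int.from_bytes(b"password12345678", "big")  # constructed ASCII-like K2
    # Constructed disk: block 1 holds K2 itself (T_1 == K2), block 3 holds K2*3.
    blocks = {1: K2, 2: 0x1234, 3: lrw_tweak(K2, 3)}
    pairs = masked_input_collisions(K2, blocks)
    for i, j in pairs:
        ci = lrw_encrypt_block(K1, K2, i, blocks[i])
        cj = lrw_encrypt_block(K1, K2, j, blocks[j])
        print(f"blocks {i},{j} collide; C_i^C_j == P_i^P_j:",
              xor_leak(ci, cj) == blocks[i] ^ blocks[j])
```

The relation is independent of the block cipher: once two cipher inputs coincide, the XOR of the two ciphertexts is fixed by the tweaks alone, which is why a random, data-independent K2 matters more for LRW than for a mode whose mask is not multiplied from a key.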
