Title: RE: p1619 (disk): Security concerns of LRW and an alternative mode

The proposal of using AES instead of GF multiply was discussed several years ago already. At that point the conclusion was that it buys us hardly anything but has higher implementation cost (GF multiply can be optimized for consecutive blocks). I did not hear anything new since these discussions.

-serge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Landon Noll
Sent: Thursday, December 22, 2005 5:17 PM
To: SISWG
Subject: RE: p1619 (disk): Security concerns of LRW and an alternative mode

> This document discusses ways to attack LRW through algebraic weaknesses in
> the Galois Multiplier.  This attack becomes strong if Key2 (K2) looks
> similar to the plaintext (e.g. if K2 is an ASCII password).  The result of
> this attack is to leak 128-bits of plaintext for each detected collision
> (similar to ECB mode).  A covert channel within LRW is discussed.
> Lastly, an alternative mode is proposed that eliminates these weaknesses.

Matt Ball's alternative mode has merit and should be given some consideration.

Regarding Shai's comment:

> I strongly disagree that these are security issues. LRW (like pretty much
> every crypto algorithm) needs random keys. If you use it with keys that
> are not random, you deserve what's coming to you. There are many
> established ways to derive cryptographic keys, and all of them are
> adequate also for LRW.

Needing random keys is insufficient in my opinion.  Simply saying "pick keys at random" is not a solution if weak keys under the current LRW proposal exist.  An advantage of Matt Ball's proposal is that this potential weak key issue is bypassed.

chongo (Landon Curt Noll) /\oo/\

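Two points in the thread are easier to see in code than in prose: Serge's remark that the GF multiply can be optimized for consecutive blocks, and the "similar to ECB mode" collision the quoted summary of Matt Ball's document refers to. The following is an added example written for this page; it is not code from the P1619 draft, from Matt Ball's document, or from any poster. It assumes one particular GF(2^128) convention (the 16-byte block read as a big-endian integer, reduced modulo x^128 + x^7 + x^2 + x + 1; the draft's bit ordering may differ), AES-128 as E_K1, block indices starting at 1, and constructed demo keys. The names TweakSequence, TweakDirect, LRW and CollidingPair are mine.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Block is a 128-bit value used both as an AES block and as an element of
// GF(2^128). Assumed convention: the 16 bytes are a big-endian integer,
// Hi = bytes 0..7, Lo = bytes 8..15, so the field element "1" is 00..01.
type Block struct{ Hi, Lo uint64 }

func FromBytes(b []byte) Block {
	return Block{binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:16])}
}

func (a Block) Bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[:8], a.Hi)
	binary.BigEndian.PutUint64(out[8:], a.Lo)
	return out
}

func (a Block) Xor(b Block) Block { return Block{a.Hi ^ b.Hi, a.Lo ^ b.Lo} }

// gfDouble multiplies by x modulo x^128 + x^7 + x^2 + x + 1: shift left one
// bit and, if a bit fell off the top, fold it back in as 0x87.
func gfDouble(a Block) Block {
	r := Block{a.Hi<<1 | a.Lo>>63, a.Lo << 1}
	if a.Hi>>63 == 1 {
		r.Lo ^= 0x87
	}
	return r
}

// GFMul is the general shift-and-add multiply: 128 doublings plus up to
// 128 XORs. This is the per-block cost the incremental tweak avoids.
func GFMul(a, b Block) Block {
	var r Block
	for i := 0; i < 128; i++ {
		word, shift := b.Lo, uint(i)
		if i >= 64 {
			word, shift = b.Hi, uint(i-64)
		}
		if (word>>shift)&1 == 1 {
			r = r.Xor(a)
		}
		a = gfDouble(a)
	}
	return r
}

// TweakDirect computes the LRW tweak T_i = K2 (x) i with a full multiply.
func TweakDirect(k2 Block, i uint64) Block { return GFMul(k2, Block{0, i}) }

// TweakSequence computes T_start .. T_{start+n-1} incrementally. Because
// i XOR (i+1) is always 2^(t+1)-1, t being the trailing zeros of i+1, and
// the multiply distributes over XOR, T_{i+1} = T_i XOR D[t] where
// D[t] = K2 (x) (2^(t+1)-1). With the 64 values D[t] precomputed, every
// consecutive tweak costs one XOR instead of a 128-step multiply.
func TweakSequence(k2 Block, start uint64, n int) []Block {
	var d [64]Block
	pow := k2 // tracks K2 (x) x^t
	d[0] = k2
	for t := 1; t < 64; t++ {
		pow = gfDouble(pow)
		d[t] = d[t-1].Xor(pow) // 2^(t+1)-1 = (2^t-1) + 2^t
	}
	out := make([]Block, n)
	t := TweakDirect(k2, start) // one full multiply seeds the run
	for k := 0; k < n; k++ {
		out[k] = t
		if k+1 < n {
			t = t.Xor(d[bits.TrailingZeros64(start+uint64(k)+1)])
		}
	}
	return out
}

// LRW applies C_i = E_K1(P_i XOR T_i) XOR T_i (or its inverse when decrypt
// is set) to consecutive whole blocks starting at block index start.
func LRW(k1 []byte, k2 Block, start uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(in)%16 != 0 {
		return nil, fmt.Errorf("input must be a multiple of 16 bytes")
	}
	c, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	n := len(in) / 16
	tw := TweakSequence(k2, start, n)
	out := make([]byte, len(in))
	for i := 0; i < n; i++ {
		x := FromBytes(in[16*i:]).Xor(tw[i]).Bytes()
		if decrypt {
			c.Decrypt(x, x)
		} else {
			c.Encrypt(x, x)
		}
		copy(out[16*i:], FromBytes(x).Xor(tw[i]).Bytes())
	}
	return out, nil
}

// CollidingPair shows the algebra behind the "similar to ECB" remark: when
// two blocks feed AES the same input (P_i XOR T_i == P_j XOR T_j), then
// C_i XOR C_j == T_i XOR T_j == K2 (x) (i XOR j) == P_i XOR P_j, so knowing
// one plaintext block gives the other. Given P_i it constructs the colliding
// P_j and returns (C_i XOR C_j, T_i XOR T_j) for comparison.
func CollidingPair(k1 []byte, k2 Block, i, j uint64, pi Block) (Block, Block, error) {
	ti, tj := TweakDirect(k2, i), TweakDirect(k2, j)
	pj := pi.Xor(ti).Xor(tj)
	ci, err := LRW(k1, k2, i, pi.Bytes(), false)
	if err != nil {
		return Block{}, Block{}, err
	}
	cj, err := LRW(k1, k2, j, pj.Bytes(), false)
	if err != nil {
		return Block{}, Block{}, err
	}
	return FromBytes(ci).Xor(FromBytes(cj)), ti.Xor(tj), nil
}

func main() {
	k2 := FromBytes([]byte("passw0rd-passw0r")) // constructed ASCII K2, the case the summary warns about
	for i, t := range TweakSequence(k2, 1, 4) {
		fmt.Printf("T_%d = %x  matches direct multiply: %v\n", i+1, t.Bytes(), t == TweakDirect(k2, uint64(i+1)))
	}
}
```

The tweak table costs 63 doublings once per K2; after that a run of consecutive sectors needs one full multiply to seed and one XOR per block, which is the optimization Serge refers to. CollidingPair does not show how an attacker detects a collision (that depends on guessing K2, the subject of the quoted document); it only verifies the identity that makes a detected one leak the XOR of two plaintext blocks.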