>>the difference [between LRW and EME] is the level of granularity. With 4KB LBA's the difference in granularity is 256 fold, not a trivial amount. I call 16-byte granularity very weak against traffic analysis, 4KB granularity somewhat weak. There are other alternatives, too, which are much better in this regard. I do not insist on reviving EME, especially because of the royalty issue. It can be prohibitively expensive at a volume of 100 million disk drives a year, we don't know the licensing conditions, so why should we spend our time on standardizing something we would never use?
Laszlo > -------- Original Message -------- > Subject: Re: wrong key behaviour > From: james hughes <[EMAIL PROTECTED]> > Date: Thu, December 22, 2005 8:00 pm > To: [EMAIL PROTECTED] > Cc: james hughes <[EMAIL PROTECTED]>, [EMAIL PROTECTED] > > On Dec 22, 2005, at 7:32 PM, [EMAIL PROTECTED] wrote: > > >>> a "wrong key behavior" can be beyond the scope > > The issue is rather: can the raw, encrypted data be read from the > > drive? > > Maybe, the standard could just say in the introduction that LRW is > > weak > > against traffic analysis, > > We know that LRW is vulnerable to a per 16 byte block code book > attack (active and passive). EME is vulnerable to a per sector code > book attack (again passive and active). So the difference is the > level of granularity. > > If you want EME or EME-like algorithm, make the proposal and we will > consider it on the P1619a round. > > Thanks > > jim
