Landon Noll wrote:
[...] In proposing any cryptographic process, it is important to analyze the strengths and weaknesses of the proposal. This information must be presented so that current and future readers can better evaluate the adequacy of the standard to this given environment / application.
I fully agree, but still contend that talking about how many bits are leaked after 2^64 blocks is utterly irrelevant to assessing the security of LRW (or GCM, or any other mode for that matter). There is a common rule-of-thumb saying that you should not be using a single AES key for more than something like 2^40 or 2^50 blocks. After that, the fact that AES is a permutation (rather than a random function) starts to be noticeable. We may want to mention this somewhere in the standard. But this is not because of LRW specifically, it applies to most (if not all) modes-of-operation that use a cipher with 128-bit blocks. And I don't think that the standard should discuss what can go wrong when using the same key for too many blocks. There are many many things that can go wrong, but for me it suffices that the provable bounds of security deteriorate at this point. -- Shai
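The "permutation rather than random function" effect Shai refers to is the PRP/PRF switching bound: with q queries to an n-bit block cipher, the advantage of telling it apart from a random function is at most q(q-1)/2^(n+1), which is negligible at 2^40 or 2^50 blocks and reaches about 1/2 at 2^64 for n = 128. The following is an added worked example, not part of the mailing-list thread; it evaluates that bound for the block counts mentioned above and, on a constructed 16-bit toy (random permutation versus random lookup table, not AES), shows the observable symptom: a random function repeats an output after roughly 2^(n/2) distinct inputs, while a permutation never does.

```python
import math
import random
from typing import Callable, Dict, Optional


def prp_prf_distinguishing_bound(q: int, n: int = 128) -> float:
    """Upper bound on the advantage of distinguishing an n-bit random
    permutation from an n-bit random function using q distinct queries:
    q * (q - 1) / 2^(n + 1)  (the PRP/PRF switching lemma)."""
    return q * (q - 1) / 2 ** (n + 1)


def log2_blocks_for_advantage(target: float, n: int = 128) -> float:
    """log2 of the number of blocks q at which q^2 / 2^(n+1) reaches `target`.
    For n = 128 and target = 1/2 this is 64, the figure quoted in the thread."""
    return math.log2(math.sqrt(target * 2 ** (n + 1)))


def first_collision(f: Callable[[int], int], max_queries: int) -> Optional[int]:
    """Query f on the distinct inputs 0, 1, 2, ... and return the index of the
    first query whose output repeats an earlier one, or None if no output
    repeats within max_queries queries."""
    seen = set()
    for x in range(max_queries):
        y = f(x)
        if y in seen:
            return x
        seen.add(y)
    return None


def simulate_toy(n_bits: int = 16, seed: int = 1) -> Dict[str, Optional[int]]:
    """Constructed toy with n_bits-bit 'blocks' (assumption: 16 bits, so the
    whole domain is enumerable). A random permutation stands in for a block
    cipher; a random lookup table stands in for a random function."""
    rng = random.Random(seed)
    size = 1 << n_bits
    perm = list(range(size))
    rng.shuffle(perm)                                   # random permutation
    func = [rng.randrange(size) for _ in range(size)]   # random function
    return {
        "permutation": first_collision(lambda x: perm[x], size),  # expect None
        "function": first_collision(lambda x: func[x], size),     # expect ~2^(n/2)
    }


if __name__ == "__main__":
    for log_q in (40, 50, 64):
        print(f"q = 2^{log_q}: advantage bound = {prp_prf_distinguishing_bound(2 ** log_q):.3e}")
    print(f"bound reaches 1/2 at q = 2^{log2_blocks_for_advantage(0.5):.1f}")
    print("toy (16-bit):", simulate_toy())
```

The simulation uses only a 16-bit domain so the entire table fits in memory; the collision index for the random function lands in the low hundreds (the birthday region of 2^8 = 256), which is exactly the signal that the switching bound says becomes available after roughly 2^64 blocks for a 128-bit cipher.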