Some comments:

* The references throughout the document to "keyset" and "key pair" encourage discussions such as we've seen before about "what if K2 is chosen that way and K1 is chosen this way". Also, I don't know to what extent the sentence in section 4.3.1 (page 11)

    Key1 and Key2 should be chosen according to the methods described in [R2] and Key1 should be independent of Key2

  is understandable or accurate. For one thing, I didn't find [R2] anywhere in the document. But more to the point, if I use a "NIST blessed" method to choose a 32-byte key K and then set Key1 = 1st-16-bytes and Key2 = last-16-bytes, would that be compliant with the requirement that Key1 is independent of Key2? I attach at the end of this letter a proposal for alternate wording that refers to the LRW key as one key (of 32, 40 or 48 bytes) with Key1 and Key2 derived from it.

* Section 1.1 (page 5), 1st paragraph after the enumerated list, last sentence says "... without greatly expanding the number of keys". I do not understand what this refers to.

* Next paragraph: In the literature, what's called the "tweak" is the known value that is used as input to the transform (in our case, the position of the current block, or the variable i). But that paragraph says "the tweak value is computed from the secondary key and the logical position...", talking about the variable T. (This needs to be fixed throughout the document.)

* Last paragraph on page 5: I suggest the following alternate wording:

    This standard also contains a description of a key-export format. The goal is to ensure that a standard-compliant device that encrypts data using LRW-AES can export the key in a way that another standard-compliant device can later import the same key and decrypt the data.

* Section 3.5: add the concatenation symbol '|' (used in 4.1)

* Section 4.1, 2nd paragraph, the concatenation symbol '|' looks like a '1'

* Section 4.2 should either be moved before 4.1 or to an appendix. It is confusing to have it where it is now. Also, replace G with GF(2^128) everywhere. Also, that section still uses dot rather than 'x' for multiplication.

* There are two "Table 6", one in section 6.1.4 and one in 6.1.5

* Section 6.3, 2nd item:

    ... The cryptographic strength of wrapping keys should be equivalent to the strength of the storage encryption keys ...

  change to "... at least equivalent ..."

-- Shai

Proposed alternate wording for "key set":

* Introduction, 2nd paragraph:

    ... uses AES block cipher as a subroutine. LRW-AES uses a key of length 32, 40, or 48 bytes (of which 16, 24, or 32 bytes, respectively, are used to key the underlying AES block cipher). LRW-AES is a concrete instantiation of ...

* Paragraph minus 4 on page 5:

    ... described in Theorem 2 of [LRW02]. The tweak value is computed from the logical position ...

* Section 4.3.1

    C = LRW-AES(Key, P, i)
    where:
      Key is the 32, 40, or 48 byte key
      [...]

    The Key should be chosen according to the methods described in [put-correct-reference-here]. It is parsed by the transform as Key = Key1 | Key2 where Key1 consists of the first 16, 24, or 32 bytes of Key and is used as the cipher key with the underlying AES block cipher, and Key2 consists of the last 16 bytes of Key.

* Similar changes in section 4.4.1

* Section 5.1, 1st paragraph:

    ... To use this standard, a secret key consisting of 32, 40, or 48 bytes shall be associated with ...

  (and also replace "keyset" and "key pair" with "key" everywhere).

* Section 5.2:

    The value of i is used as the tweak, as defined in [4.3, 44]. This value is determined as follows: Let j be ...

* Replace the structure of the "key-material description" (the second Table 6) by the structure of Table 7 (and change the XML examples accordingly).
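
The single-key parsing in the proposed wording and the distinction between the tweak i and the derived value T, sketched in Python as an added example that is not part of the original message or of the draft standard. It assumes the usual LRW construction T = Key2 x i in GF(2^128), the modulus x^128 + x^7 + x^2 + x + 1, and a big-endian reading of 16-byte strings as field elements; the function names are hypothetical.

```python
from typing import Tuple

AES_KEY_LENGTHS = (16, 24, 32)  # Key1 sizes named in the proposed wording
KEY2_LENGTH = 16                # Key2 is the last 16 bytes of Key
LOW_TERMS = 0x87                # x^7 + x^2 + x + 1 (assumed modulus, low terms)
MASK128 = (1 << 128) - 1


def split_lrw_key(key: bytes) -> Tuple[bytes, bytes]:
    """Parse Key = Key1 | Key2 for a 32-, 40- or 48-byte LRW-AES key."""
    key1_len = len(key) - KEY2_LENGTH
    if key1_len not in AES_KEY_LENGTHS:
        raise ValueError("LRW-AES key must be 32, 40 or 48 bytes, got %d" % len(key))
    return key[:key1_len], key[key1_len:]


def gf128_mul(a: int, b: int) -> int:
    """Multiply two GF(2^128) elements, reducing by the assumed modulus."""
    if not (0 <= a <= MASK128 and 0 <= b <= MASK128):
        raise ValueError("operands must be 128-bit field elements")
    result = 0
    while b:
        if b & 1:            # add (XOR) the current multiple of a
            result ^= a
        b >>= 1
        a <<= 1              # multiply a by x ...
        if a >> 128:         # ... and fold the overflow bit back in
            a = (a & MASK128) ^ LOW_TERMS
    return result


def mask_for_block(key: bytes, i: int) -> bytes:
    """Return T for tweak i. The tweak is the public position i; T is secret."""
    _, key2 = split_lrw_key(key)
    t = gf128_mul(int.from_bytes(key2, "big"), i)
    return t.to_bytes(16, "big")


if __name__ == "__main__":
    demo_key = bytes(range(48))  # constructed sample key, not a real secret
    key1, key2 = split_lrw_key(demo_key)
    print("Key1 (AES key):", key1.hex())
    print("Key2:          ", key2.hex())
    for position in (1, 2, 3):
        print("i =", position, "T =", mask_for_block(demo_key, position).hex())
```

Only Key1 ever reaches the AES key schedule; Key2 is used solely to turn the tweak i into T.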