In section 5.2, Page 12, need to add a paragraph saying: Note: Be careful in your implementation. The least significant bit of the tweak value in this encoding is the right-most bit, which is different than the encoding used in the Galois multiply (section 4.1), where the least significant bit is the left-most bit.
Rationale: The implementation, as demonstrated by example "LRW-AES with 32-byte key material applied to 33-byte cleartext" on Page 20 is confusing. For the purposes of the Galois multiply, we considered the I-value (the tweak value) to have its least significant bit at the left. For the increment from one cipher block to the next, we treat that value with the least significant bit on the right. At the very least, this seems very likely to lead to implementation difficulties. It also seems to contradict the optimization presented on page ...Garry McCracken / Rob Ewan
