Shai,

>> Therefore, it is not true, that the plaintext is *randomized*,
>> contrary to the common beliefs.

> This last sentence is plain wrong.
> The plaintext is randomized, over a set whose size is 2^n-1
> ... you will never get the original plaintext back.

Despite your vehement denial, we say exactly the same thing. Changing the ciphertext makes the deciphered plaintext different. This gives you exactly one bit of information: a change happened. A true randomization would give you 0 information. (Of course, with very high probability I could still tell if there was a change.)

You completely misunderstood the attack. I did not say I would learn anything meaningful about the plaintext, but this one bit makes the encryption malleable. To repeat the main points of the first attack: if, in the first block, there is a test checking whether the second block is 0, any change of the second 16-byte ciphertext block will make this test fail, so another branch will be taken. If I convinced you to store this file, and soon after that I can access your disk, I will be able to change the file to another valid one, as I had prepared to take advantage of this manipulation. And there is the backdoor-opening attack, too.

LRW-AES is malleable in this sense. Authentication or access control would prevent this, but they are explicitly denied. I did not say, either, that LRW-AES has a special weakness, because any encryption scheme under the above restrictions will be similarly malleable. But it was misleading to suggest that LRW-AES protects fully against ciphertext manipulation attacks.

Laszlo

> -------- Original Message --------
> Subject: Re: Shared media for LRW means shared crypto access
> From: Shai Halevi <[EMAIL PROTECTED]>
> Date: Wed, May 24, 2006 2:21 pm
> To: SISWG <[EMAIL PROTECTED]>
>
> [EMAIL PROTECTED] wrote:
> > [...] However, being a one-to-one
> > mapping, one important manipulation is still possible: changing the
> > ciphertext will cause the deciphered plaintext to be different.
> > Therefore, it is not true, that the plaintext is *randomized*,
> > contrary to the common beliefs.
>
> This last sentence is plain wrong.
>
> The plaintext is randomized, over a set whose size is 2^n-1 instead of
> 2^n. You will never detect the difference between this and a set of size
> 2^n in your lifetime. Put in other words, even if this was truly random
> (rather than "truly random but different than the original text" as
> it is in LRW) you will never get the original plaintext back. For all
> intents and purposes the plaintext is randomized.
>
> >> Because of the environment being protected, there was the additional
> >> requirement that LRW be length-preserving.
> >
> > I don't think this requirement has anything to do with environment
> > protection ;-) . It is only a practical convenience, and its importance
> > is controversial.
>
> I fully agree here. There may be cases where length-preserving encryption
> is absolutely needed, but I'm very skeptical about there being many such
> cases.
>
> -- Shai
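The first attack Laszlo describes, and the "2^n-1" point Shai makes, as an added worked example that is not part of the thread above and not anyone's code from SISWG. It implements LRW mode (C_i = E_K1(P_i xor T_i) xor T_i, tweak T_i = K2 multiplied by the block index in GF(2^128)) over a 3-block "file" whose second block is all zero, then lets a keyless attacker flip bits in the second ciphertext block. Assumptions of this script: AES is replaced by a toy Feistel permutation built from SHA-256 so the code runs on the Python standard library (any block cipher gives the same result, since LRW is a per-block bijection); block indices start at 1; the keys, the file contents and all function names are constructed for the example.

```python
import hashlib

BLOCK = 16                  # LRW-AES works on 128-bit blocks
K1 = bytes(range(16))       # block-cipher key (constructed test value)
K2 = bytes(range(16, 32))   # LRW tweak key, must be nonzero (constructed)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed Feistel round function from SHA-256, truncated to 64 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: a 6-round Feistel permutation on 16-byte blocks.
    Not a secure cipher; it only keeps the script on the standard library.
    The malleability below holds for any E_K, because LRW stays a
    per-block one-to-one mapping whatever block cipher is plugged in."""
    left, right = block[:8], block[8:]
    for rnd in range(6):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(6)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def gf128_mul(x: int, y: int) -> int:
    """Multiplication in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    r, mask = 0, (1 << 128) - 1
    for _ in range(128):
        if y & 1:
            r ^= x
        y >>= 1
        carry = x >> 127
        x = (x << 1) & mask
        if carry:
            x ^= 0x87
    return r


def lrw(k1: bytes, k2: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """LRW: C_i = E_K1(P_i xor T_i) xor T_i with tweak T_i = K2 (x) i.
    Blocks are numbered from 1 here (an assumption of this script) so no
    block gets the all-zero tweak. Decryption is the same with D_K1."""
    assert len(data) % BLOCK == 0
    f = block_decrypt if decrypt else block_encrypt
    k2_int, out = int.from_bytes(k2, "big"), bytearray()
    for i in range(len(data) // BLOCK):
        t = gf128_mul(k2_int, i + 1).to_bytes(BLOCK, "big")
        out += _xor(f(k1, _xor(data[i * BLOCK:(i + 1) * BLOCK], t)), t)
    return bytes(out)


def branch_taken(plaintext: bytes) -> str:
    """The test from the thread: code in block 1 branches on whether
    block 2 (bytes 16..31) is all zero."""
    return "zero-branch" if plaintext[BLOCK:2 * BLOCK] == bytes(BLOCK) else "other-branch"


def flip_bit(ciphertext: bytes, bit: int) -> bytes:
    """What an attacker with disk access and no key can do: flip one bit
    of ciphertext block 2."""
    buf = bytearray(ciphertext)
    buf[BLOCK + bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def demo() -> dict:
    # Constructed 3-block "file": a test in block 1, all-zero block 2, data in block 3.
    file_plain = b"test block2==0 ?" + bytes(BLOCK) + b"payload block 3 "
    ct = lrw(K1, K2, file_plain)
    assert lrw(K1, K2, ct, decrypt=True) == file_plain  # sanity: round-trips

    block2_results, others_intact = set(), True
    for bit in range(8 * BLOCK):                 # every single-bit change to block 2
        pt = lrw(K1, K2, flip_bit(ct, bit), decrypt=True)
        block2_results.add(pt[BLOCK:2 * BLOCK])
        # Narrow-block mode: blocks 1 and 3 decrypt exactly as before.
        others_intact &= pt[:BLOCK] == file_plain[:BLOCK] and pt[2 * BLOCK:] == file_plain[2 * BLOCK:]

    tampered = lrw(K1, K2, flip_bit(ct, 0), decrypt=True)
    return {
        "original_branch": branch_taken(file_plain),
        "tampered_branch": branch_taken(tampered),      # the "is block 2 zero?" test now fails
        "other_blocks_intact": others_intact,
        "distinct_block2_values": len(block2_results),  # 128 flips, 128 different plaintexts
        "zero_block_recovered": bytes(BLOCK) in block2_results,  # never the original
    }
```

Running `demo()` shows the two things both sides of the thread agree on: every one of the 128 single-bit changes to the second ciphertext block yields a different, nonzero second plaintext block (the "set of size 2^n-1", never the original), while blocks 1 and 3 are untouched because LRW is a narrow-block mode. That is exactly what turns the "is block 2 zero?" test into a branch the attacker controls without knowing K1 or K2. A MAC or access control over the file would catch the flipped bit, which is the "authentication or access control" the thread says is explicitly denied in this setting.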
