analysis and implementation of LRW
David Wagner
daw at cs.berkeley.edu
Mon Jan 22 19:22:32 EST 2007
Jim Hughes writes:
>The IEEE P1619 standard group has dropped LRW mode. It has a
>vulnerability in that there are collisions that will divulge the mixing
>key, which will reduce the mode to ECB.
This is interesting. Could you elaborate on this? I suspect we could
all learn from the work the IEEE P1619 working group is doing.
I tried to trawl the P1619 mailing list archives to find some detailed
analysis on the topic of collisions, as you suggested, but I probably
wasn't looking in the right places. The closest I found was this message:
http://grouper.ieee.org/groups/1619/email/msg01322.html
which estimates that if one continuously accesses the disk for 4.6
years (roughly the average lifetime of a disk), the chances of seeing
a collision are about 1/2^29. Is that the analysis that triggered the
concern over collisions?
Are there modes that beat the birthday bound on collisions while using
a 128-bit block cipher? Are they proven secure beyond the birthday bound?
I'm a little behind on the latest developments in modes of operation.
It would be interesting to hear more about any interesting technical
developments from the P1619 group.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
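The collision concern raised in the thread, as an added example that is not part of the original e-mail exchange: a toy LRW implementation (C = E_K1(P xor K2*T) xor K2*T, with the multiplication in GF(2^128)) together with the known-plaintext attack in which a collision of block-cipher inputs reveals the mixing key K2, after which a ciphertext block can be moved between sectors like an ECB block. The block cipher is a stand-in four-round Feistel permutation built from SHA-256 (an assumption made so the script runs with only the standard library; the attack relies only on E_K1 being a permutation, so it applies unchanged to AES). The sector numbers and plaintexts are constructed sample data, and `colliding_plaintext` uses K2 to force the collision that an attacker would otherwise have to wait for; `birthday_collision_probability` is the n(n-1)/2^129 estimate, which equals 2^-29 at about 2^50 blocks, a handy check against the figure quoted from the P1619 list.

```python
"""Added example (not from the thread): toy LRW and the collision-leaks-K2
attack.  E_K1 is a stand-in Feistel permutation over SHA-256 (assumption)."""
import hashlib
import math
import secrets

MASK64 = (1 << 64) - 1
# GF(2^128) reduction polynomial x^128 + x^7 + x^2 + x + 1, as used by LRW/XTS.
POLY = (1 << 128) | 0x87


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^128) elements held as 128-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= POLY
    return r


def gf_inv(a: int) -> int:
    """Inverse in GF(2^128) via a^(2^128 - 2); a must be non-zero."""
    result, exp = 1, (1 << 128) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exp >>= 1
    return result


def _round(k1: bytes, i: int, half: int) -> int:
    data = k1 + bytes([i]) + half.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def block_encrypt(k1: bytes, x: int) -> int:
    """Stand-in 128-bit block cipher E_K1 (4-round Feistel, SHA-256 rounds)."""
    l, r = x >> 64, x & MASK64
    for i in range(4):
        l, r = r, l ^ _round(k1, i, r)
    return (l << 64) | r


def block_decrypt(k1: bytes, y: int) -> int:
    l, r = y >> 64, y & MASK64
    for i in reversed(range(4)):
        l, r = r ^ _round(k1, i, l), l
    return (l << 64) | r


def lrw_encrypt(k1: bytes, k2: int, tweak: int, p: int) -> int:
    """LRW: C = E_K1(P xor K2*T) xor K2*T, with K2*T computed in GF(2^128)."""
    mask = gf_mul(k2, tweak)
    return block_encrypt(k1, p ^ mask) ^ mask


def lrw_decrypt(k1: bytes, k2: int, tweak: int, c: int) -> int:
    mask = gf_mul(k2, tweak)
    return block_decrypt(k1, c ^ mask) ^ mask


def recover_k2(t_i, p_i, c_i, t_j, p_j, c_j):
    """Known-plaintext attack.  If the cipher inputs P_i ^ K2*T_i and
    P_j ^ K2*T_j collide, the outputs collide too, so C_i ^ C_j = K2*(T_i ^ T_j)
    = P_i ^ P_j.  That equality is observable; dividing by T_i ^ T_j gives K2.
    Returns K2, or None if this pair did not collide."""
    if t_i == t_j or (c_i ^ c_j) != (p_i ^ p_j):
        return None
    return gf_mul(p_i ^ p_j, gf_inv(t_i ^ t_j))


def colliding_plaintext(k2, t_i, p_i, t_j):
    """Demo helper only: uses K2 to build P_j so that the cipher inputs collide.
    A real attacker waits for this to happen by chance (birthday bound)."""
    return p_i ^ gf_mul(k2, t_i ^ t_j)


def remask_ciphertext(k2, c_a, t_a, t_b):
    """With K2 known LRW is ECB with a known mask: the ciphertext block from
    tweak T_a, moved to tweak T_b, decrypts there to P_a ^ K2*(T_a ^ T_b)."""
    return c_a ^ gf_mul(k2, t_a ^ t_b)


def birthday_collision_probability(n_blocks: int) -> float:
    """Pr[some pair among n 128-bit cipher inputs collides] ~ n(n-1)/2^129."""
    return n_blocks * (n_blocks - 1) / 2 / 2.0 ** 128


if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(16), secrets.randbits(128) | 1
    t_i, t_j = 1000, 1003  # sector numbers used as tweaks (constructed sample)
    p_i = int.from_bytes(b"sector 1000 data", "big")
    p_j = colliding_plaintext(k2, t_i, p_i, t_j)
    c_i, c_j = lrw_encrypt(k1, k2, t_i, p_i), lrw_encrypt(k1, k2, t_j, p_j)
    print("K2 recovered:", recover_k2(t_i, p_i, c_i, t_j, p_j, c_j) == k2)
    moved = remask_ciphertext(k2, c_i, t_i, t_j)
    print("moved block decrypts as predicted:",
          lrw_decrypt(k1, k2, t_j, moved) == p_i ^ gf_mul(k2, t_i ^ t_j))
    print("log2 Pr[collision] at 2^50 blocks: %.2f"
          % math.log2(birthday_collision_probability(2 ** 50)))
```

The detection condition C_i ^ C_j == P_i ^ P_j is what makes the collision exploitable without knowing K2 in advance: it holds whenever the two cipher inputs coincide, and also by chance with probability 2^-128, so a candidate K2 should be confirmed against a third known pair before use.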