analysis and implementation of LRW

Peter Gutmann pgut001 at
Tue Jan 23 20:51:54 EST 2007

David Wagner <daw at> writes:

>That is indeed an interesting requirement, and one that seems to legitimately
>rule out a number of existing modes of operation for IEEE P1619.

>From reading through the followup discussions, I think there's a strong desire
to not standardise something that's very brittle (think RC4).  For example in
a later followup the same person who pointed out the LRW issues thought that
one widely-deployed implementation, TrueCrypt, might have fallen into this
trap.  Luckily it didn't, but it was a sign that LRW may be just a bit too
brittle to safely deploy, particularly when the intended audience is embedded
systems and ASIC engineers and not cryptographers.  So the current
recommendation is to go to XTS (sometimes, confusingly, referred to as XEX),
which can be implemented using existing IP blocks developed for AES-GCM.
There are already several vendors shipping IP for AES-XTS.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list