[Cryptography] mode of operation for file encryption

sebastien riou 2357bc at gmail.com
Wed Sep 2 11:09:14 EDT 2015

> Your made-up mode is: C = AES-ECB(k, P xor IV xor BlockIndex)
> If (P_i xor i) = (P_j xor j), then C_i = C_j. If someone sees any
> identical output blocks, they learn (P_i xor P_j) = (i xor j). That's
> information about the plaintext.
> If you don't see any identical blocks of output, you also learn that
> no pairs of plaintext satisfy that relationship. Again, that's
> information about the plaintext.

Right!! Thanks for pointing that out.

That explain the GF128 multiplication and the first xor in XEX: there
is need for a good mixing of the block index with some additional
secret key material before xoring the plain text.

But now I am wondering, what value the final xor in XEX is adding ? (I
don't question that it should be done, its cost is really
insignificant compared to the GF128 multiplication, just curious about
which twisted attack it aims to prevent)

More information about the cryptography mailing list