Re: [P1619-2] Some text for the Introduction of 1619.2

[David McGrew <mcgrew@xxxxxxxxx>]

Hi Shai,

thanks for writing this up, comments inline:

On Oct 13, 2008, at 9:09 AM, Shai Halevi wrote:

> I put together a few paragraphs for the introduction of 1619.2. This
> text explains the relations between .2 and .0 (and in particular also
> the differences). It is, however, quite "dry" and technical, so it
> would be nice if people can propose 1-2 more sentences. Maybe  
> something
> about how the difference between .2 and .0 is expressed in potential
> applications?
>
> -- Shai
>
>
> Introduction:
>
> The purpose of this standard, similarly to IEEE-1619-2007, is to
> describe a method of encryption for data stored in sector-based  
> devices,
> where the threat model includes possible access to stored data by the
> adversary. As in IEEE-1619-2007, this standard specifies
> length-preserving encryption transforms to be applied to the plaintext
> sector before storing it on the storage media.
>
> Differently from IEEE-1619-2007,

I suggest replacing the above with "This standard improves on  
IEEE-1619-2007; "

> the encryption transforms that are
> specified in this standard are "wide block encryption". This means  
> that
> they act on the whole sector at once, where

I suggest replacing "where" with "and".

> each bit on the input
> plaintext influences every bit of the output ciphertext (and vise- 
> versa
> for decryption). In particular, this standard specifies the EME2-AES  
> and
> the XCB-AES wide-block encryption transforms.
>
> Wide-block encryption can provide better protection than the
> narrow-block encryption from IEEE-1619-2007 against attacks that  
> involve
> traffic analysis and/or manipulations of ciphertext on the raw storage
> media.

I believe that a stronger statement than this is warranted, perhaps  
"Wide block encryption better hides plaintext statistics, and provides  
better protection ..."

best,

David