Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

[P1619-2] another P1619.2 question: the EME2 mix function



There might be a problem with EME2. Its mixing layer does not seem to be very secure:

 

If the XOR of all the ciphertext blocks PPPi of top layer of encryptors happens to be the same at two sets of input plaintext blocks, the mix value M1 remains also the same, and so each XORed value M1*a^i in the mix layer also remains the same. This happens at 50% chance among 2^64 encryption operations. Thus, if we keep the P2...Pk plaintext blocks constant for some k≤m<129, and vary the others, after 2^64 random tries we find two sets of input at 50% chance such that the corresponding ciphertext blocks C2...Ck are identical. It distinguishes EME2 from a random permutation. (When varying the address of the target sector T* would change pseudo randomly. It is just XORed to the PPPs, which does not affect the random search.)

 

A modern disk drive contains 2TB/512 ~= 2^32 sectors, which are filled up pretty soon. There are close to 10^9 ~= 2^30 encrypting disk drives manufactured a year, and so some user somewhere will find this strange situation with equal C2...Ck blocks with non-negligible probability.