
Re: [P1619-2] another P1619.2 question: the EME2 mix function

Let's briefly discuss this at this Wednesday's SISWG meeting.  I seem to recall that the point was brought up and discussed at the P1619.2 face-to-face meeting in San Diego a couple years ago, and the general consensus was that you should avoid encrypting an amount that is near the birthday bound of the underlying block cipher (AES).


On Mon, Mar 22, 2010 at 5:17 PM, Laszlo Hars wrote:

There might be a problem with EME2. Its mixing layer does not seem to be very secure:


If the XOR of all the ciphertext blocks PPPi of the top layer of encryptors happens to be the same for two sets of input plaintext blocks, the mix value M1 also remains the same, and so each XORed value M1*a^i in the mix layer also remains the same. This happens with 50% chance among 2^64 encryption operations. Thus, if we keep the P2...Pk plaintext blocks constant for some k≤m<129, and vary the others, after 2^64 random tries we find, with 50% chance, two sets of input such that the corresponding ciphertext blocks C2...Ck are identical. It distinguishes EME2 from a random permutation. (When varying the address of the target sector, T* would change pseudo-randomly. It is just XORed to the PPPs, which does not affect the random search.)


A modern disk drive contains 2TB/512 ~= 2^32 sectors, which are filled up pretty soon. There are close to 10^9 ~= 2^30 encrypting disk drives manufactured a year, and so some user somewhere will find this strange situation with equal C2...Ck blocks with non-negligible probability.


Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Principal Software Engineer, Oracle USA, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717
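The birthday-bound rule Matt mentions, applied to the numbers in Laszlo's message, as an added example that is not from the thread or from the P1619.2 draft: it uses the standard birthday approximation for q random b-bit values (assumed here) and models nothing of EME2's internals beyond M1 being a 128-bit value.

```python
import math

# Standard birthday-bound approximation for q uniformly random b-bit values:
#   P(at least one repeat) ~= 1 - exp(-q(q-1) / 2^(b+1))
# Python ints keep q(q-1) exact even for q = 2^64, so the only rounding is in
# the final float conversion.
def collision_probability(q: int, bits: int) -> float:
    """Probability that q random `bits`-bit values contain a repeat."""
    if q < 2:
        return 0.0
    exponent = -(q * (q - 1)) / (2 ** (bits + 1))
    # -expm1(x) == 1 - exp(x), and stays accurate when the result is tiny
    return -math.expm1(exponent)

def max_queries(bits: int, p_max: float) -> int:
    """Largest q that keeps P(repeat) <= p_max (inverts the bound above)."""
    # q(q-1) <= -ln(1 - p_max) * 2^(bits+1); solve q^2 - q - budget <= 0
    budget = -math.log1p(-p_max) * 2.0 ** (bits + 1)
    return int((1 + math.sqrt(1 + 4 * budget)) / 2)

def eme2_mix_collision_odds() -> dict:
    """Apply the bound to the thread's figures (AES: M1 is a 128-bit value)."""
    return {
        # 2^64 encryptions with varying inputs: a repeat of M1 is roughly a coin flip
        "p_collision_after_2^64": collision_probability(2 ** 64, 128),
        # Per-key usage limit if we want repeat odds no worse than 2^-32
        "max_blocks_for_2^-32": max_queries(128, 2.0 ** -32),
    }

if __name__ == "__main__":
    for name, value in eme2_mix_collision_odds().items():
        print(f"{name}: {value:.6g}")
```

The second figure is the kind of per-key data limit a storage design can enforce to stay well away from the bound rather than relying on users never approaching 2^64 blocks.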