RE: p1619 (disk): Security level of LRW
> > However, I believe it is not statistically
> > possible for an attacker to identify such a collision,
>
> Of course there is. A collision is just as fatal, no matter what you
> use to process the I component.
Sorry, I forgot to say how you identify collisions: If you encrypt
(X,I) to get Z and encrypt (X',I') to get Z', then the condition
X xor X' = Z xor Z'
identifies a collision (with good probability). For those who like math
equations, assuming that all the ciphers there are replaced with truly
random functions, you have for every specific pair (X,I) != (X',I')
Pr[collision] = 1/2^128
Pr[X xor X' = Z xor Z' | collision] = 1
Pr[X xor X' = Z xor Z' | no collision] = 1/2^128
This means that Pr[X xor X' = Z xor Z'] ~ 2/2^128, and therefore
Pr[collision | X xor X' = Z xor Z']
= Pr[collision and X xor X' = Z xor Z'] / Pr[X xor X' = Z xor Z']
~ (1/2^128) / (2/2^128) = 1/2
(compared to the a priori probability of collision which is 1/2^128).
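Added worked example (not part of the original post or of the P1619 draft): a small Python simulation of LRW with the tweak T = K2 * I over GF(2^128) and, as the post suggests, the block cipher replaced by a keyed random function (a SHA-256 stand-in, not AES; that substitution and all keys/values are constructed for this example). It shows that a genuine collision of the cipher inputs X xor T = X' xor T' always satisfies X xor X' = Z xor Z', that an unrelated pair does not, and it carries out the Bayes computation above exactly with fractions.

```python
import hashlib
from fractions import Fraction

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1
REDUCTION = 0x87  # x^128 + x^7 + x^2 + x + 1, the GF(2^128) polynomial used by LRW/XTS


def gf128_mul(a: int, b: int) -> int:
    """Multiply two 128-bit ints as polynomials over GF(2), reduced mod the LRW polynomial."""
    acc = 0
    for _ in range(BLOCK_BITS):
        if b & 1:
            acc ^= a
        b >>= 1
        overflow = a >> (BLOCK_BITS - 1)
        a = (a << 1) & MASK
        if overflow:
            a ^= REDUCTION
    return acc


def random_function_stand_in(k1: bytes, block: int) -> int:
    """Stand-in for the block cipher E_K1: a SHA-256-keyed 128-bit 'random function'.
    Assumption of this example (the post models the cipher as a truly random function);
    it is not AES and is not invertible, which is irrelevant for the collision argument."""
    digest = hashlib.sha256(k1 + block.to_bytes(16, "big")).digest()
    return int.from_bytes(digest[:16], "big")


def lrw_encrypt(k1: bytes, k2: int, x: int, i: int) -> int:
    """LRW: T = K2 * I in GF(2^128), Z = E_K1(X xor T) xor T."""
    t = gf128_mul(k2, i)
    return random_function_stand_in(k1, x ^ t) ^ t


def collision_check(x: int, z: int, x2: int, z2: int) -> bool:
    """The condition from the post: X xor X' == Z xor Z' flags a likely collision
    of the cipher inputs X xor T and X' xor T' (false positive rate 1/2^128)."""
    return (x ^ x2) == (z ^ z2)


def make_colliding_pair(k1: bytes, k2: int, x: int, i: int, i2: int):
    """Simulator that knows the keys: choose X' so that X xor T == X' xor T'.
    Used only to show that a genuine collision always passes collision_check."""
    t, t2 = gf128_mul(k2, i), gf128_mul(k2, i2)
    x2 = x ^ t ^ t2
    return x2, lrw_encrypt(k1, k2, x, i), lrw_encrypt(k1, k2, x2, i2)


def posterior_collision_given_match(n_bits: int = BLOCK_BITS) -> Fraction:
    """Exact Bayes computation behind the post's ~1/2 estimate:
    Pr[collision | match] = Pr[collision] / Pr[match] = 1 / (2 - 1/2^n)."""
    p = Fraction(1, 2 ** n_bits)      # Pr[collision] = Pr[match | no collision]
    pr_match = p * 1 + (1 - p) * p    # Pr[X xor X' == Z xor Z']
    return p / pr_match


if __name__ == "__main__":
    k1 = b"\x11" * 16                                   # constructed demo keys
    k2 = 0x0123456789ABCDEF0123456789ABCDEF
    x = int.from_bytes(b"plaintext block!", "big")      # constructed 128-bit block
    x2, z, z2 = make_colliding_pair(k1, k2, x, 5, 9)    # sectors 5 and 9
    print("genuine collision flagged:", collision_check(x, z, x2, z2))
    z_other = lrw_encrypt(k1, k2, x ^ 1, 5)
    print("unrelated pair flagged:   ", collision_check(x, z, x ^ 1, z_other))
    print("Pr[collision | match] ~", float(posterior_collision_given_match()))
```

Why the check is exact for a real collision: if X xor T = X' xor T', the cipher sees the same input, so Z xor T = Z' xor T', and XORing the two equalities gives X xor X' = T xor T' = Z xor Z'. For a non-colliding pair the two random outputs agree on that difference only by chance, which is the 1/2^128 term in the post.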