Re: P1619: XEX leak, correction
> you are making a whole lot of assumptions
True. I am concerned about the largest application: 100 million encrypting
disk drives used in PCs. Still, don't you think there is a difference
between storing K2 anywhere on disk or storing K2(i) in the block i, and
K2(j) in the block j? K2 is readily available in the key archive and
appears naturally in memory during key load. K2(i) and K2(j) have to be (1)
specifically computed, because the encryption setup never needs them and
(2) stored in specific locations with specific tools.
I don't say that the XEX leakage never occurs in practice, but the LRW
leakage has a much higher probability (without key blending). From the
business perspective, 100 lawsuits a year and one lawsuit in a hundred years
are only a factor of 10K different, but they can make a company profitable
or make it go under.
Your arguments are perfectly valid from the theoretical point of view, but
I have to protect the business of my employer. We have very different
concerns. A solution which makes this problem go away is trivial, so why
don't we do it in the hope of one lawsuit in a hundred years?
Shai Halevi
Sent by: stds-p1619@ieee.org
To: SISWG <stds-p1619@IEEE.ORG>
Date: 06/01/2006 04:51 PM
Subject: Re: P1619: XEX leak, correction
Laszlo.Hars wrote:
> [...] What *accidental* user activity creates such plaintexts? [...]
> [...] A normal user does not even know [...]
> [...] It never happens accidentally, and I cannot imagine how to [...]
Laszlo, you are making a whole lot of assumptions about what a "normal"
user may or may not do. These assumptions may be perfectly justified
for your applications, but in general I don't think that we should make
them.
-- Shai