RE: towards a formal statement of attack #1 (was RE: is it "randomized"?)
Pardon me Shai: I hope you don't mind me elevating this particular
part of this particular discussion back to the reflector. I
think it might be useful for others to see this reply.
> Landon Noll wrote:
> > An attacker attempts to exploit a flaw in LRW-AES by
> > modifying single bits in a block of cipher text in the
> > hopes they can flip, with better than pure random
> > chance, bits in the resulting decryption.
> >
> > The question is, can such an attack succeed?
>
> This is an easy one to answer: any success in doing that will
> be a direct break of AES. From this perspective you should
> trust LRW-AES at least as much as you do AES itself.
I, for one, need to understand how a success on LRW-AES
implies a flaw in AES itself. Perhaps you are correct,
but at the moment I don't see the connection ...
> When you have a cryptosystem that has a proof of security
> (such as LRW), the types of attacks that are possible are:
>
> (a) Attacks outside the model in which the proof was staged, or
Yes. One of my doubts is if attack #1 is outside the model
in which the proof was staged and ...
> (b) Attacks that succeed with probability (at most) the bounds that
> were stated in the security proof.
I agree. And there are others:
(c) The scope of the model in which the proof was staged is
too narrow to be of practical use.
{sort of a more general case of (a)}
(d) The proof is flawed.
Well hopefully not (d), but then again it wouldn't be the first time
that a flawed proof was published! :-)
> The attack that you described is clearly covered by the
> security-proof of LRW. You can read (an upper bound on) the
> success probability of such attacks directly from the theorem
> stated in the paper of Liskov et al.
Just to be sure, are you referring to this paper?
http://www.cs.berkeley.edu/~daw/papers/tweak-crypto02.pdf
If so I'll re-review it in detail over the US holiday weekend.
chongo () /\oo/\
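The following is an added illustration of the bit-flipping scenario quoted above; it is not code from this thread, from the IEEE P1619 drafts, or from the Liskov et al. paper. It implements LRW over AES as C = AES_K1(P xor T) xor T with T = K2 * i in GF(2^128), flips one ciphertext bit, decrypts, and measures how many plaintext bits change. The reason Shai's answer holds is visible in the algebra: the tweak is XORed on both sides, so if C' = C xor e_j then P' xor P = D_K1(X xor e_j) xor D_K1(X) with X = C xor T. The tweak cancels in the difference, and any bias an attacker could find in P' xor P would be a differential property of AES itself. Assumptions made here: the GF(2^128) byte/bit encoding and reduction polynomial (big-endian, low bit of byte 15 is x^0, reduction by x^128+x^7+x^2+x+1), block indices starting at 0, and the constructed non-secret demo keys and plaintexts; the real LRW-AES draft fixes its own encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
)

const blockSize = 16 // AES block and LRW tweak size in bytes

// LRW is the Liskov-Rivest-Wagner tweakable cipher over AES:
//   T = K2 * idx   (multiplication in GF(2^128), idx = block index)
//   C = AES_K1(P xor T) xor T
// GF(2^128) encoding is an assumption for this demo: big-endian bytes,
// coefficient of x^0 in the low bit of byte 15, reduction by x^128+x^7+x^2+x+1.
type LRW struct {
	aes cipher.Block
	k2  [blockSize]byte
}

// NewLRW takes a 16/24/32-byte AES key K1 and a 16-byte tweak key K2.
func NewLRW(k1, k2 []byte) (*LRW, error) {
	if len(k2) != blockSize {
		return nil, fmt.Errorf("K2 must be %d bytes, got %d", blockSize, len(k2))
	}
	b, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	l := &LRW{aes: b}
	copy(l.k2[:], k2)
	return l, nil
}

// gf128Mul returns a*b in GF(2^128) under the encoding described on LRW.
func gf128Mul(a, b [blockSize]byte) [blockSize]byte {
	var z [blockSize]byte
	v := a // v holds a * x^i at iteration i
	for i := 0; i < 128; i++ {
		if (b[15-i/8]>>uint(i%8))&1 == 1 { // coefficient of x^i in b
			for j := range z {
				z[j] ^= v[j]
			}
		}
		carry := v[0] >> 7 // v *= x: shift left one bit, reduce if x^128 appears
		for j := 0; j < blockSize-1; j++ {
			v[j] = v[j]<<1 | v[j+1]>>7
		}
		v[blockSize-1] <<= 1
		if carry == 1 {
			v[blockSize-1] ^= 0x87
		}
	}
	return z
}

// tweak computes T = K2 * idx with idx as a big-endian 128-bit integer.
func (l *LRW) tweak(idx uint64) [blockSize]byte {
	var i [blockSize]byte
	binary.BigEndian.PutUint64(i[8:], idx)
	return gf128Mul(l.k2, i)
}

func xorBlock(dst, src []byte, t [blockSize]byte) {
	for j := 0; j < blockSize; j++ {
		dst[j] = src[j] ^ t[j]
	}
}

// EncryptBlock encrypts one 16-byte block stored at block index idx.
func (l *LRW) EncryptBlock(p []byte, idx uint64) []byte {
	t := l.tweak(idx)
	x := make([]byte, blockSize)
	xorBlock(x, p, t)
	l.aes.Encrypt(x, x)
	xorBlock(x, x, t)
	return x
}

// DecryptBlock inverts EncryptBlock.
func (l *LRW) DecryptBlock(c []byte, idx uint64) []byte {
	t := l.tweak(idx)
	x := make([]byte, blockSize)
	xorBlock(x, c, t)
	l.aes.Decrypt(x, x)
	xorBlock(x, x, t)
	return x
}

// Weight counts the set bits of a mask.
func Weight(mask []byte) int {
	n := 0
	for _, b := range mask {
		n += bits.OnesCount8(b)
	}
	return n
}

// FlipDiff returns P xor P', where P' is the decryption of P's ciphertext
// with ciphertext bit `bit` (0..127, LSB-first within each byte) flipped.
func (l *LRW) FlipDiff(p []byte, idx uint64, bit int) []byte {
	c := l.EncryptBlock(p, idx)
	c[bit/8] ^= 1 << uint(bit%8)
	p2 := l.DecryptBlock(c, idx)
	d := make([]byte, blockSize)
	for j := range d {
		d[j] = p[j] ^ p2[j]
	}
	return d
}

// MeanFlipEffect averages the number of changed plaintext bits over all 128
// single-bit ciphertext flips of one block; AES diffusion puts this near 64.
func (l *LRW) MeanFlipEffect(p []byte, idx uint64) float64 {
	total := 0
	for bit := 0; bit < 128; bit++ {
		total += Weight(l.FlipDiff(p, idx, bit))
	}
	return float64(total) / 128
}

// AlwaysFlipped returns the mask of plaintext bits that changed in every one
// of `trials` blocks (indices 0..trials-1, constructed plaintexts) when the
// same ciphertext bit is flipped. A nonzero mask would be a controllable
// change of the kind the attack hopes for; with AES it comes out all zero.
func (l *LRW) AlwaysFlipped(bit int, trials uint64) []byte {
	mask := make([]byte, blockSize)
	for j := range mask {
		mask[j] = 0xff
	}
	for idx := uint64(0); idx < trials; idx++ {
		p := make([]byte, blockSize) // constructed plaintext derived from idx
		binary.LittleEndian.PutUint64(p, idx*0x9e3779b97f4a7c15)
		for j, b := range l.FlipDiff(p, idx, bit) {
			mask[j] &= b
		}
	}
	return mask
}

// DemoCipher builds an LRW instance under constructed, non-secret demo keys.
func DemoCipher() *LRW {
	l, err := NewLRW([]byte("demo-aes-key-k1!"), []byte("demo-tweak-key-2"))
	if err != nil {
		panic(err)
	}
	return l
}

func main() {
	l := DemoCipher()
	p := []byte("sixteen byte blk")
	fmt.Printf("mean plaintext bits changed per ciphertext bit flip: %.2f\n", l.MeanFlipEffect(p, 7))
	fmt.Printf("plaintext bits flipped in all of 64 trials: %d\n", Weight(l.AlwaysFlipped(5, 64)))
}
```

Running it prints a mean close to 64 and zero always-flipped bits: a single ciphertext bit flip scrambles roughly half the plaintext block with no bit position the attacker controls, which is exactly the bound one would read from the LRW theorem under the assumption that AES is a good pseudorandom permutation.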