Re: towards a formal statement of attack #0
> It is easy to see that passive adversary that only sees the ciphertext
> cannot make any significant use of the K2 component.
If we restrict our threat model to passive adversaries, we don't even need
K2, right? The reason for using this complicated tweaking scheme is to
protect against active adversaries, and that protection is lost if K2 is
discovered. In this light the quoted sentence is not really relevant. True?
> [at leaked K2] LRW offers only a slightly better protection than just ECB
> encryption.
That is, not enough protection, meaning, the system is broken.
> [Pi ^ i*K2 = Pj ^ j*K2] (b) can be identified even without knowing K2.
Really? How? When the adversary has identified this collision, he can also xor
the ciphertexts, with the result:
Ci ^ Cj = i*K2 ^ j*K2, or Ci ^ Cj ^ i*K2 = j*K2.
This turns the collision equation to
Pi ^ i*K2 = Pj ^ Ci ^ Cj ^ i*K2, or Pi ^ Pj = Ci ^ Cj
It means that if Pj is (partly) known, Pi is (partly) discovered, so
LRW-AES leaks like CBC. So either the statement (b) is false, or the
proposed P1619 standard leaks, and we have to start over from scratch.
From: "Shai Halevi"
Sent by: stds-p1619@ieee.org
To: stds-p1619@IEEE.ORG
Date: 06/02/2006 05:26 AM
Subject: Re: towards a formal statement of attack #0
On 6/1/06, Landon Noll wrote:
> [...]
> An attacker knows that the LRW-AES key has been encrypted
> with itself. [...]
> The attacker seeks to know all of the key (very bad), or
> enough of the LRW-AES key in order to make the exhaustive
> search for the rest of it possible.
Oh, I didn't realize that your concern was the discovery of the whole key.
In this respect LRW has no problem: the scenario of a key encrypting
itself may lead to leakage of the K2 component of the key, but recall
that the K1 component is a full AES key. So there is no exposure to
key-search here.
The problem with leaking K2 is that once an active adversary knows K2,
LRW offers only a slightly better protection than just ECB encryption.
Specifically, the attacker that knows K2 and sees ciphertext block
C in position i can instead put in position j the block C xor (Delta*K2)
(where Delta = i xor j).
This would result in position j decrypted as Pi xor (Delta*K2). In other
words, leakage of K2 lets an active adversary move plaintext blocks
with some random (but known) masking. This is the entire exposure
here.
It is easy to see that a passive adversary that only sees the ciphertext
cannot make any significant use of the K2 component. Indeed, a passive
adversary only gets information when there is a collision of the form
Pi xor i*K2 = Pj xor j*K2
and this (a) happens very rarely (since K2 is random) and (b) can be
identified even without knowing K2.
-- Shai
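The arithmetic behind both messages above, as an added worked example that is not code from the thread or from the P1619 draft: it implements LRW as C_i = E_K1(P_i xor i*K2) xor i*K2 with the tweak product taken in GF(2^128), then checks Shai's block-move forgery (C_i xor Delta*K2 placed at position j decrypts to P_i xor Delta*K2) and the collision derivation from the reply (a collision P_i xor i*K2 = P_j xor j*K2 gives C_i xor C_j = i*K2 xor j*K2 = P_i xor P_j). AES-128 under K1 is replaced by an HMAC-SHA256 Feistel permutation so the script runs with the standard library only; that stand-in, the field bit-ordering, the key values and the sample block are all assumptions of this example, and none of the attack arithmetic depends on them beyond i*K2 being linear in i.

```python
"""LRW tweak arithmetic and the two observations from the P1619 thread.

Added example, not the draft's reference code. AES-128 is replaced by a
stdlib HMAC-based Feistel PRP (assumption) so the file runs offline.
"""
import hashlib
import hmac

BLOCK_BYTES = 16
MASK128 = (1 << 128) - 1
# Reduction polynomial x^128 + x^7 + x^2 + x + 1 for GF(2^128). The
# bit-ordering convention is an assumption of this example; the attacks
# only need that i*K2 is linear in i over xor, which holds in any GF(2^128).
GF128_POLY = 0x87


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiply a*b in GF(2^128); both operands are ints < 2^128."""
    result = 0
    for _ in range(128):
        if b & 1:
            result ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & MASK128
        if carry:
            a ^= GF128_POLY
    return result


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def tweak(index: int, k2: int) -> bytes:
    """LRW tweak for block position i: the field product i*K2 as 16 bytes."""
    return gf128_mul(index, k2).to_bytes(BLOCK_BYTES, "big")


def _feistel_round(k1: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(k1, bytes([r]) + half, hashlib.sha256).digest()[:8]


def feistel_prp(k1: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """4-round Feistel network, a stdlib stand-in for AES-128 under K1
    (assumption: LRW behaves identically over any 128-bit block cipher)."""
    left, right = block[:8], block[8:]
    for r in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = xor(right, _feistel_round(k1, r, left)), left
        else:
            left, right = right, xor(left, _feistel_round(k1, r, right))
    return left + right


def lrw_encrypt(k1: bytes, k2: int, index: int, plaintext: bytes) -> bytes:
    """C_i = E_K1(P_i xor i*K2) xor i*K2."""
    t = tweak(index, k2)
    return xor(feistel_prp(k1, xor(plaintext, t)), t)


def lrw_decrypt(k1: bytes, k2: int, index: int, ciphertext: bytes) -> bytes:
    """P_i = D_K1(C_i xor i*K2) xor i*K2."""
    t = tweak(index, k2)
    return xor(feistel_prp(k1, xor(ciphertext, t), decrypt=True), t)


def forge_moved_block(k2: int, i: int, j: int, c_i: bytes):
    """Active attacker who knows K2: C_i xor (Delta*K2) with Delta = i xor j,
    written to position j, decrypts to P_i xor (Delta*K2). Returns the forged
    ciphertext and the mask the attacker knows will be applied."""
    mask = tweak(i ^ j, k2)
    return xor(c_i, mask), mask


def collision_plaintext(k2: int, i: int, j: int, p_i: bytes) -> bytes:
    """The P_j that collides with P_i in the cipher input:
    P_j xor j*K2 == P_i xor i*K2."""
    return xor(xor(p_i, tweak(i, k2)), tweak(j, k2))


def demo() -> dict:
    # Constructed keys and sample block for this example (not from the thread).
    k1 = bytes(range(16))
    k2 = int.from_bytes(hashlib.sha256(b"k2 example").digest()[:16], "big")
    i, j = 0x1234, 0x5678
    p_i = b"sector 0x1234 dt"
    c_i = lrw_encrypt(k1, k2, i, p_i)

    forged, mask = forge_moved_block(k2, i, j, c_i)
    moved = lrw_decrypt(k1, k2, j, forged)

    p_j = collision_plaintext(k2, i, j, p_i)
    c_j = lrw_encrypt(k1, k2, j, p_j)
    return {
        "roundtrip_ok": lrw_decrypt(k1, k2, i, c_i) == p_i,
        "moved_block_is_pi_xor_known_mask": moved == xor(p_i, mask),
        # the reply's derivation: C_i ^ C_j = i*K2 ^ j*K2 and P_i ^ P_j = C_i ^ C_j
        "collision_ct_xor_is_tweak_xor": xor(c_i, c_j) == xor(tweak(i, k2), tweak(j, k2)),
        "collision_pt_xor_is_ct_xor": xor(p_i, p_j) == xor(c_i, c_j),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forgery works because i*K2 xor j*K2 equals (i xor j)*K2: multiplication by a fixed field element is linear over xor, so the attacker never needs K1, only K2 and the two positions. The collision case shows the consequence the reply derives, not how a passive observer would spot the collision, which is the point the two messages disagree on.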