On Jan 14, 2011, at 4:13 PM, Jon Callas wrote:

> XTS in particular is a wide-block mode that takes a per-block tweak. This
> means that if you are using an XTS block of 512 bytes, then a single-bit
> change to the ciphertext causes the whole block to decrypt incorrectly. If
> you're using a 4K data block, even better, as the single bit error propagates
> to the whole 4K.

No, XTS is not a wide-block mode. Its diffusion properties are an improvement upon CBC, which allows arbitrary bits to be flipped in a target block at the expense of randomizing the entire previous block. XTS doesn't let you do that; you can only randomize entire 128-bit blocks, just as with LRW and XEX (from which XTS is derived).

Where diffusion beyond 128 bits is a requirement, the options are wide-block modes like CMC (now deprecated) and EME, or wide-block ciphers like BEAR and LION. All of these require making more than one pass over the data; two in the case of EME, three in the case of BEAR and LION.

Cheers,

--
Ivan Krstić <[email protected]> | http://radian.org

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
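
The diffusion difference described in the reply above, as an added example that is not part of the original email: one ciphertext bit is flipped in a 512-byte sector under an XEX/XTS-style mode and under CBC, and the damaged 128-bit plaintext blocks are reported. Assumptions: a toy Feistel permutation built from SHA-256 stands in for AES, ciphertext stealing is omitted, and all keys, names and data are constructed for illustration.

```python
import hashlib

BLOCK = 16  # 128-bit cipher block, the same size as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, decrypt=False):
    # Toy 4-round Feistel permutation standing in for AES (assumption; not secure).
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l if decrypt else l + r

def _mul_alpha(t):
    # Multiply the tweak by x in GF(2^128), as XTS does from one block to the next.
    n = int.from_bytes(t, "little") << 1
    return ((n & ((1 << 128) - 1)) ^ (0x87 if n >> 128 else 0)).to_bytes(16, "little")

def xex_sector(k1, k2, sector_no, data, decrypt=False):
    # XEX/XTS structure: out_j = E_k1(in_j xor T_j) xor T_j, each block independent.
    out, t = b"", feistel(k2, sector_no.to_bytes(16, "little"))
    for i in range(0, len(data), BLOCK):
        out += _xor(feistel(k1, _xor(data[i:i + BLOCK], t), decrypt), t)
        t = _mul_alpha(t)
    return out

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        res = _xor(feistel(key, blk, True), prev) if decrypt else feistel(key, _xor(blk, prev))
        out, prev = out + res, (blk if decrypt else res)
    return out

def damaged_blocks(mode, flip_at=5 * BLOCK):
    # Returns {block index: plaintext XOR difference} after one flipped ciphertext bit.
    k1, k2, iv = b"A" * 16, b"B" * 16, b"C" * 16  # constructed keys and IV
    pt = bytes(range(256)) * 2                    # constructed 512-byte sector
    run = lambda d, dec=False: xex_sector(k1, k2, 7, d, dec) if mode == "xex" else cbc(k1, iv, d, dec)
    ct = bytearray(run(pt))
    ct[flip_at] ^= 1                              # single-bit ciphertext change
    diff = _xor(pt, run(bytes(ct), True))
    return {i // BLOCK: diff[i:i + BLOCK].hex()
            for i in range(0, len(pt), BLOCK) if any(diff[i:i + BLOCK])}

if __name__ == "__main__":
    print(damaged_blocks("xex"), damaged_blocks("cbc"))
```

Under the XEX/XTS-style mode only block 5 of the 32 blocks in the sector changes; under CBC block 5 is randomized and block 6 differs in exactly the flipped bit.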
