On Jan 15, 2011, at 4:23 PM, Ivan Krstić wrote:
> On Jan 14, 2011, at 4:13 PM, Jon Callas wrote:
>> XTS in particular is a wide-block mode that takes a per-block tweak. This
>> means that if you are using an XTS block of 512 bytes, then a single-bit
>> change to the ciphertext causes the whole block to decrypt incorrectly. If
>> you're using a 4K data block, even better, as the single bit error
>> propagates to the whole 4K.
>
> No, XTS is not a wide-block mode. Its diffusion properties are an improvement
> upon CBC, which allows arbitrary bits to be flipped in a target block at the
> expense of randomizing the entire previous block. XTS doesn't let you do
> that; you can only randomize entire 128-bit blocks, just as with LRW and XEX
> (from which XTS is derived). Where diffusion beyond 128 bits is a
> requirement, the options are wide-block modes like CMC (now deprecated) and
> EME, or wide-block ciphers like BEAR and LION. All of these require making
> more than one pass over the data; two in the case of EME, three in the case
> of BEAR and LION.

Sorry. My brain fart on that.

Nonetheless, wide block modes are called by some people "Poor Man's
Authentication" because they approximate authentication to some degree.

Jon
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
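
Added example, not part of the original thread: it measures the diffusion difference discussed above by flipping one ciphertext bit in a 512-byte sector and counting the changed plaintext bits per 128-bit block, for an XTS-style mode and for CBC. Assumptions: a toy 4-round Feistel over SHA-256 stands in for AES so the code needs only the standard library, ciphertext stealing is omitted, and the keys, sector number and sector contents are constructed.

```python
import hashlib

BLOCK = 16  # 128-bit cipher block, as with AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 128-bit block cipher (4-round Feistel, SHA-256 round function). NOT AES.
def feistel(key, blk, decrypt=False):
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l if decrypt else l + r

def _mul_alpha(t):  # multiply the tweak by x in GF(2^128), little-endian as in XTS
    n = int.from_bytes(t, "little") << 1
    n = (n ^ 0x87 if n >> 128 else n) & ((1 << 128) - 1)
    return n.to_bytes(16, "little")

def xts_like(k1, k2, sector, data, decrypt=False):
    t, out = feistel(k2, sector.to_bytes(16, "little")), b""
    for i in range(0, len(data), BLOCK):  # each block is E(P ^ T) ^ T, no chaining
        out += _xor(feistel(k1, _xor(data[i:i + BLOCK], t), decrypt), t)
        t = _mul_alpha(t)
    return out

def cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _xor(feistel(key, blk, True), prev) if decrypt else feistel(key, _xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out

SECTOR = bytes(range(256)) * 2  # constructed 512-byte sector

def flipped_bits(encrypt, decrypt, block=5):
    """Flip one ciphertext bit in `block`; return {block index: plaintext bits changed}."""
    ct = bytearray(encrypt(SECTOR))
    ct[block * BLOCK] ^= 0x01
    diff = _xor(SECTOR, decrypt(bytes(ct)))
    chunks = (diff[i:i + BLOCK] for i in range(0, len(diff), BLOCK))
    return {i: bin(int.from_bytes(c, "big")).count("1") for i, c in enumerate(chunks) if any(c)}

K1, K2, IV = b"A" * 16, b"B" * 16, bytes(16)  # constructed keys and IV
XTS = flipped_bits(lambda d: xts_like(K1, K2, 7, d), lambda d: xts_like(K1, K2, 7, d, True))
CBC = flipped_bits(lambda d: cbc(K1, IV, d), lambda d: cbc(K1, IV, d, True))
print("XTS-style:", XTS)  # only block 5 is garbled; the other 31 blocks are intact
print("CBC:      ", CBC)  # block 5 is garbled and block 6 has exactly one bit flipped
```
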