From: Adam J. Richter <adam@...>
Subject: Re: The IV Problem of dm-crypt : is it secure nevertheless?
Newsgroups: gmane.linux.kernel.device-mapper.dm-crypt
Date: 2004-09-13 02:38:19 GMT
On Sun, 12 Sep 2004 23:13:16 +0200, Fruhwirth Clemens wrote:

>SALT = Hash(KEY)
>IV = E(SALT,sectornumber)

	I see no problem with precomputing a hash of the key
as you suggest if that will provide some speed advantage.  However,
I see a small drawback to your initial value computation.

	If a byte is changed in the middle of a sector, an adversary
who has access to the ciphertext (for example, if you're running on
a remote network disk) will see that the encryption blocks within
the sector prior to that byte remain the same.  This is a small
problem, given that such an adversary could already see what sectors
are being changed, but Colin Plumb's hashing scheme does not have
that problem.  Plumb's scheme was to use the plaintext of the 2nd
through last cipher blocks as part of the hash (you cannot hash in
the first cipher block, because that would make decryption of the
first cipher block impossible, because you couldn't compute its IV
even when you have the key).  To put it algebraically:

	IV = Hash(plaintext[cipherblocksize..sectorsize-1], whatever)

>This scheme can easily be implemented and seems, at the first glance,
>secure, but I hesitated to advertise it, since I wanted to do further
>investigations about the mathematical properties involved. The
>performance impact of this scheme is 6%.

	I'd be interested in knowing more precisely what you
measured.  That number seems shockingly high if it includes
the time used to encrypt the actual sectors, not just compute
the initial values.

                    __     ______________
Adam J. Richter        \ /
adam@...      | g g d r a s i l
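The two IV derivations discussed in this thread side by side, as an added example that is not code from either poster or from dm-crypt: it assumes AES-256-CBC, SHA-256 as the hash, the sector number as the "whatever" term in Plumb's hash, and a little-endian sector encoding. It flips one byte in the middle of a sector and lists which cipher blocks an observer of the ciphertext would see change under each scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes; a 512-byte sector is 32 cipher blocks

// sectorIV: plumb=false is the quoted SALT = Hash(KEY), IV = E(SALT, sectornumber);
// plumb=true is Plumb's IV = Hash(plaintext[bs..], sectornumber), skipping block 0 so the decryptor can recompute it.
func sectorIV(key, plain []byte, sector uint64, plumb bool) []byte {
	sec := make([]byte, bs)
	binary.LittleEndian.PutUint64(sec, sector) // little-endian encoding is an assumption
	if plumb {
		h := sha256.Sum256(append(append([]byte{}, plain[bs:]...), sec[:8]...))
		return h[:bs]
	}
	salt := sha256.Sum256(key)
	blk, _ := aes.NewCipher(salt[:]) // 32-byte salt selects AES-256; cannot fail
	iv := make([]byte, bs)
	blk.Encrypt(iv, sec)
	return iv
}

// changedBlocks encrypts p1 and p2 as the same sector (AES-256-CBC) and returns the
// indices of cipher blocks that differ: what someone watching a remote disk sees move.
func changedBlocks(key, p1, p2 []byte, sector uint64, plumb bool) (idx []int) {
	blk, _ := aes.NewCipher(key) // 32-byte key; cannot fail
	c1, c2 := make([]byte, len(p1)), make([]byte, len(p2))
	cipher.NewCBCEncrypter(blk, sectorIV(key, p1, sector, plumb)).CryptBlocks(c1, p1)
	cipher.NewCBCEncrypter(blk, sectorIV(key, p2, sector, plumb)).CryptBlocks(c2, p2)
	for i := 0; i < len(c1); i += bs {
		if string(c1[i:i+bs]) != string(c2[i:i+bs]) {
			idx = append(idx, i/bs)
		}
	}
	return
}

func main() {
	key, p1 := []byte("0123456789abcdef0123456789abcdef"), make([]byte, 512) // constructed sample key and sector
	p2 := append([]byte{}, p1...)
	p2[256] ^= 0x01 // one bit flipped in the middle of the sector (cipher block 16)
	fmt.Println("sector-number IV, changed blocks:", changedBlocks(key, p1, p2, 7, false))
	fmt.Println("plaintext-hash IV, changed blocks:", changedBlocks(key, p1, p2, 7, true))
}
```

With the sector-number IV only blocks 16 through 31 change, so the position of the edit leaks; with the plaintext-hash IV all 32 blocks change.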