Date: Thu, 03 Mar 2005 13:37:46 -0500
From: Roland Dowdeswell <elric@imrryr.org>
To: "ALeine" <aleine@austrosearch.net>
Cc: crypto@metzdowd.com
Subject: Re: FUD about CGD and GBDE
Message-ID: <20050303183746.DAD403700F@arioch.imrryr.org>
In-Reply-To: Your message of "Wed, 02 Mar 2005 13:52:19 PST." <200503022152.j22LqJTw084488@marlena.vvi.at>

On 1109800339 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:
>
>> Both Lucky Green and David Wagner have nodded vertical on GBDE.
>
>I trust the professional opinions of both Lucky Green and David Wagner
>at least an order of magnitude more than that of Roland Dowdeswell,
>especially after this discussion.

Most of this started when I disputed some of the wild claims that
PHK has made about the security of GBDE.  Let me restate:

In:

    http://www.bsdcan.org/2004/papers/gbde.pdf

The claim is made that there is at least O(2^256) work to crack a
disk and O(2^384) to crack the disk if the lock sectors are destroyed.

I do not believe that I need any credibility whatsoever to call
shenanigans on these outrageous claims.  It is _plainly_obvious_
that if you encrypt 2^30 sectors each with a different 128 bit key
then there are at most 2^158 different ways to decrypt the entire
disk.  Period.

PHK then says that it might be difficult to detect whether you got
a hit on any individual sector.  Well, if we are to believe the
O(2^384) claim, then we must assume that the amount of work to
verify one of the 2^158 different possibilities is

    2^{384 - 158} = 2^226

So, verifying that you have correctly decrypted the disk is now
suddenly almost as hard as cracking 256 bit AES?

I can't quite bring myself to believe that.

This has made me rather suspicious of many other claims that have
been floating around w.r.t. GBDE.

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/