From: Max Vozeler
Subject: Re: [PATCH 4/4] crypto: lmk2/lmk3 cipher block modes
Date: Mon, 18 Jan 2010 17:52:34 +0100
Message-ID: <20100118165234.GD3964@quark.vpn.nusquama.org>
References: <1262026755-23056-1-git-send-email-max@hinterhof.net> <1262026755-23056-5-git-send-email-max@hinterhof.net> <20100117110325.GA32635@gondor.apana.org.au>
In-Reply-To: <20100117110325.GA32635@gondor.apana.org.au>
To: Herbert Xu
Cc: linux-crypto@vger.kernel.org, linux-crypto@nl.linux.org, Jari Ruusu

Hello Herbert,

On Sun, Jan 17, 2010 at 10:03:25PM +1100, Herbert Xu wrote:
> On Mon, Dec 28, 2009 at 06:59:15PM +0000, Max Vozeler wrote:
> > Both modes operate on full 512 byte sectors. They use CBC
> > with an IV derived from the sector number, the data and (for
> > lmk3 only) an extra 128-bit IV seed.
>
> So this is just CBC with a modified IV?

It is almost CBC, but not exactly. The difference is that the IV is
derived from the cleartext and so is not known before decrypt.

So decrypt could be described using CBC as, I think:

1) CBC decrypt with null IV
2) Derive IV based on cleartext of blocks 1..31
3) XOR block 0 with IV

> If so it should not be implemented as another mode. Doing it as
> a mode means that you will not benefit from any hardware
> implementations of CBC.

If there is some way to implement it cleanly without making it
another mode I would prefer doing that.

> You should instead implement it as an IV generator. Currently
> they're done in dm-crypt.

I'd agree that dm-crypt would be the more suitable place. But I'm
not sure how to implement it given the difference described above.

It might look something like this:

- Add IV generators "lmk2", "lmk3"
- Treat them as "cbc" with null IV internally, then after decrypt
  derive IV and xor block 0 with it.

The second part is why I built this as a mode originally. It seemed
like it did not belong in dm-crypt.

Max
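The three-step decrypt described in the mail (null-IV CBC decrypt, derive the IV from cleartext blocks 1..31, XOR it into block 0), as an added worked example; this is not code from the patch or from dm-crypt. The 128-bit block cipher and the IV derivation are stand-ins constructed for the demo (an assumption, since the mail does not give the real lmk2/lmk3 derivation); the only property relied on is that the IV depends on the sector number, blocks 1..31 of the cleartext and an optional seed, never on block 0.

```python
import hashlib
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, blk):
    # Stand-in 128-bit block cipher: 4-round Feistel over keyed SHA-256 (demo only, not AES).
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def derive_iv(sector, cleartext, seed=b""):
    # ASSUMED derivation (not the real lmk2/lmk3 one): sector number, cleartext blocks 1..31, optional lmk3 seed.
    return hashlib.sha256(sector.to_bytes(8, "little") + cleartext[BLOCK:] + seed).digest()[:BLOCK]

def encrypt_sector(key, sector, cleartext, seed=b""):
    return cbc_encrypt(key, derive_iv(sector, cleartext, seed), cleartext)

def decrypt_sector(key, sector, ciphertext, seed=b""):
    # 1) CBC decrypt with null IV: blocks 1..31 are already correct, block 0 is still XORed with the (unknown) IV.
    tmp = cbc_decrypt(key, bytes(BLOCK), ciphertext)
    # 2) Derive the IV from cleartext blocks 1..31 (block 0 is not an input).
    iv = derive_iv(sector, tmp, seed)
    # 3) XOR block 0 with the IV to recover the full sector.
    return xor(tmp[:BLOCK], iv) + tmp[BLOCK:]
```

Decrypting with the wrong sector number or seed corrupts only block 0 of the recovered sector, which is exactly why the IV can be recomputed after the null-IV pass.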