Re: A patch to loop.c for better cryption support

From: David Wagner (
Date: Sat Oct 14 2000 - 12:12:50 EST

kernel wrote:
>There are some who believe that "not unique" IVs (across multiple
>filesystems) facilitates some methods of cryptanalysis.

It's a not a matter of "belief"; it's a matter of fact.
The weakness is that the first block of ciphertext depends
only on the IV and the first block of plaintext.

Thus, if the IV is the same for two sectors, then you can
tell from the two ciphertexts whether the two plaintexts
start with the same 8-byte (or 16-byte) prefix. Since what
we're encrypting is often patterned, and thus repeats in
the beginning of the plaintext may be semi-common, this is
not so good.

The right thing is to use non-repeating, unpredictable IV's.
One way to do this is to use E_k(sector number) as your IV,
as I mentioned earlier; or, if you want relocatibility, you
could use E_k(sector number + seed).

Ask on sci.crypt if you need more specific advice.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun Oct 15 2000 - 21:00:27 EST