Talk:IEEE Security in Storage Working Group

From Wikipedia, the free encyclopedia

LRW issue

The attacks on LRW seem to be mentioned only on the IEEE P1619 mailing list, so I labelled the section "Original Research". Has this been discussed in any peer-reviewed journal? Also, it seems to be disputed that the attack is even possible if the underlying block cipher has an adequate block length and key size. Then the attack wouldn't be on LRW, but on the underlying block cipher: if AES is used, the attack would be completely infeasible.

I don't think that's really a fair change; it isn't original research - that most members of SISWG have concerns is significant, and it is referenced by the link to the SISWG mailing list. XEX does replace LRW in the latest P1619 draft FireDemon 09:25, 15 September 2007 (UTC)
I agree that it is significant that most members of SISWG have concerns. However, these concerns are being stated as facts: "An attacker can derive the LRW tweak key when a cipher in LRW mode encrypts data that contains the tweak key" and "Collisions in the output of the cipher can lead to discovery of 1/2 of the tweak key". The first statement assumes that a collision occurs, otherwise the attack doesn't work, but for that about 256 exabytes of data is needed. The second statement assumes that the tweak key is "low-entropy", but that assumption violates the definition of a cryptographic key. Also, LRW is not replaced by Rogaway's XEX, but by "XEX TCB CTS". My issues are: Rogaway's XEX security proof doesn't apply to "XEX TCB CTS" as the tweak values are repeated after about 2^64 instead of 2^128 blocks. TCB or "Tweaked Codebook Mode" is a new invention, it does not appear anywhere outside the IEEE P1619 mailing list, this should be mentioned. In short: my problem is not with the events in the history of P1619, but with the cryptographic claims made in this article. From Wikipedia's Original Research policy: "The threshold for inclusion in Wikipedia is verifiability, not truth. This policy and the verifiability policy reinforce each other by requiring that only assertions, theories, opinions, and arguments that have already been published in a reliable source may be used in Wikipedia." A mailing list is not a reliable source for the cryptographic claims made in this article. I'm going to put the OR warning back until a reference to a reliable source is added for these cryptographic claims. —Preceding unsigned comment added by 193.190.253.144 (talk) 10:32, 15 September 2007 (UTC)
I think that the first problem (K2 followed by zeroes in the data stream) actually does not require any collisions to reveal the K2 - it is there in plain view, just slightly obfuscated. One only needs to know where to look - which is not that hard in a swap file. Dimawik 05:30, 19 September 2007 (UTC)
I would say that the contributors to the list (and its readers) included a quite significant portion of the active cryptographic community. The discussion and its conclusion have been thus much better peer-reviewed than an average article in a magazine. The fact that the discussion had never been printed on good paper stock by Springer does not make the result any less scientific. After all, one of the most recent significant mathematical results has also not been published on paper. Dimawik 06:33, 17 September 2007 (UTC)
On the Poincaré conjecture page you link to, it says: "Huai-Dong Cao and Xi-Ping Zhu published a paper in the June 2006 issue of the Asian Journal of Mathematics giving a complete proof of the Poincaré and geometrization conjectures, in which they used some earlier work by Kleiner and Lott." That means the full proof was in fact printed on "good paper stock" and peer-reviewed by all 28 people of the editorial board. But that is not my point. The Wikipedia guidelines on Verifiability do not consider a mailing list to be a reliable source. 193.190.253.144 22:28, 18 September 2007 (UTC)
I think you have misunderstood me as speaking against the peer review. Nobody sane can be against the peer review; after all, this is one of the foundations of the science as we know it. But the peer review does not require for the result to be printed on paper by a respected publisher. As long as a discussion has been held among esteemed professionals in the field and they reached an agreement, the media used for the discussion is irrelevant. Original papers by Perelman were published in arXiv, and were certainly much better reviewed than the "good paper stock" publications you quote. Same is true for the facts in this article. The readers and contributors of the P1619 mailing list included more professionals in the field than a typical editorial board of an IEEE publication. Therefore, in this particular case I see no reason to doubt the outcome of the discussion. And no, the guidelines article you have referenced does not discourage using the mailing lists as a source. Dimawik 05:20, 19 September 2007 (UTC)
And what is the outcome of the discussion? Several people have pointed out that Matt Ball's attack is completely infeasible. The attack assumes that you can find collisions in the output of AES (you need about 256 exabytes of data for that), and do an exhaustive key search to detect such a collision in the output of LRW (you need to try 2^128 keys). Matt Ball claims that an exhaustive key search is possible because a 128-bit key actually only has about 2^24 possible values if it's an ASCII string. This goes against the definition of a cryptographic key, which is picked at random from the entire keyspace. He does not explain how he would actually find such a collision. 193.190.253.144 17:07, 19 September 2007 (UTC)
I might be wrong, but my understanding of the discussion is that writing the K2 to disk twice followed by a string of zeros is fatal without any collisions and requires just a few XORs to recover the key. Since the swap file in a secure system needs to be encrypted, this situation is very hard to prevent, and this has been the main reason for dropping the LRW in P1619. That said, my suggestion is to add the sunny side of the story to the text of an article, keep the links to the mail list and remove the "fact" request. —Preceding unsigned comment added by Dimawik (talkcontribs) 18:36, 19 September 2007 (UTC)
You're right. That last link explained it all to me. I've tried to clarify the "LRW issue" a bit, but feel free to make further improvements to that section. A few remarks though. You don't need to write the tweak key K2 twice, only once is enough. The plaintext K2||0^n or 0^n||K2 creates the same input for the AES function, so there is in fact a collision. There seems to be an easy way to prevent this attack: allocate a larger block of memory, fill it with random data and put K2 somewhere in the middle. —Preceding unsigned comment added by 193.190.253.144 (talk) 20:41, 19 September 2007 (UTC)
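The exchange above describes the LRW tweak-key leak in words; the following is an added worked example (not from the original talk page, the P1619 drafts, or any SISWG member) that runs the attack end to end. It uses the standard LRW definition C_i = E_K1(P_i xor T_i) xor T_i with tweak T_i = K2 * i in GF(2^128) (reduction polynomial x^128 + x^7 + x^2 + x + 1). The block cipher E is an assumed stand-in (a SHA-256-based Feistel keyed by K1) rather than AES, because the attack only needs E to be deterministic; the function names (`gf128_mul`, `lrw_encrypt`, `recover_k2`, `attack_demo`) and the sample keys are this example's own. It also shows the two caveats a practitioner should know: the K2 block and the zero block must sit at indices i and i^1 (an aligned even/odd pair), and surrounding K2 with non-zero data, as suggested in the comment above, breaks the collision.

```python
import hashlib
import os

BLOCK = 16                  # 128-bit blocks
MASK = (1 << 128) - 1
POLY = 0x87                 # x^128 + x^7 + x^2 + x + 1, the LRW/P1619 field polynomial


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gf128_mul(a: int, b: int) -> int:
    """Carry-less multiply of two 128-bit values modulo POLY (GF(2^128)).
    Linearity is all the attack relies on: K2*i xor K2*j == K2*(i xor j)."""
    res = 0
    for _ in range(128):
        if b & 1:
            res ^= a
        b >>= 1
        overflow = a >> 127
        a = (a << 1) & MASK
        if overflow:
            a ^= POLY
    return res


def block_cipher(k1: bytes, x: bytes) -> bytes:
    """Assumed stand-in 128-bit block cipher: 4-round Feistel with a SHA-256 round
    function keyed by k1.  Not AES; the attack only needs E to be a deterministic
    keyed permutation, so AES would behave identically here."""
    left, right = x[:8], x[8:]
    for rnd in range(4):
        f = hashlib.sha256(k1 + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def lrw_encrypt_block(k1: bytes, k2: int, index: int, p: bytes) -> bytes:
    """LRW: C_i = E_K1(P_i xor T_i) xor T_i with tweak T_i = K2 * i."""
    t = gf128_mul(k2, index).to_bytes(BLOCK, "big")
    return xor(block_cipher(k1, xor(p, t)), t)


def lrw_encrypt(k1: bytes, k2: int, first_index: int, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    return b"".join(
        lrw_encrypt_block(k1, k2, first_index + n, plaintext[n * BLOCK:(n + 1) * BLOCK])
        for n in range(len(plaintext) // BLOCK)
    )


def recover_k2(c_i: bytes, c_j: bytes) -> bytes:
    """If block i held K2 and block j = i^1 held 0^128 (or vice versa), the cipher
    inputs collide: K2 xor K2*i == K2*(i^1) == K2*j.  Then
    C_i xor C_j = T_i xor T_j = K2*(i xor j) = K2.  Two XORs, no key search."""
    return xor(c_i, c_j)


def attack_demo(k1: bytes, k2: bytes, index: int, k2_first: bool = True,
                neighbour: bytes = bytes(BLOCK)):
    """Encrypt K2||neighbour (or neighbour||K2) starting at block `index` and
    attempt recovery.  Returns (recovered_bytes, success)."""
    k2_int = int.from_bytes(k2, "big")
    plaintext = k2 + neighbour if k2_first else neighbour + k2
    ct = lrw_encrypt(k1, k2_int, index, plaintext)
    guess = recover_k2(ct[:BLOCK], ct[BLOCK:])
    return guess, guess == k2


if __name__ == "__main__":
    k1, k2 = os.urandom(16), os.urandom(16)          # constructed sample keys
    print("K2||0^n at blocks 4,5 :", attack_demo(k1, k2, 4)[1])                    # True
    print("0^n||K2 at blocks 4,5 :", attack_demo(k1, k2, 4, k2_first=False)[1])    # True
    print("K2||0^n at blocks 5,6 :", attack_demo(k1, k2, 5)[1])                    # False: 5^6 = 3
    print("K2 next to random data:", attack_demo(k1, k2, 4, neighbour=os.urandom(16))[1])  # False
```

The misaligned case (blocks 5 and 6) fails because i xor j is 3, not 1, so the inputs to E differ and C_i xor C_j is K2*3 masked by two unrelated cipher outputs; on a real disk the attacker simply tries both alignments. The last case is the mitigation from the comment above: when the block next to K2 is not all zeros there is no collision to exploit.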

Out of date?

If the standard was ever approved, then the "P" should be taken off. It indicates "proposed" standards only. If not, then article should be written in past tense since it talks about things that happened five years in the past. W Nowicki (talk) 17:20, 31 August 2013 (UTC)

I have updated this article to include all of the standards overseen by the IEEE Security in Storage Working Group (SISWG), as of October 2025.
I removed the section on the LRW issue, as that has been overtaken by events with the publication of the standard. That debate is no longer taking place in SISWG.
I recommend re-titling this page to SISWG or "Security in Storage Working Group", and having "P1619" redirect to that in order to avoid confusing readers used to using "P1619".
Paul Suhler, Chair, SISWG Paul Suhler (talk) 19:46, 10 October 2025 (UTC)
Colleague @Paul Suhler: Thank you for contributing your knowledge and expertise! However,
  1. Your edit had introduced big chunks of text copied verbatim from the IEEE website. The IEEE-SA licensing is very much non-free, so the added text has WP:COPYVIO issues. Please re-write it using your own words.
  2. History of the standards development is very much of encyclopedic interest, so you might consider restoring at least part of it (a paragraph about LRW is definitely needed). LRW and XEX (and XTS) belong to history (the latter two to no small extent due to their very entertaining abbreviations);
  3. I support your suggestion to change the name of ("move") the article to Security in Storage Working Group. You can request it yourself by applying techniques documented in WP:MOVE. Note that the simplest way described there (just move it yourself) will not work in this case.
Feel free to ask me for advice. Dimawik (talk) 22:30, 12 October 2025 (UTC)
Hi, Dimawik. Thanks for your advice.
It was not clear what you meant by not being able to "just move it yourself". I seem to have successfully moved P1619, but I can't tell whether I created problems. The only problem I've noticed is that "P1619" and "SISWG" now go to a redirect page and not directly to the new page. How can I fix this? I'd dig more, but it's late at night.
I've rewritten lots of the text in my own words. I'm concerned that the motivations for things like why the 2883 family was developed are not documented outside the SISWG minutes (and not very well there). Since those aren't publicly available, I have no way of providing citations. How much of a problem is this?
I can put back in some of the LRW text. Paul Suhler (talk) 04:47, 26 October 2025 (UTC)
Thank you very much!
  1. The "double redirect" issue you have mentioned will be resolved by an automatic "bot" in a short time. So in this case we can just enjoy the popcorn;
  2. Technically, the WP:V requires that all statements here are supported by WP:RS. There is no requirement, however, for these RS to be openly available, and under-the-lock-and-key resources that can be obtained in some legal way (say, by joining SISWG) are OK, even if the effort is not trivial, in the same way the records in archives are OK. So you might want to simply refer to the said minutes, there is no need to provide an openly accessible URL for them. You can even provide a URL with a note that it is only accessible to some group X. Other editors might not like what I just have said here, but in a noncontroversial topic like this one an issue with sources is unlikely: contrary to the popular belief, editors here generally give very wide latitude to experts like you, unless a promotional push is suspected.
Dimawik (talk) 19:14, 28 October 2025 (UTC)


The link in the section "has been replaced by the XEX-AES tweakable block cipher in P1619.0 Draft 7" is broken. Preceding unsigned comment added by 80.252.219.35 (talk)
