Subject: Re: FUD about CGD and GBDE
To: ALeine <>
From: Roland Dowdeswell <>
List: tech-security
Date: 03/03/2005 13:37:46
On 1109800339 seconds since the Beginning of the UNIX epoch
"ALeine" wrote:

>> Both Lucky Green and David Wagner have nodded vertical on GBDE.
>I trust the professional opinions of both Lucky Green and David Wagner
>at least an order of magnitude more than that of Roland Dowdeswell,
>especially after this discussion.

Most of this started when I disputed some of the wild claims that
PHK has made about the security of GBDE.  Let me restate:


The claim is made that there is at least O(2^256) work to crack a
disk and O(2^384) to crack the disk if the lock sectors are destroyed.

I do not believe that I need any credibility whatsoever to call
shenanigans on these outrageous claims.

It is _plainly_obvious_ that if you encrypt 2^30 sectors each with
a different 128 bit key then there are at most 2^158 different ways
to decrypt the entire disk.  Period.

PHK then says that it might be difficult to detect whether you got
a hit on any individual sector.  Well, if we are to believe the
O(2^384) claim, then we must assume that the amount of work to
verify one of the 2^158 different possibilities is

	2^{384 - 158} = 2^226

So, verifying that you have correctly decrypted the disk is now
suddenly almost as hard as cracking 256 bit AES?  I can't quite
bring myself to believe that.

This has made me rather suspicious of many other claims that have
been floating around w.r.t. GBDE.

