i
Copyright © 2008 IEEE. All rights reserved.
The XTS-AES Tweakable Block Cipher1
An Extract from IEEE Std 1619-20072
Extracted from IEEE Std 1619-2007, published 18 April 2008.3
4
5
6
7
8
This special IEEE copyrighted PDF is being created to allow NIST to9
submit IEEE Std 1619-2007 XTS-AES encryption algorithm for10
consideration as an Approved Mode of Operation under NIST FIPS11
140-2 This document is made available for public review only for a12
period of ninety (90) days (June 5, 2008 through September 3, 2008).13
Copying, cutting and pasting, and/or redistributing electronically or14
otherwise of this document is strictly prohibited.15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Copyright © 2008 by the Institute of Electrical and Electronics Engineers, Inc.35
All rights reserved.36
IEEE is a registered trademark in the U.S. Patent and Trademark Office, owned by the Institute of Electrical and Electronics37
Engineers, Incorporated.38
39
40
41
42
43
ii
Copyright © 2008 IEEE. All rights reserved.
Introduction1
This document was extracted from IEEE Std 1619-2007, IEEE Standard for Cryptographic Protection of2
Data on Block-Oriented Storage Devices. This document contains description of the XTS-AES transform.3
Please refer to the full standard documentation for other information, including motivation, key4
export/import, and test vectors.5
6
XTS-AES is a tweakable block cipher designed for encryption of sector-based storage. XTS-AES acts on7
data units of 128 bits or more and uses the AES block cipher as a subroutine. The key material for XTS-8
AES consists of a data encryption key (used by the AES block cipher) as well as a “tweak key” that is used9
to incorporate the logical position of the data block into the encryption. XTS-AES is a concrete10
instantiation of the class of tweakable block ciphers described in Rogaway [B10]a
. The XTS-AES addresses11
threats such as copy-and-paste attack, while allowing parallelization and pipelining in cipher12
implementations.13
Notice to users14
Laws and regulations15
Users of these documents should consult all applicable laws and regulations. Compliance with the16
provisions of this standard does not imply compliance to any applicable regulatory requirements.17
Implementers of the standard are responsible for observing or referring to the applicable regulatory18
requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in19
compliance with applicable laws, and these documents may not be construed as doing so.20
Copyrights21
This document is copyrighted by the IEEE. It is made available for a wide variety of both public and22
private uses. These include both use, by reference, in laws and regulations, and use in private self-23
regulation, standardization, and the promotion of engineering practices and methods. By making this24
document available for use and adoption by public authorities and private users, the IEEE does not waive25
any rights in copyright to this document.26
Updating of IEEE documents27
Users of IEEE standards should be aware that these documents may be superseded at any time by the28
issuance of new editions or may be amended from time to time through the issuance of amendments,29
corrigenda, or errata. An official IEEE document at any point in time consists of the current edition30
of the document together with any amendments, corrigenda, or errata then in effect. In order to determine31
whether a given document is the current edition and whether it has been amended through the32
issuance of amendments, corrigenda, or errata, visit the IEEE Standards Association Web site at33
http://ieeexplore.ieee.org/xpl/standards.jsp, or contact the IEEE at the address listed previously.34
35
For more information about the IEEE Standards Association or the IEEE standards development process,36
visit the IEEE-SA Web site at http://standards.ieee.org.37
38
_________________39
a
The numbers in brackets correspond to those of the bibliography in Annex A.40
41
iii
Copyright © 2008 IEEE. All rights reserved.
Errata1
Errata, if any, for this and all other standards can be accessed at the following URL:2
http://standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL3
for errata periodically.4
Interpretations5
Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/6
index.html.7
Patents8
Attention is called to the possibility that implementation of this IEEE Std 1619-2007 may require use of9
subject matter covered by patent rights. By publication of this IEEE Std 1619-2007, no position is taken10
with respect to the existence or validity of any patent rights in connection therewith. The IEEE is not11
responsible for identifying Essential Patent Claims for which a license may be required, for conducting12
inquiries into the legal validity or scope of Patents Claims or determining whether any licensing terms or13
conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing14
agreements are reasonable or non-discriminatory. Users of this IEEE Std 1619-2007 are expressly advised15
that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely16
their own responsibility. Further information may be obtained from the IEEE Standards Association.17
Participants from IEEE Std 1619-200718
The Security in Storage Working Group operated under the following sponsorship:19
20
Sponsor: John L. Cole21
Co-Sponsor: Curtis Anderson22
23
At the time this standard was submitted to the IEEE-SA Standards Board for approval, the Security in24
Storage Working Group had the following officers:25
26
Matthew V. Ball, Chair27
Eric A. Hibbard, Vice-chair28
James P. Hughes, Past chair29
Fabio Maino, Secretary30
31
At the time this standard was submitted to the IEEE-SA Standards Board for approval, the P1619 Task32
Group had the following membership:33
34
Serge Plotkin, Task Group Chair and Technical Editor35
36
37 Gideon Avida37
Matthew V. Ball38
David L. Black39
Russel S. Dietz40
Robert C. Elliott41
Hal Finney42
John Geldman43
Robert W. Griffin44
Cyril Guyot45
Shai Halevi46
Laszlo Hars47
Larry D. Hofer48
Walter A. Hubis49
James P. Hughes50
Glen Jaquette51
Curt Kolovson52
Robert A. Lockhart53
Fabio R. Maino54
Charlie Martin55
David A. McGrew56
Dalit Naor57
Landon Curt Noll58
Jim Norton59
Scott Painter60
David B. Sheehy61
Robert N. Snively62
Douglas L. Whiting63
64
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
iv
Copyright © 2008 IEEE. All rights reserved.
This “Extract of IEEE Std 1619-2007” was edited by Serge Plotkin (past vice-chair), Shai Halevi, and1
Dalit Naor.2
3
Special thanks to Douglas L. Whiting, Brian Gladman, and Robert C. Elliott.4
5
IEEE Std 1619-2007 Balloters6
7
The following members of the balloting committee voted on this standard. Balloters may have voted for8
approval, disapproval, or abstention.9
10
Curtis C. Anderson11
Danilo Antonelli12
Gideon Avida13
Matthew V. Ball14
Brian A. Berg15
Massimo Cardaci16
Juan C. Carreon17
Keith Chow18
John L. Cole19
Roger Cummings20
Geoffrey Darnton21
Russell S. Dietz22
Carlo Donati23
Robert C. Elliott24
Yaacov Fenster25
John Geldman26
Robert W. Griffin27
Randall Groves28
Laszlo Hars29
Eric A. Hibbard30
Werner Hoelzl31
Larry D. Hofer32
Stuart Holoman33
Walter A. Hubis34
Raj Jain35
Piotr Karocki36
Kenneth Lang37
Daniel G. Levesque38
Robert A. Lockhart39
Fabio R. Maino40
Edward McCall41
42
Michael Newman43
Charles K. Ngethe44
Landon Curt Noll45
Serge Plotkin46
Ulrich Pohl47
Jose Puthenkulam48
Michael D. Rush49
Randall M. Safier50
Stephen Schwarm51
David B. Sheehy52
Robert N. Snively53
Thomas Starai54
Walter Struppler55
John Vergis56
Oren Yuen57
Paolo Zangher58
59
60
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
v
Copyright © 2008 IEEE. All rights reserved.
CONTENTS1
2
1. Overview .................................................................................................................................................... 13
1.1 Scope ................................................................................................................................................... 14
1.2 Purpose ................................................................................................................................................ 15
1.3 Related work........................................................................................................................................ 16
2. Normative references.................................................................................................................................. 17
3. Definitions.................................................................................................................................................. 28
3.1 Acronyms and abbreviations ............................................................................................................... 29
4. Special terms .............................................................................................................................................. 210
4.1 Numerical values................................................................................................................................. 211
4.2 Letter symbols ..................................................................................................................................... 312
4.3 Special definitions ............................................................................................................................... 313
5. XTS-AES transform................................................................................................................................... 314
5.1 Data units and tweaks.......................................................................................................................... 315
5.2 Multiplication by a primitive element α.............................................................................................. 416
5.3 XTS-AES encryption procedure.......................................................................................................... 417
5.4 XTS-AES decryption procedure.......................................................................................................... 618
6. Using XTS-AES-128 and XTS-AES-256 for encryption of storage .......................................................... 819
Annex A (informative) Bibliography ........................................................................................................... 1020
Annex C (informative) Pseudocode for XTS-AES-128 and XTS-AES-256 encryption.............................. 1121
C.1 Encryption of a data unit with a size that is a multiple of 16 bytes................................................... 1122
C.2 Encryption of a data unit with a size that is not a multiple of 16 bytes............................................. 1223
Annex D (informative) Rationale and design choices.................................................................................. 1324
D.1 Purpose ............................................................................................................................................. 1325
D.2 Transparent encryption ..................................................................................................................... 1326
D.3 Wide vs. narrow block tweakable encryption................................................................................... 1427
D.4 XEX construction ............................................................................................................................. 1528
D.5 Sector-size that is not a multiple of 128 bits..................................................................................... 1829
D.6 Miscellaneous ................................................................................................................................... 1830
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
1
Copyright © 2008 IEEE. All rights reserved.
IEEE Std 1619-20071
2
IMPORTANT NOTICE: This standard is not intended to assure safety, security, health, or3
environmental protection in all circumstances. Implementers of the standard are responsible for4
determining appropriate safety, security, environmental, and health practices or regulatory5
requirements.6
This IEEE document is made available for use subject to important notices and legal disclaimers. These7
notices and disclaimers appear in all publications containing this document and may be found under the8
heading “Important Notice” or “Important Notices and Disclaimers Concerning IEEE Documents.”9
They can also be obtained on request from IEEE or viewed at http://standards.ieee.org/IPR/10
disclaimer.html.11
12
1. Overview13
1.1 Scope14
This standard specifies elements of an architecture for cryptographic protection of data on block-oriented15
storage devices, describing the methods, algorithms, and modes of data protection to be used.16
1.2 Purpose17
This standard defines specific elements of an architecture for cryptographically protecting data stored in18
constant length blocks. Specification of such a mechanism provides an additional and improved tool for19
implementation of secure and interoperable protection of data residing in storage.20
1.3 Related work21
The formal definition of the security goal of a tweakable block-cipher can be attributed to Liskov, Rivest,22
and Wagner [B5]1
, where they also show how tweakable ciphers can be built from standard block ciphers.23
An earlier work by Schroeppel suggested the idea of a tweakable block-cipher, by designing a cipher that24
natively incorporates a tweak (see Schroeppel [B11]).25
2. Normative references26
The following referenced documents are indispensable for the application of this document (i.e., they must27
be understood and used, so each referenced document is cited in text and its relationship to this document is28
explained). For dated references, only the edition cited applies. For undated references, the latest edition of29
the referenced document (including any amendments or corrigenda) applies.30
NIST FIPS-197, Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard31
(AES).2
32
33
34
1
The numbers in brackets correspond to those of the bibliography in Annex A.
2
FIPS publications are available from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22661,
USA. FIPS-197 is also available on-line from http://csrc.nist.gov/publications/fips/index.
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
2
Copyright © 2008 IEEE. All rights reserved.
3. Definitions1
For the purposes of this standard, the following terms and definitions apply. The Authoritative Dictionary2
of IEEE Standards Terms, Seventh Edition [B4] should be referenced for terms not defined in this clause.3
4
key scope: Data encrypted by a particular key, divided into equal-sized data units. The key scope is5
identified by three non-negative integers: tweak value corresponding to the first data unit, the data unit size,6
and the length of the data.7
NOTE—See 4.3.1.3
8
tweak value: The 128-bit value used to represent the logical position of the data being encrypted or9
decrypted with XTS-AES.10
3.1 Acronyms and abbreviations11
AES advanced encryption standard12
Base64 encoding according to IETF RFC 3548 [B12]13
DTD document type definition14
FIPS Federal Information Processing Standard15
GF Galois field (see Menezes et. al. [B6])16
LBA logical block address17
XML extensible markup language18
XTS XEX encryption mode with tweak and ciphertext stealing19
4. Special terms20
4.1 Numerical values21
Decimal and binary numbers are used within this document. For clarity, decimal numbers are generally22
used to represent counts and binary numbers are used to describe bit patterns.23
Decimal numbers are represented in their usual 0, 1, 2, ... format. Binary numbers are represented by a24
string of one or more bits followed by the subscript 2. Thus the decimal number 26 may also be represented25
as 000110102. Hexadecimal numbers are represented by a string of one or more hexadecimal characters26
followed by a subscript 16.27
3
Notes in text, tables, and figures are given for information only, and do not contain requirements needed to implement the standard.
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
3
Copyright © 2008 IEEE. All rights reserved.
4.2 Letter symbols1
The following symbols are used in equations and figures:2
⊕ Bit-wise exclusive-OR operation3
⊗ Modular multiplication of two polynomials over the binary field GF(2), modulo4
x128
+ x7
+ x2
+ x + 1, where GF stands for Galois Field (see Menezes et. al. [B6])5
α A primitive element of GF(2128
) that corresponds to polynomial x (i.e., 0000…0102),6
where GF stands for Galois Field (see Menezes et. al. [B6])7
• Assignment of a value to a variable8
| Concatenation (e.g., if K1 = 0012 and K2 = 1010102, then K1|K2 = 0011010102)9
// Start of a comment. Comment ends at end of line10
⎣x⎦ Floor of x (e.g., ⎣7/3⎦ = 2)11
4.3 Special definitions12
4.3.1 Data unit: Within IEEE Std 1619, 128 or more bits of data within a key scope. The first data unit in13
a key scope starts with the first bit of the key scope; each subsequent data unit starts with the bit after the14
end of the previous data unit. Data units within a key scope are of equal sizes. A data unit does not15
necessarily correspond to a physical or logical block on the storage device.16
5. XTS-AES transform17
5.1 Data units and tweaks18
This standard applies to encryption of a data stream divided into consecutive equal-size data units, where19
the data stream refers to the information that has to be encrypted and stored on the storage device.20
Information that is not to be encrypted is considered to be outside of the data stream.21
22
The data unit size shall be at least 128 bits. Data unit should be divided into 128-bit blocks. Last part of the23
data unit might be shorter than 128 bits. The number of 128-bit blocks in the data unit shall not exceed24
2128
– 2. The number of 128-bit blocks should not exceed 220
.4
Each data unit is assigned a tweak value that25
is a non-negative integer. The tweak values are assigned consecutively, starting from an arbitrary non-26
negative integer. When encrypting a tweak value using AES, the tweak is first converted into a little-endian27
byte array. For example, tweak value 123456789a16 corresponds to byte array 9a16,7816,5616,3416,1216.28
29
The mapping between the data unit and the transfer, placement, and composition of data on the storage30
device is beyond the scope of this standard. Devices compliant with this standard should include31
documentation describing this mapping. In particular, a single data unit does not necessarily correspond to32
a single logical block on the storage device. For example, several logical blocks might correspond to a33
single data unit. Data stream, as used in this standard, does not necessarily refer to all of the bits sent to be34
4
Previous two sentences are not contradicting each other. First sentence states the hard limit, while the second one strongly suggests
to keep the value below the second, significantly lower limit.
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
4
Copyright © 2008 IEEE. All rights reserved.
stored in the storage device. For example, if only part of a logical block is encrypted, only the encrypted1
bytes are viewed as the data stream, i.e., input to the encryption algorithm in this standard.2
5.2 Multiplication by a primitive element α3
The encryption procedure (see 5.3) and decryption procedure (see 5.4) use multiplication of a 16-byte value4
(the result of AES encryption or decryption) by j-th power of α, a primitive element of GF(2128
). The input5
value is first converted into a byte array a0[k], k = 0,1,...,15. In particular, the 16-byte result of AES6
encryption or decryption is treated as a byte array, where a0[0] is the first byte of the AES block.7
8
This multiplication is defined by the following procedure:9
10
Input: j is the power of α11
byte array a0[k], k = 0,1,...,1512
Output: byte array aj[k], k = 0,1,...,1513
14
The output array is defined recursively by the following formulas where i is iterated from 0 to j:15
16
ai+1[0] ← (2 (ai[0] mod 128)) ⊕ (135 ⎣ai[15]/128⎦)17
ai+1[k] ← (2 (ai[k] mod 128)) ⊕ ⎣ai[k–1]/128⎦, k = 1,2,…,1518
19
NOTE—Conceptually, the operation is a left shift of each byte by one bit with carry propagating from one byte to the20
next one. Also, if the 15th
(last) byte shift results in a carry, a special value (decimal 135) is xor-ed into the first byte.21
This value is derived from the modulus of the Galois Field (polynomial x128
+ x7
+ x2
+ x + 1). See Annex C for an22
alternative way to implement the multiplication by αj
.23
24
5.3 XTS-AES encryption procedure25
5.3.1 XTS-AES-blockEnc procedure, encryption of a single 128-bit block26
The XTS-AES encryption procedure for a single 128-bit block is modeled with Equation (1).27
C ← XTS-AES-blockEnc(Key, P, i, j) (1)28
29
where30
Key is the 256 or 512 bit XTS-AES key31
P is a block of 128 bits (i.e., the plaintext)32
i is the value of the 128-bit tweak (see 5.1)33
j is the sequential number of the 128-bit block inside the data unit34
C is the block of 128 bits of ciphertext resulting from the operation35
The key is parsed as a concatenation of two fields of equal size called Key1 and Key2 such that:36
Key = Key1 | Key2.37
The ciphertext shall then be computed by the following or an equivalent sequence of steps (see Figure 1):38
1) T ← AES-enc(Key2 , i) ⊗ αj
39
2) PP ← P ⊕ T40
3) CC ← AES-enc(Key1 , PP)41
4) C ← CC ⊕ T42
43
AES-enc(K,P) is the procedure of encrypting plaintext P using AES algorithm with key K, according to44
FIPS-197. The multiplication and computation of power in step 1) is executed in GF(2128
), where α is the45
primitive element defined in 4.2 (see 5.2).46
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
5
Copyright © 2008 IEEE. All rights reserved.
1
2
3
Figure 1— Diagram of XTS-AES blockEnc procedure4
5.3.2 XTS-AES encryption of a data unit5
The XTS-AES encryption procedure for a data unit of plaintext of 128 or more bits is modeled with6
Equation (2).7
C ← XTS-AES-Enc (Key, P, i) (2)8
where9
Key is the 256 or 512 bit XTS-AES key10
P is the plaintext11
i is the value of the 128-bit tweak (see 5.1)12
C is the ciphertext resulting from the operation, of the same bit-size as P13
The plaintext data unit is first partitioned into m + 1 blocks, as follows:14
P = P0 |… |Pm−1|Pm15
where m is the largest integer such that 128m is no more than the bit-size of P, the first m blocks P0,…,16
Pm−1 are each exactly 128 bits long, and the last block Pm is between 0 and 127 bits long (Pm could be17
empty, i.e., 0 bits long). The key is parsed as a concatenation of two fields of equal size called Key1 and18
Key2 such that: Key = Key1 | Key2. The ciphertext C is then computed by the following or an equivalent19
sequence of steps:20
1) for q ← 0 to m-2 do21
a) Cq ← XTS-AES-blockEnc(Key, Pq, i, q)22
2) b ← bit-size of Pm23
3) if b = 0 then do24
a) Cm–1 ← XTS–AES-blockEnc(Key, Pm–1, i, m–1)25
b) Cm ← empty26
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
6
Copyright © 2008 IEEE. All rights reserved.
4) else do1
a) CC ← XTS-AES-blockEnc(Key, Pm–1, i, m–1)2
b) Cm ← first b bits of CC3
c) CP ← last (128–b) bits of CC4
d) PP ← Pm | CP5
e) Cm–1 ← XTS-AES-blockEnc(Key, PP, i, m)6
5) C ← C0|… |Cm–1|Cm7
8
An illustration of encrypting the last two blocks Pm–1Pm in the case that Pm is a partial block (b > 0) is9
provided in Figure 2.10
11
Figure 2—XTS-AES encryption of last two blocks when last block is 1 to 127 bits12
5.4 XTS-AES decryption procedure13
5.4.1 XTS-AES-blockDec procedure, decryption of a single 128-bit block14
The XTS-AES decryption procedure of a single 128-bit block is modeled with Equation (3).15
P ← XTS-AES-blockDec(Key, C, i, j) (3)16
where17
Key is the 256 or 512-bit XTS-AES key18
C the 128-bit block of ciphertext19
i is the value of the 128-bit tweak (see 5.1)20
j is the sequential number of the 128-bit block inside the data unit21
P is the 128-bit block of plaintext resulting from the operation22
The key is parsed as a concatenation of two fields of equal size called Key1 and Key2 such that:23
Key = Key1 | Key2. The plaintext shall then be computed by the following or an equivalent sequence of steps24
(see Figure 3):25
1) T ← AES-enc(Key2 , i) ⊗ αj
26
2) CC ← C ⊕ T27
3) PP ← AES-dec(Key1 , CC)28
4) P ← PP ⊕ T29
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
7
Copyright © 2008 IEEE. All rights reserved.
1
AES-dec(K,C) is the procedure of decrypting ciphertext C using AES algorithm with key K, according to2
FIPS-197. The multiplication and computation of power in step 1) is executed in GF(2128
), where α is the3
primitive element defined in 4.2 (see 5.2).4
5
6
7
Figure 3—Diagram of XTS-AES blockDec procedure8
9
5.4.2 XTS-AES decryption of a data unit10
The XTS-AES decryption procedure for a data unit ciphertext of 128 or more bits is modeled with11
Equation (4).12
P ← XTS-AES-Dec(Key, C, i) (4)13
where14
Key is the 256 or 512-bit XTS-AES key15
C is the ciphertext corresponding to the data unit16
i is the value of the 128-bit tweak (see 5.1)17
P is the plaintext data unit resulting from the operation, of the same bit-size as C18
The ciphertext is first partitioned into m + 1 blocks as follows:19
C = C0 |… |Cm−1|Cm20
where m is the largest integer such that 128m is no more than the bit-size of C, the first m blocks C0,…,21
Cm−1 are each exactly 128 bits long, and the last block Cm is between 0 and 127 bits long (Cm could be22
empty, i.e., 0 bits long). The key is parsed as a concatenation of two fields of equal size called Key1 and23
Key2 such that: Key = Key1 | Key2. The plaintext P is then computed by the following or an equivalent24
sequence of steps:25
1) for q ← 0 to m-2 do26
a) Pq ← XTS-AES-blockDec(Key, Cq, i, q)27
2) b ← bit-size of Cm28
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
8
Copyright © 2008 IEEE. All rights reserved.
3) if b = 0 then do1
b) Pm-1 ← XTS-AES-blockDec(Key, Cm-1, i, m-1)2
c) Pm ← empty3
4) else do4
d) PP ← XTS-AES-blockDec(Key, Cm-1, i, m)5
e) Pm ← first b bits of PP6
f) CP ← last (128-b) bits of PP7
g) CC ← Cm | CP8
h) Pm-1 ← XTS-AES-blockDec(Key, CC, i, m-1)9
5) P ← P0 |… |Pm-1|Pm10
11
The decryption of the last two blocks Cm–1Cm in the case that Cm is a partial block (b > 0) is illustrated in12
Figure 4.13
14
Figure 4—XTS-AES decryption of last two blocks when last block is 1 to 127 bits15
6. Using XTS-AES-128 and XTS-AES-256 for encryption of storage16
The encryption and decryption procedures described in 5.3 and 5.4 use AES as the basic building block. If17
the XTS-AES key consists of 256 bits, the procedures use 128-bit AES; if the XTS-AES key consists of18
512 bits, the procedures use 256-bit AES. For completeness, the first mode shall be referred to as XTS-19
AES-128 and the second as XTS-AES-256. To be compliant with the standard, the implementation shall20
support at least one of the above modes.21
22
Key scope defines the range of data encrypted with a single XTS-AES key. The key scope is represented by23
the following three values:24
25
a) Value of the tweak associated with the first data unit in the sequence of data units encrypted by26
this key27
b) The size in bits of each data unit28
c) The number of units to be encrypted/decrypted under the control of this key.29
30
An implementation compliant with this standard may or may not support multiple data unit sizes.31
32
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
9
Copyright © 2008 IEEE. All rights reserved.
In an application of this standard to sector-level encryption of a disk, the data unit typically corresponds to1
a logical block, the key scope typically includes a range of consecutive logical blocks on the disk, and the2
tweak value associated with the first data unit in the scope typically corresponds to the Logical Block3
Address (LBA) associated with the first logical block in the range.4
5
An XTS-AES key shall not be associated with more than one key scope.6
7
NOTE—The reason for the previous restriction is that encrypting more than one block with the same key and the same8
index introduces security vulnerabilities that might potentially be used in an attack on the system. In particular, key9
reuse enables trivial cut-and-paste attacks.10
11
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
10
Copyright © 2008 IEEE. All rights reserved.
Annex A1
(informative)2
Bibliography3
[B1] Halevi, S. and Rogaway, P., “A tweakable enciphering mode.” In Advances in Cryptology—4
CRYPTO ’03. Lecture Notes in Computer Science, vol. 2729, pp 482–499. Springer-Verlag, 2003.5
[B2] Halevi, S. and Rogaway, P., A parallelizable enciphering mode. The RSA conference—6
Cryptographer’s track, RSA-CT ’04. Lecture Notes in Computer Science, vol. 2964, pp 292–304. Springer-7
Verlag, 2004.8
[B3] Halevi, S., “EME*: extending EME to handle arbitrary-length messages with associated data,”9
INDOCRYPT 2004, Lecture Notes in Computer Science, vol. 3348, pp 315–327. Springer-Verlag, 2004.10
[B4] IEEE 100, The Authoritative Dictionary of IEEE Standards Terms, Seventh Edition.11
[B5] Liskov, M., Rivest, R., and Wagner, D., Tweakable block ciphers. In Advances in Cryptology—12
CRYPTO ’02. Lecture Notes in Computer Science, vol 2442, pp 31–46. Springer-Verlag, 2002.13
[B6] Menezes, A., Oorshot, P., and Vanstone, S., Handbook of Applied Cryptography, CRC Press, 1997.14
[B7] Meyer, C. H. and Matyas, S. M., Cryptography: a New Dimension in Computer Data Security. John15
Wiley & Sons, 1982.16
[B8] Naor, M. and Reingold, O., A pseudo-random encryption mode. Manuscript. Available online from17
http://www.wisdom.weizmann.ac.il/~naor/PAPERS/nr-mode.ps.18
[B9] NIST Key Management Guidelines SP800-57. http://csrc.nist.gov/publications/nistpubs/19
800-57/SP800-57-Part1.pdf and http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf20
[B10] Rogaway, P., Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB21
and PMAC. Advances in Cryptology—Asiacrypt 2004. Lecture Notes in Computer Science, vol. 3329, pp22
16–31. Springer-Verlag, 2004.23
[B11] Schroeppel, R., The Hasty Pudding Cipher. The first AES conference, NIST, 1998.24
Available from http://www.cs.arizona.edu/~rcs/hpc.25
(See http://csrc.nist.gov/CryptoToolkit/aes/round1/conf1/aes1conf.htm.)26
[B12] The Base16, Base32, and Base64 Data Encodings. IETF Network Working Group, July 2003.27
http://www.ietf.org/rfc/rfc3548.txt28
[B13] XML Encryption Syntax and Processing. W3C.29
http://www.w3.org/TR/xmlenc-core30
[B14] XML Key Management Specification (XKMS). W3C.31
http://www.w3.org/TR/xkms32
33
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
11
Copyright © 2008 IEEE. All rights reserved.
Annex C1
(informative)2
Pseudocode for XTS-AES-128 and XTS-AES-256 encryption3
C.1 Encryption of a data unit with a size that is a multiple of 16 bytes4
#define GF_128_FDBK 0x875
#define AES_BLK_BYTES 166
void XTS_EncryptSector7
(8
AES_Key &k2, // key used for tweaking9
AES_Key &k1, // key used for "ECB" encryption10
u64b S, // data unit number (64 bits)11
uint N, // sector size, in bytes12
const u08b *pt, // plaintext sector input data13
u08b *ct // ciphertext sector output data14
)15
{16
uint i,j; // local counters17
u08b T[AES_BLK_BYTES]; // tweak value18
u08b x[AES_BLK_BYTES]; // local work value19
u08b Cin,Cout; // "carry" bits for LFSR shifting20
21
assert(N % AES_BLK_BYTES == 0); // data unit is multiple of 16 bytes22
23
for (j=0;j<AES_BLK_BYTES;j++)24
{ // convert sector number to tweak plaintext25
T[j] = (u08b) (S & 0xFF);26
S = S >> 8; // also note that T[] is padded with zeroes27
}28
29
AES_ECB_Encrypt(k2,T); // encrypt the tweak30
31
for (i=0;i<N;i+=AES_BLK_BYTES) // now encrypt the data unit, AES_BLK_BYTES at a time32
{33
// merge the tweak into the input block34
for (j=0;j<AES_BLK_BYTES;j++)35
x[j] = pt[i+j] ^ T[j];36
37
// encrypt one block38
AES_ECB_Encrypt(k1,x);39
40
// merge the tweak into the output block41
for (j=0;j<AES_BLK_BYTES;j++)42
ct[i+j] = x[j] ^ T[j];43
44
// Multiply T by α45
Cin = 0;46
for (j=0;j<AES_BLK_BYTES;j++)47
{48
Cout = (T[j] >> 7) & 1;49
T[j] = ((T[j] << 1) + Cin) & 0xFF;50
Cin = Cout;51
}52
if (Cout)53
T[0] ^= GF_128_FDBK;54
}55
}56
57
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
12
Copyright © 2008 IEEE. All rights reserved.
C.2 Encryption of a data unit with a size that is not a multiple of 16 bytes1
#define GF_128_FDBK 0x872
#define AES_BLK_BYTES 163
4
void XTS_EncryptSector5
(6
AES_Key &k2, // key used for generating sector "tweak"7
AES_Key &k1, // key used for "ECB" encryption8
u64b S, // sector number (64 bits)9
uint N, // sector size, in bytes10
const u08b *pt, // plaintext sector input data11
u08b *ct // ciphertext sector output data12
)13
{14
uint i,j; // local counters15
u08b T[AES_BLK_BYTES]; // tweak value16
u08b x[AES_BLK_BYTES]; // local work value17
u08b Cin,Cout; // "carry" bits for LFSR shifting18
19
assert(N >= AES_BLK_BYTES); // need at least a full AES block20
21
for (j=0;j<AES_BLK_BYTES;j++)22
{ // convert sector number to tweak plaintext23
T[j] = (u08b) (S & 0xFF);24
S = S >> 8; // also note that T[] is padded with zeroes25
}26
27
AES_ECB_Encrypt(k2,T); // encrypt the tweak28
for (i=0;i+AES_BLK_BYTES <= N;i+=AES_BLK_BYTES)29
{ // now encrypt the sector data30
// merge the tweak into the input block31
for (j=0;j<AES_BLK_BYTES;j++)32
x[j] = pt[i+j] ^ T[j];33
34
// encrypt one block35
AES_ECB_Encrypt(k1,x);36
37
// merge the tweak into the output block38
for (j=0;j<AES_BLK_BYTES;j++)39
ct[i+j] = x[j] ^ T[j];40
41
// LFSR "shift" the tweak value for the next location42
Cin = 0;43
for (j=0;j<AES_BLK_BYTES;j++)44
{45
Cout = (T[j] >> 7) & 1;46
T[j] = ((T[j] << 1) + Cin) & 0xFF;47
Cin = Cout;48
}49
if (Cout)50
T[0] ^= GF_128_FDBK;51
}52
if (i < N) // is there a final partial block to handle?53
{54
for (j=0;i+j<N;j++)55
{56
x[j] = pt[i+j] ^ T[j]; // copy in the final plaintext bytes57
ct[i+j] = ct[i+j-AES_BLK_BYTES]; // and copy out the final ciphertext bytes58
}59
for (;j<AES_BLK_BYTES;j++) // "steal" ciphertext to complete the block60
x[j] = ct[i+j-AES_BLK_BYTES] ^ T[j];61
// encrypt the final block62
AES_ECB_Encrypt(k1,x);63
64
// merge the tweak into the output block65
for (j=0;j<AES_BLK_BYTES;j++)66
ct[i+j-AES_BLK_BYTES] = x[j] ^ T[j];67
}68
}69
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
13
Copyright © 2008 IEEE. All rights reserved.
Annex D1
(informative)2
Rationale and design choices3
D.1 Purpose4
This annex provides some background material regarding design choices that were made in XTS-AES and5
the rationale behind these choices.6
D.2 Transparent encryption7
The starting point for this standard is a requirement that the transform be usable as transparent encryption.8
That is, it should be possible to insert an encryption/decryption module into existing data paths without9
having to change the data layout or message formats of other components on these data paths. In particular,10
transparent encryption can be implemented to occur in the host, along the data path from host to storage11
device, and inside the storage device, all without the need to modify the data transmission protocols or the12
layout of the data on the media. In the context of encryption by sector-level storage devices, this13
requirement translates into the following two constraints:14
1) The transform must be length-preserving, namely the length of the ciphertext must equal that15
of the plaintext. This means that the transform must be deterministic, and that it cannot store16
an authentication tag along with the ciphertext.17
2) The transform must be applicable to individual data-units (or sectors) independently of other18
data-units and in arbitrary order. This means that no chaining between different data-units is19
possible. This requirement stems from the need to support random access to the encrypted20
data. For example, encryption mode that chains multiple data units requires reading of21
several data units to decrypt a single unit.22
23
Two solutions that were rejected by the group as insecure were to use either counter (CTR) mode or cipher24
block chaining (CBC) mode, deriving the IV from the sector number.25
26
⎯ Using CTR without authentication tags is trivially malleable, and an adversary with write access to27
the encrypted media can flip any bit of the plaintext simply by flipping the corresponding28
ciphertext bit.29
⎯ For CBC, an adversary with read/write access to the encrypted disk can copy a ciphertext sector30
from one position to another, and an application reading the sector off the new location will still31
get the same plaintext sector (except perhaps the first 128 bits). For example, this means that an32
adversary that is allowed to read a sector from the second position but not the first can find the33
content of the sector in first position by manipulating the ciphertext.34
⎯ For CBC, an adversary can flip any bit of the plaintext by flipping the corresponding ciphertext bit35
of the previous block, with the side-effect of “randomizing” the previous block.36
The XTS-AES transform was chosen because it offers better protection against ciphertext manipulations37
and cut-and-paste attacks. It is important to realize, however, that regardless of the method used for38
encryption, the constraints above imply some inherent limitations on the level of security that can be39
achieved by such transform. As shown in the paragraphs that follow, these constraints imply that the best40
achievable security is essentially what can be obtained by using ECB mode with a different key per block41
(and using a cipher with wide blocks).42
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
14
Copyright © 2008 IEEE. All rights reserved.
1
Specifically, since there are no authentication tags, any ciphertext (original or modified by adversary) will2
be decrypted as some plaintext and there is no built-in mechanism to detect alterations. The best that can be3
done is to ensure that any alternation of the ciphertext will completely randomize the plaintext, and rely on4
the application that uses this transform to include sufficient redundancy in its plaintext to detect and discard5
such random plaintexts.6
7
Also, since this transform is deterministic, encrypting the plaintext twice with the same key and the same8
position will yield the same ciphertext. Moreover, since there is no chaining, an adversary can “mix and9
match” ciphertext units and get the same “mix and match” of their corresponding plaintext units. (Namely,10
if C0C1…Cm is encryption of P0P1…Pm and C′0C′1…C′m is encryption of P′0P′1…P′m then C0C′1…Cm is11
encryption of P0P′1…Pm.)12
13
The above “mix and match” weakness can be mitigated to some extent by using some context information14
in the encryption and decryption processes. In the case of sector-level encryption, the only context15
information that can be assumed to be available at both encryption and decryption is the (logical) position16
of the current data unit (as seen by the encryption/decryption module).5
Incorporating the position17
information into the encryption and decryption routines makes it possible to cryptographically hide the fact18
that the same unit is written in two different places, and also prevents “mix and match” between different19
positions. But as mentioned previously, even the best implementation of encryption by a sector-level20
storage device leaves several vulnerabilities. Three of these vulnerabilities are illustrated as follows:21
22
⎯ Traffic analysis. Consider an adversary that is able to passively observe the communication23
between the encrypting device and the disk. Since encryption is deterministic, this adversary is24
able to observe when a certain sector is written back to disk with a different value than was25
previously read from disk. This capability may help the adversary in mounting an attack based on26
traffic analysis.27
⎯ Replay. An adversary with read/write access to the encrypted disk can observe when a certain28
sector changes on the disk and then reset it to any one of its previous values. (Notice that this29
attack is not specific to transparent encryption; it may work even when using randomized30
encryption with authentication tags.)31
⎯ Randomizing a sector. Since there are no authentication tags, an adversary with write access to32
the encrypted disk can write an arbitrary ciphertext to any sector, causing an application that reads33
this sector to see a “random” plaintext instead of the value that was written to that sector. The34
behavior of the application on such “random” plaintext may be beneficial to the adversary.35
When using transparent encryption, one must therefore address these vulnerabilities by means outside the36
scope of this standard.37
D.3 Wide vs. narrow block tweakable encryption38
In light of the previous discussion, the required interfaces of the transform are encryption and decryption39
routines as shown in Equation (5):40
C = Enc(K, P, i) and P = Dec(K, C, i) (5)41
42
where43
plaintext P and ciphertext C have the same length (i.e., the length of a single sector)44
K is the secret encryption key45
i represents the position information46
47
5
On the other hand, parameters like “time of encryption” cannot be used as context information, since the decryption procedure
typically has no way of obtaining that information.
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
15
Copyright © 2008 IEEE. All rights reserved.
The best security that one can hope for with such transform is that it looks to an adversary like a block1
cipher with block size equal to the sector size, and with different and independent keys for different values2
of i. Such a construct is called a “tweakable cipher” in the cryptographic literature. It was first defined3
formally by Liskov et al. in [B5].4
5
Several constructions that achieve these properties exist in the cryptographic literature (e.g., see Halevi et.6
al. [B1], [B2], [B3], and a construction based on Naor et. al. [B8]). All these constructions, however, are7
rather expensive, requiring buffering of at least one sector worth of intermediate results and at least two8
passes over the entire sector.6
A cheaper alternative can be obtained by relaxing the requirement that the9
transform looks like a cipher with a wide (e.g., sector-length) block-size. Instead, one can work with10
narrow blocks of 128 bits, but still insist that different blocks (whether in the same or in different sectors)11
look to an adversary like they were encrypted with different independent keys.12
13
Giving up the dependencies between different 128-bit blocks allows greater efficiency. The price for that,14
however, is that the attacks described in D.2 are now possible with finer granularity. Namely, whereas the15
adversary against a wide-block encryption scheme can do traffic analysis or replay with granularity of one16
sector, the adversary against a narrow-block encryption scheme can work with granularity of 128-bit17
blocks. Still, the consensus in the P1619 workgroup was that the added efficiency warrants this additional18
risk. Since these risks exist even with wide-block encryption—albeit with a coarser granularity—one would19
still need some other mechanisms for addressing them, and in many cases the same mechanisms can be20
used also for addressing these risks in their fine-grained form.21
22
D.4 XEX construction23
D.4.1 General XEX transform24
25
In [B10], Rogaway described a construction of a narrow-block tweakable cipher from a standard cipher26
such as AES. That construction works as follows: the tweakable cipher uses two keys, K1 and K2, both27
used as keys for the underlying cipher Enc(K, data)/Dec(K, data). Given a plaintext block P and the tweak28
value, the tweak is parsed as a pair (s,t) (s can be thought of as the sector number and t as the block number29
within the sector). The construction first computes a mask value T using Equation (6):30
31
T = Enc(K2, s) ⊗ αt
(6)32
33
where34
the multiplication is in GF(2n
) (with n being the block-size of the underlying cipher)35
α is a primitive element of GF(2n
)36
37
Given plaintext P, ciphertext C is produced by Equation (7):38
39
C = Enc(K1, P ⊕ T) ⊕ T (7)40
41
Given ciphertext C, the plaintext P is produced Equation (8):42
43
P = Dec(K1, C ⊕ T) ⊕ T (8)44
45
6
At least some of this overhead appears to be inherent: Since these schemes insist on a block cipher with “wide block” (i.e., as wide
as an entire sector), then every bit of ciphertext must “strongly depend” on every bit of plaintext and vice versa. This means in
particular that no bit of output can be produced until all the input bits were processed by the block cipher.
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
16
Copyright © 2008 IEEE. All rights reserved.
D.4.2 Security of general XEX transform1
The security analysis of generic XEX transform in Rogaway [B10] shows that this mode is secure as long2
as the number of blocks that are encrypted under the same key is sufficiently smaller than the birthday3
bound value of 2n/2
, where n is the block size in bits of the underlying block cipher. Some attacks become4
possible when the number of blocks approaches the 2n/2
value.5
6
The adversary analyzed in Rogaway [B10] can make arbitrary encryption and decryption queries to the7
tweakable cipher, using arbitrary tweak values. These queries are answered either by the construction8
above, or by a truly random collection of permutations and their inverses over {0,1}n
(a different,9
independent permutation for every value of the tweak), and the adversary’s goal is to determine which is10
the case. Rogaway proved in [B10], Theorem 8 that an adversary that makes at most q such queries cannot11
distinguish these two cases with advantage more than 4.5 q2
/2n
+ ε over a random guess (where ε is an error12
term that expresses the advantage of distinguishing the underlying cipher from a random permutation using13
q queries and n is the block size in bits of the underlying block cipher).14
15
To explain the relevance of this analysis to the security of a real-world usage of the XTS-AES transform,16
the first argument is that no realistic adversary would have more information than the adversary in the17
attack model that is described in the analysis. This follows from the fact that adversary in Rogaway [B10]18
is assumed to be able to choose all the plaintext and ciphertext that is fed to the construction. Since the19
theorem (Rogaway [B10], Theorem 8) says that no adversary in that model can distinguish the construction20
from a collection of random permutations, it follows that no realistic adversary can distinguish between21
these cases with any significant advantage. This, in turn, means that an attack would be just as successful22
against a collection of truly random permutations, one per each 128-bit block, as it would be against XEX.23
24
It follows that when analyzing the security of an application that uses the above scheme, one can think of25
the encryption as if it was done using a collection of truly random 128-bit permutations. When faced with26
such a collection of truly random permutations, the only information that the adversary has is the following:27
28
⎯ The same plaintext with the same tweak value will always be encrypted to the same ciphertext (cf.29
the traffic analysis attack from above).30
⎯ The same ciphertext with the same tweak value will always be decrypted to the same plaintext (cf.31
the replay attack from above).32
⎯ Any other ciphertext (plaintext) will be decrypted (encrypted) to a random value (cf. the33
randomizing attack from above).34
35
In other words, the proof in Rogaway [B10] implies that except for the “error term” of 4.5 q2
/2n
+ ε, the36
only attacks that are possible against XEX are the ones that are inherent from the use of transparent37
encryption with the granularity of n-bit blocks, where n is the block size in bits of the underlying cipher.38
39
Some attacks against XEX are possible when the number of blocks q approaches the birthday bound. For40
example, consider a known-plaintext attack where the adversary sees q tuples of tweak, plaintext, and41
ciphertext. For each such tuple [(si,ti), Pi, Ci], denote by Ti the mask value that is computed from the tweak42
(si,ti).43
44
From the birthday bound it follows that when q approaches 2n/2
, there is a non-negligible probability that45
for some i,j there is a collision of the form shown in Equation (9):46
47
Pi ⊕ Ti = Pj ⊕ Tj. (9)48
49
In this case, it also holds that [see Equation (10)]:50
51
Ci ⊕ Ti = Enc(K1, Pi ⊕ Ti) = Enc(K1, Pj ⊕ Tj) = Cj ⊕ Tj. (10)52
53
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
17
Copyright © 2008 IEEE. All rights reserved.
Summing these two equalities implies1
2
Pi ⊕ Ci = Pj ⊕ Cj3
4
This can be used to distinguish XEX from a collection of truly random permutations. The adversary5
computes for all i the sum Si = Pi ⊕ Ci and counts the number of pairs (i,j) for which Si = Sj. The argument6
above implies that for any i,j, the probability that Si = Sj in ciphertext produced by XEX is roughly7
2–n
+2–n
= 2–n+1
, where the first term is due to collision between i and j and the second term is due to equality8
Si = Sj without a collision. On the other hand, for truly random permutation the probability of Si = Sj is9
exactly 2–n
, and hence after observing roughly 2n/2
tuples [(si,ti), Pi, Ci] it is possible to distinguish10
ciphertext produced by XEX from a random sequence with non-negligible probability.11
12
Given a collision between i and j as above, the following approach shows how the adversary can use his13
ability to create legally encrypted data for position i and ability to modify ciphertext in position j to modify14
the ciphertext at j so it will decrypt to an arbitrary adversary-controlled value.15
16
As above, the adversary begins by computing the sums Si = Ci ⊕ Pi and uses any equality Si = Sj as an17
evidence of collision between i and j. Denote by [(si,ti), Pi, Ci], [(sj,tj), Pj, Cj] the corresponding tweak,18
plaintext, and ciphertext values.19
20
For some Δ ≠ 0, the adversary encrypts a new value P'i = Pi ⊕ Δ in position (si,ti), observes the21
corresponding ciphertext C'i, and replaces the ciphertext block Cj by:22
23
C'j = Cj ⊕ (Ci ⊕ C'i).24
25
This new ciphertext block will be decrypted as P'j = Pj ⊕ Δ. In other words, the adversary succeeded in26
“flipping” specific bits in plaintext corresponding to location j. To see this, observe Equation (11):27
28
C'j ⊕ Tj = Cj ⊕ (Ci ⊕ C'i) ⊕ Tj (11)29
= C'i ⊕ (Ci ⊕ Cj) ⊕ Tj30
= C'i ⊕ (Ti ⊕ Tj) ⊕ Tj [follows from Equation (10)]31
= C'i ⊕ Ti32
33
Therefore:34
35
Dec(K1, C'j ⊕ Tj) = Dec(K1, C'i ⊕ Ti)36
37
which implies that:38
39
P'j = Tj ⊕ Dec(K1, C'j ⊕ Tj)40
= Tj ⊕ Dec(K1, C'i ⊕ Ti) [follows from Equation (11)]41
= (Tj ⊕ Ti) ⊕ [Ti ⊕ Dec(K1, C'i ⊕ Ti)]42
= (Tj ⊕ Ti) ⊕ P'i43
= (Tj ⊕ Ti) ⊕ (Pi ⊕ Δ)44
= ((Tj ⊕ Ti) ⊕ Pi) ⊕ Δ45
= Pj ⊕ Δ.46
47
D.4.3 XTS-AES as a specific instantiation of general XEX48
The XTS-AES-128 and XTS-AES-256 transforms described in this standard are concrete instantiations of49
the XEX scheme with AES as the underlying block cipher, and thus using n = 128 as the block length. A50
data unit sequence number (i.e., relative position) is used as a tweak in order to allow for copy or backup of51
a key scope or partial key scope of data encrypted with XTS-AES-[128,256] without re-encryption. In52
contrast to the generic XEX construction described in Rogaway [B10] that uses a single key, the XTS-53
The XTS-AES Tweakable Block Cipher
An Extract from IEEE Std 1619-2007
18
Copyright © 2008 IEEE. All rights reserved.
AES-128 and XTS-AES-256 modes in this standard use separate keys for tweaking and encryption1
purposes. This separation is a specific example of separation of key usage by purpose and is considered a2
good security design practice (see NIST Key Management Guidelines [B9], part 1, Section 5.2).3
4
The expression 4.5 q2
/2n
is small enough as long as q is not much more than 240
. The proof from Rogaway5
[B10] yields strong security guarantee as long as the same key is not used to encrypt much more than a6
terabyte of data (which gives q = 236
blocks). For this case, no attack can succeed with probability better7
than 2–53
(i.e., approximately one in eight quadrillion).8
9
This security guarantee deteriorates as more data is encrypted under the same key. For example, when10
using the same key for a petabyte of data, attacks such as in D.4.2 have success probability of at most11
approximately 2–37
(i.e., approximately eight in a trillion), and with exabyte, of data the success probability12
is at most approximately 2–17
(i.e., approximately eight in a million).13
14
The decision on the maximum amount of data to be encrypted with a single key should take into account15
the above calculations together with the practical implication of the described attack (e.g., ability of the16
adversary to modify plaintext of a specific block, where the position of this block may not be under17
adversary’s control).18
D.5 Sector-size that is not a multiple of 128 bits19
The generic XEX transform as described in Rogaway [B10] immediately implies a method for encrypting20
sectors that consist of an integral number of 128-bit blocks: apply the transform individually to each 128-21
bit block, but use the block number in the sector as part of the tweak value when encrypting that block.22
This method is applicable to the most common sector sizes (such as 512 bytes or 4096 bytes). However, it23
does not directly apply to sector sizes that are not an integer multiple of 128-bit blocks (e.g., 520-byte24
sectors).25
26
To encrypt a sector with a length that is not an integral number of 128-bit blocks, the standard uses the27
“ciphertext-stealing” technique similar to the one used for ECB mode (see Meyer et. al. [B7], Figure 2-22).28
Namely, both XTS-AES-128 and XTS-AES-256 encrypt all the full blocks except the last full block (with29
different tweak values for each block), and then encrypt the last full block together with the remaining30
partial block using two applications of the XTS-AES-blockEnc procedure described in 5.3.1 with two31
different tweak values, as described in 5.3.2.32
D.6 Miscellaneous33
Following are general remarks about appropriate use of the XTS-AES transform:34
35
⎯ When analyzing the security of an application that uses this standard, one must consider the36
methods that were used to generate the keys. As with every cryptographic algorithm, it is37
important that the secret-key used for XTS-AES-[128,256] be chosen at random (or from a38
“cryptographically strong” pseudo-random source). Indeed, all security guarantees (including the39
security claims of the theorem from Rogaway [B10]) are null and void if the key is chosen from a40
low entropy source. The issues of strong pseudo-randomness and key-generation are outside the41
scope of this standard. For further information, see NIST Key Management Guidelines [B9].42
⎯ Use of a single cryptographic key for more than a few hundred terabytes of data opens possibility43
of attacks, as described in D.4.3. The limitation on the size of data encrypted with a single key is44
not unique to this standard. It comes directly from the fact that AES has a block size of 128 bits45
and is not mitigated by using AES with a 256-bit key.46
47
48
49