Plaintext Recovery Attacks Against XTS Beyond Collisions

  • Conference paper
Selected Areas in Cryptography – SAC 2019 (SAC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11959)


Abstract

\(\mathsf {XTS}\) is a popular encryption scheme for storage devices standardized by IEEE and NIST. It is based on Rogaway’s \(\mathsf {XEX}\) tweakable block cipher and is known to be secure up to collisions between blocks, that is, up to around \(2^{n/2}\) blocks for n-bit blocks. However, this only implies that the theoretical indistinguishability notion is broken with \(O(2^{n/2})\) queries; it says nothing about the practical risk of plaintext recovery when \(\mathsf {XTS}\) is targeted. We show several plaintext recovery attacks against \(\mathsf {XTS}\) beyond collisions and evaluate their practical impact.


Notes

  1. Here it means an attack with decryption queries of any chosen ciphertext and does not mean a combination with chosen-plaintext attack.

  2. Using Floyd’s cycle-finding algorithm [7], this attack is feasible with the same complexity and negligible memory.

  3. https://www.veracrypt.fr/en/Home.html

  4. https://www.jetico.com/data-encryption

  5. http://truecrypt.sourceforge.net/

  6. https://www.ciphershed.org/

  7. https://wiki.archlinux.org/index.php/dm-crypt

References

  1. Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 456–467. ACM (2016)

  2. Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)

  3. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on iterated Even-Mansour encryption schemes. J. Cryptol. 29(4), 697–728 (2016)

  4. Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_21

  5. Dworkin, M.: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. Standard, National Institute of Standards and Technology (2010)

  6. Ferguson, N.: AES-CBC + Elephant diffuser - A Disk Encryption Algorithm for Windows Vista (2006)

  7. Floyd, R.W.: Nondeterministic algorithms. J. ACM 14(4), 636–644 (1967)

  8. Fouque, P.-A., Joux, A., Mavromati, C.: Multi-user collisions: applications to discrete logarithm, Even-Mansour and PRINCE. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 420–438. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_22

  9. Halevi, S.: Storage Encryption: A Cryptographer’s View. Invited Talk at SCN 2008 (2008)

  10. Hoang, V.T., Tessaro, S., Thiruvengadam, A.: The multi-user security of GCM, revisited: tight bounds for nonce randomization. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, New York, NY, USA, pp. 1429–1440. ACM (2018)

  11. Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. Standard, IEEE Security in Storage Working Group

  12. Khati, L., Mouha, N., Vergnaud, D.: Full disk encryption: bridging theory and practice. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 241–257. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_14

  13. Leurent, G., Sibleyras, F.: The missing difference problem, and its applications to counter mode encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 745–770. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_24

  14. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3

  15. Minematsu, K.: Improved security analysis of XEX and LRW modes. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 96–113. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74462-7_8

  16. Mouha, N., Luykx, A.: Multi-key security: the Even-Mansour construction revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 209–223. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_10

  17. Nikolić, I., Wang, L., Wu, S.: Cryptanalysis of round-reduced LED. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 112–129. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_7

  18. Rogaway, P.: Evaluation of some blockcipher modes of operation. CRYPTREC Report (2011)

  19. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2


Acknowledgments

The authors would like to thank the anonymous referees of SAC 2019 for their insightful comments and suggestions. Takanori Isobe is supported by Grant-in-Aid for Scientific Research (B) (KAKENHI 19H02141) for Japan Society for the Promotion of Science.

Corresponding authors

Correspondence to Takanori Isobe or Kazuhiko Minematsu.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Isobe, T., Minematsu, K. (2020). Plaintext Recovery Attacks Against XTS Beyond Collisions. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science, vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_5


  • DOI: https://doi.org/10.1007/978-3-030-38471-5_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5

  • eBook Packages: Computer Science, Computer Science (R0)
