Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [xts]

XTS is a block cipher mode of operation, which is most commonly used when random accessible data (like a hard disk or RAM) is to be encoded.

XTS is a block cipher mode of operation, which is most commonly used when random accessible data (like a hard disk or RAM) is to be encoded.

In January 2010, XTS-AES was added by NIST in SP800-38E: "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices."

48 questions
37
votes
1 answer

What is the advantage of XTS over CBC mode (with diffuser)?

I have some problems in understanding the "advantage" of AES-XTS compared to CBC with diffuser. I read something about FileVault, in this paper they mention the two modes of operations XTS and CBC (with diffuser) and the advantages of XTS. Both…
tommynogger
  • 473
  • 1
  • 4
  • 4
26
votes
2 answers

Why do we use XTS over CTR for disk encryption?

I'm taking Prof. Boneh's crypto class from Coursera, and am unsure on the requirement for XTS mode for disk encryption. It seems that CTR mode would do exactly what XTS can do, but is simpler to implement? In either mode, I will use the disk sector…
shrek
  • 363
  • 3
  • 5
9
votes
1 answer

Is AES-XTS considered safe to encrypt multiple files with the same keys?

I was wondering if changing the cipher mode to AES-XTS in EncFS would be a sound idea. EncFS uses AES in CBC mode until the last 1KB block, and CFB mode for the last block if len(block) < 1KB. This ensures that len(plaintext) == len(ciphertext).…
cntzero
  • 93
  • 1
  • 6
9
votes
1 answer

Effect of ESSIV when used with XTS

I looked everywhere on the web and I did find a lot of information about full disk encryption, but nothing really answered my question. When formatting a partition to use LUKS, the two most common ciphers…
JoeyBF
  • 193
  • 1
  • 5
7
votes
1 answer

Is it problematic to use PBKDF2-HMAC-SHA256 to derive a 512-bit XTS key?

PBKDF2 should only be used to generate a larger output than the hash function it uses if the output is used in such a way that it has a flat keyspace. As far as I am aware, XTS does not have a flat keyspace, and the first half of the input is far…
forest
  • 15,626
  • 2
  • 49
  • 103
7
votes
2 answers

Should I use XTS or GCM to encrypt my hard drives?

I want to start encrypting all of my hard drives, but I don't know whether to choose XTS or GCM mode. Why is it that XTS is recommended (since the most websites I visit use GCM in their HTTPS connection)? So my question is: should I use XTS or GCM,…
blacklight
  • 581
  • 7
  • 13
7
votes
2 answers

Is it possible to tweak AES-GCM so that it is satisfactory for whole-disk encryption (like XTS mode)?

Is it possible to leverage a preexisting implementation of AES-GCM to provide the key security benefits essential for full-disk encryption (similar to AES-XTS)? GCM is a popular encryption mode supported by several libraries and with fast…
user3325588
  • 111
  • 1
  • 7
6
votes
1 answer

How can XTS be used to detect the presence of TrueCrypt hidden volumes?

According to a thread on the VeraCrypt discussion forum, and a single-post followup, it is possible to detect the presence of a hidden volume in certain conditions due to a flaw in the cryptography or the way it is used, rather than a flaw in the…
forest
  • 15,626
  • 2
  • 49
  • 103
6
votes
1 answer

How many blocks can securely be encrypted with XTS

I could not find in the NIST recommendations on XTS how many blocks can securely be encrypted with XTS-AES. Through the recommendations, I've found: The length of the data unit for any instance of an implementation of XTS-AES shall not exceed…
berendeanicolae
  • 63
  • 7
6
votes
1 answer

Is XTS basically the cheapest form of (secure) double-encryption?

XTS, as given by the below equation, is a mode of operation primarily targeting full-disk encryption scenarios. By the way it works it also doubles the keylength although a meet-in-the-middle attack applies (by enumerating all the whitening values).…
SEJPM
  • 46,697
  • 9
  • 103
  • 214
6
votes
3 answers

Reusing AES-CTR Keys and IVs for File Encryption

I’m implementing some file encryption module with random-access capability and AES-CTR seems the right way to go. I understand that reusing Keys and IVs can expose the file to ‘Stream Cipher Attacks’ when portions of the file are being modified…
Roie Hodara
  • 63
  • 4
5
votes
1 answer

AES-XTS vs AES-CTR for Write Once Storage

I have a disk on which each sector can only be written once (like a journal, only appending is possible). Unused sectors are reported as being filled with zeroes, while used sectors should not be readable without authentication (achieved over a…
nioncode
  • 151
  • 3
5
votes
1 answer

Why was Adiantum chosen over an ARX block cipher in XTS mode?

In Android, Adiantum is an alternative to AES-XTS for devices without AES instructions. I cannot understand the reason for why such a convoluted scheme was chosen. There are 128-bit ARX block ciphers that could have been a drop-in with XTS…
DroidQ
  • 51
  • 1
4
votes
1 answer

XTS or XEX mode?

Modern hardware and software disk encryption uses AES mode of operation. But XTS was designed to "pad" the last block when the disk sector was not divisible by block size. However all typical disk sector sizes are divisible by AES block size…
Crypto_dxb
  • 135
  • 7
4
votes
1 answer

Is AES in XTS mode insecure for data stream encryption?

Can anybody explain to me why AES in XTS mode is supposedly insecure for data stream encryption? I have been unable to find a clear explanation for this.
Legorooj
  • 484
  • 5
  • 18
1
2 3 4