The XTS-AES Disk Encryption Algorithm and the Security of Ciphertext Stealing

摘要

This paper describes the importance of the XTS-AES encryption mode of operation and concludes with a new proof for the security of ciphertext stealing as used by XTS-AES. The XTS-AES mode is designed for encrypting data stored on hard disks where there is not additional space for an integrity field. Given this lack of space for an integrity field, XTS-AES builds on the security of AES by protecting the storage device from many dictionary and copy/paste attacks. The operation of the XTS mode of AES is defined in the IEEE 1619-2007 standard [3], and has been adopted by the U.S. National Institute of Standards and Technology (NIST) as an approved mode of operation under FIPS 140-2 [2]. XTS-AES builds on the XEX (Xor-Encrypt-Xor) mode originally proposed by Rogaway [8].