4

I've found a lot of information about operation modes such as ECB, CBC, CTR, OFB and CFB. These modes are described precisely, but I'm not able to find information about XTS. The Wiki article is the only thing I found on the internet, but I still don't understand it.

Can someone explain how this mode works? Do you know any good sources? Is it correct that XTS is only used for FDE?

maxeh
  • Could you elaborate what you don't understand from the wiki? – RoraΖ Oct 06 '15 at 11:47
  • In the XTS mode you need 2 keys (key1, key2) that are created out of the cipher key (split in half). If you have a 128-bit cipher key you will get 2 new 64-bit keys, but you need key1 to have 128 bits for the encryption. So how exactly are the keys created? Moreover, I don't understand the purpose of the variables "i" and "a" (alpha). What is the value of "i" and "a"? The variable "i" is multiplied by "a" after each block encryption. How does this multiplication work? – maxeh Oct 07 '15 at 06:35

1 Answer

7

Your last question first: yes, XTS is only recommended for full-disk encryption. That is what it was designed for by the IEEE Standard 1619.

How does the mode work?

XTS builds on top of XEX, designed by Phillip Rogaway, and extends this by a tweak value and ciphertext stealing. The mode defined by IEEE uses an AES cipher; in fact, AES is used twice. Simplified (without i and alpha), the tweak value is encrypted, then XORed with the plaintext block. That result is then AES encrypted again, this time with the other key, and that result is XORed again with the encrypted tweak. This gives you the ciphertext block. Now the tweak is a value that specifies where in the disk block (could be confusing, FDE talks about blocks in the case of cryptography and in the case of disk management). As you can see, there is no direct link from one ciphertext block to the following one. This is why some refer to XTS as an ECB-like cipher with some of the negative consequences that come from it.

So how exactly are the keys created?

That's not really the business of XTS; just like other modes, it does not care about how the cryptographic key material is created. However, if you refer to the specialty of the "two keys in one", that is a simple split into two halves. Since the IEEE standard names AES, the example you gave yourself won't work. In fact, XTS is specified as XTS-256 (2x AES-128) and XTS-512 (2x AES-256).

Further sources

If you would like to read more, I suggest you try to get hold of the IEEE Std. 1619. Otherwise read Phillip Rogaway's Evaluation of Some Blockcipher Modes of Operation, a report written for CRYPTREC 2011.

Zonk
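The construction described in the answer, together with the "i" and alpha asked about in the comments, as an added Go example (not code from the answer or from IEEE Std. 1619): the sector number i is encrypted with key2 to form the tweak, and the tweak is multiplied by alpha in GF(2^128) once per 16-byte block. It assumes sectors made of whole blocks, so ciphertext stealing is left out; `mulAlpha` and `xtsSector` are names chosen here, and the all-zero key and data are constructed sample input.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// mulAlpha multiplies the tweak by alpha (the polynomial x) in GF(2^128): shift the
// little-endian 128-bit value left one bit; a bit shifted out is folded back as 0x87.
func mulAlpha(t *[16]byte) {
	lo, hi := binary.LittleEndian.Uint64(t[:8]), binary.LittleEndian.Uint64(t[8:])
	binary.LittleEndian.PutUint64(t[:8], lo<<1^(hi>>63)*0x87)
	binary.LittleEndian.PutUint64(t[8:], hi<<1|lo>>63)
}

// xtsSector encrypts or decrypts one sector; key is key1||key2, sector is "i".
func xtsSector(key []byte, sector uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%16 != 0 || (len(key) != 32 && len(key) != 64) {
		return nil, fmt.Errorf("xts: need whole 16-byte blocks and a 32- or 64-byte key")
	}
	k1, _ := aes.NewCipher(key[:len(key)/2]) // key1 encrypts data (length checked above)
	k2, _ := aes.NewCipher(key[len(key)/2:]) // key2 only encrypts the tweak
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector)
	k2.Encrypt(t[:], t[:]) // T = E_key2(i)
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += 16 {
		blk := out[off : off+16]
		for b := range blk {
			blk[b] = in[off+b] ^ t[b] // XOR with the tweak before the cipher
		}
		if decrypt {
			k1.Decrypt(blk, blk)
		} else {
			k1.Encrypt(blk, blk)
		}
		for b := range blk {
			blk[b] ^= t[b] // XOR with the same tweak afterwards
		}
		mulAlpha(&t) // block j+1 of the sector uses T * alpha^(j+1)
	}
	return out, nil
}

func main() {
	ct, _ := xtsSector(make([]byte, 32), 0, make([]byte, 32), false) // constructed input
	fmt.Printf("%x\n", ct) // two identical plaintext blocks, two different ciphertext blocks
}
```

Encrypting the same plaintext at the same sector and block position always yields the same ciphertext, which is the ECB-like property the answer mentions; only the position-dependent tweak separates otherwise identical blocks.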