How to Implement Authenticated Encryption on XTS-Enabled Devices
Akiko Inoue, Kazuhiko Minematsu, Rei Ueno, Naofumi Homma


Introduction

iXTS provides authenticated encryption (AE) for XTS-enabled devices. It improves storage, cloud, and memory security by addressing XTS's limited confidentiality and lack of integrity.


Abstract

XTS is a block cipher mode for storage encryption. IEEE and NIST have standardized it, and it is widely deployed in real-world applications, including FileVault2, BitLocker, and dm-crypt. However, it is well known that XTS provides limited confidentiality and no integrity. XTS prevents simple attacks, e.g., information extraction from a stolen device. However, applications of XTS are expanding, such as cloud storage and CPU memory, where this issue implies a significant security threat. To address this issue, we propose iXTS, a family of black-box conversion methods of XTS into an authenticated encryption (AE). To make our proposal usable in practice, we need to assume that the only controllable part of the XTS engine is the plaintext input, because the XTS engine’s ciphertext output is typically directly connected to the storage device and we assume the adversary is able to access the device directly, in addition to the black-box access to the engine. It is also desirable that the conversion could be done without the knowledge of the internal XTS key and without touching it. These constraints pose non-trivial technical challenges, and iXTS is the first effective solution meeting these constraints. We prove that each member of iXTS achieves n/2-bit security as a randomized AE using an n-bit block cipher. This security level is equivalent to popular AE modes such as GCM. iXTS is efficient as it requires no additional cryptographic computation beyond the original XTS. Plaintexts are expanded by a small amount, which is necessary for achieving AE. Our benchmarks on Intel platforms with AES-NI demonstrated that iXTS incurs only minor computation overhead from the underlying XTS.
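The abstract's statement that XTS gives limited confidentiality and no integrity can be observed at the level of the mode itself. The following is an added example, not code from the paper, and it does not implement iXTS: it runs an XTS-style tweaked mode over a stand-in 128-bit block cipher (a SHA-256 Feistel network, an assumption used in place of AES), without ciphertext stealing, on constructed keys and sector contents.

```python
import hashlib
BLOCK = 16  # bytes; XTS operates on 128-bit blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, i, half):  # Feistel round function: SHA-256 stand-in, NOT AES
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def _mul_alpha(t):  # tweak * x in GF(2^128), little-endian as in IEEE 1619
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "little")

def xts(k1, k2, sector, data, decrypt=False):
    if len(data) % BLOCK:
        raise ValueError("whole blocks only (no ciphertext stealing here)")
    t = block_encrypt(k2, sector.to_bytes(16, "little"))  # per-sector tweak
    cipher = block_decrypt if decrypt else block_encrypt
    out = b""
    for i in range(0, len(data), BLOCK):
        out += _xor(cipher(k1, _xor(data[i:i + BLOCK], t)), t)
        t = _mul_alpha(t)
    return out

def diff_blocks(a, b):  # indices of 16-byte blocks that differ
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

def demo():
    k1, k2, sector = b"constructed-key-1", b"constructed-key-2", 7
    old = b"balance=00000100" + b"owner=alice....." + b"padding-block-02"
    new = old[:16] + b"owner=bob......." + old[32:]
    ct_old, ct_new = xts(k1, k2, sector, old), xts(k1, k2, sector, new)
    deterministic = xts(k1, k2, sector, old) == ct_old  # no nonce: repeats are visible
    leaked = diff_blocks(ct_old, ct_new)  # an observer of the device sees which block changed
    tampered = bytearray(ct_new); tampered[20] ^= 1  # one bit flipped inside block 1
    got = xts(k1, k2, sector, bytes(tampered), decrypt=True)  # decrypts with no error raised
    return deterministic, leaked, diff_blocks(new, got)
```

`demo()` returns whether re-encryption is deterministic, which ciphertext blocks changed after a one-block rewrite, and which plaintext blocks were silently altered by the modified ciphertext.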


Review

This paper addresses a critical security vulnerability inherent in XTS, a widely adopted block cipher mode for storage encryption standardized by IEEE and NIST. While XTS is prevalent in real-world systems like FileVault2, BitLocker, and dm-crypt, it is well-established that it offers only limited confidentiality and entirely lacks integrity protection. The abstract effectively highlights that while XTS can prevent simple attacks on stolen devices, its expanding applications, such as in cloud storage and CPU memory, escalate these limitations into significant security threats. The authors propose iXTS, a novel family of black-box conversion methods designed to transform existing XTS implementations into authenticated encryption (AE) schemes, thereby enhancing their security profile.

The core technical contribution of iXTS lies in its innovative approach to achieving authenticated encryption under highly constrained practical scenarios. The authors specifically tackle the challenge of working with XTS engines where only the plaintext input is controllable, and the ciphertext output is directly connected to a storage device accessible to an adversary. Furthermore, iXTS is designed to operate without requiring knowledge of or modification to the internal XTS key, a crucial factor for real-world deployment on existing devices. These constraints pose non-trivial technical challenges that, according to the authors, iXTS is the first effective solution to meet. The paper rigorously demonstrates that each member of the iXTS family achieves n/2-bit security as a randomized AE using an n-bit block cipher, a security level comparable to established AE modes like GCM.

Beyond its strong theoretical foundations, the proposed iXTS framework emphasizes practical applicability and efficiency. A significant advantage is that it requires no additional cryptographic computation beyond what the original XTS engine already performs, making it highly attractive for retrofitting existing systems. While plaintexts are expanded by a small, necessary amount to achieve authenticated encryption, the computational overhead is shown to be minor. Benchmarks conducted on Intel platforms utilizing AES-NI demonstrate iXTS's impressive performance, reinforcing its viability for real-world deployment. Overall, this paper presents a timely and impactful solution to a well-known security weakness in a ubiquitous encryption standard, offering a provably secure and highly efficient path to integrity-protected storage encryption without requiring fundamental changes to existing hardware or software.


Published in IACR Transactions on Symmetric Cryptology.
