Journal of Cryptographic Engineering

, Volume 8, Issue 1, pp 49–69 | Cite as

Disk encryption: do we need to preserve length?

  • Debrup Chakraborty
  • Cuauhtemoc Mancillas López
  • Palash Sarkar
Regular Paper


In the last one and a half decade there has been a lot of activity toward development of cryptographic techniques for disk encryption. It has been almost canonized that an encryption scheme suitable for the application of disk encryption must be length preserving, i.e., it rules out the use of schemes such as authenticated encryption where an authentication tag is also produced as a part of the ciphertext resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalized as the appropriate primitive for disk encryption, and it has been argued that they provide the maximum security possible for a tagless scheme. On the other hand, TESs are less efficient than some existing authenticated encryption schemes. Also TES cannot provide true authentication as they do not have authentication tags. In this paper, we analyze the possibility of the use of encryption schemes where length expansion is produced for the purpose of disk encryption. On the negative side, we argue that nonce-based authenticated encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for disk encryption. Finally, we propose a new deterministic authenticated encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggests that BCTR performs significantly better than existing TESs and existing DAE schemes.


Storage security Disk encryption Tweakable enciphering scheme Deterministic authenticated encryption 



The authors thank the reviewers for their comments and suggestions.


  1. 1.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21(4), 469–491 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Bernstein, D.J.: Polynomial Evaluation and Message Authentication (2007).
  3. 3.
    Bulens, P., Standaert, F.-X., Quisquater, J.-J., Pellegrin, P., Rouvroy, G.: Implementation of the AES-128 on Virtex-5 FPGAs. In: Vaudenay, S. (ed.) AFRICACRYPT, vol 5023 of Lecture Notes in Computer Science, pp. 16–26. Springer, Berlin (2008)Google Scholar
  4. 4.
    CAESAR. Competition for Authenticated Encryption: Security, Applicability, and Robustness.
  5. 5.
    Chakraborty, D., Hernandez-Jimenez, V., Sarkar, P.: Another look at XCB. Cryptogr. Commun. 7(4), 439–468 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Chakraborty, D., Mancillas-López, C.: Double ciphertext mode: a proposal for secure backup. Int. J. Appl. Cryptogr. 2(3), 271–287 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Chakraborty, D., Mancillas-López, C., Rodríguez-Henríquez, F., Sarkar, P.: Efficient hardware implementations of BRW polynomials and tweakable enciphering schemes. IEEE Trans. Comput. 62(2), 279–294 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Chakraborty, D., Mancillas-López, C., Sarkar, P.: STES: A stream cipher based low cost scheme for securing stored data. IEEE Trans. Comput. 64(9), 2691–2707 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Chakraborty, D., Sarkar, P.: A New Mode of Encryption Providing a Tweakable Strong Pseudo-Random Permutation. In: Robshaw, M.J.B. (ed.) Fast Software Encryption 2006, vol 4047 of Lecture Notes in Computer Science, pp. 293–309. Springer, Berlin (2006)Google Scholar
  10. 10.
    Chakraborty, D., Sarkar, P.: HCH: a new tweakable enciphering scheme using the hash-counter-hash approach. IEEE Trans. Inf. Theory 54(4), 1683–1699 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Chakraborty, D., Sarkar, P.: On modes of operations of a block cipher for authentication and authenticated encryption. IACR Cryptol. ePrint Arch. 2014, 627 (2014)Google Scholar
  12. 12.
    Chicoine, P., Hassner, M., Noblitt, M., Silvus, G., Weber, B., Grochowski, E.: Hard disk drive long data sector white paper. The International Disk Drive Equipments and Materials Association (2007).
  13. 13.
    Ferguson, N.: AES-CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista. Microsoft white paper (2006).
  14. 14.
    Halevi, S.: EME\(^{{*}}\): Extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT, vol 3348 of Lecture Notes in Computer Science, pp. 315–327. Springer, Berlin (2004)Google Scholar
  15. 15.
    Halevi, S.: Invertible universal hashing and the TET encryption mode. In: Menezes, A. (ed.) CRYPTO, vol 4622 of Lecture Notes in Computer Science, pp. 412–429. Springer, Berlin (2007)Google Scholar
  16. 16.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO, vol 2729 of Lecture Notes in Computer Science, pp. 482–499. Springer, Berlin (2003)Google Scholar
  17. 17.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA, vol 2964 of Lecture Notes in Computer Science, pp. 292–304. Springer, Berlin (2004)Google Scholar
  18. 18.
    IEEE Std 1619-2007: Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices. IEEE Computer Society (2008). Available at:
  19. 19.
    IEEE Std 1619.2-2010: IEEE Standard for Wide-block Encryption for Shared Storage Media. IEEE Computer Society, March 2011.
  20. 20.
    Iwata, T., Yasuda, K.: BTM: A single-key, inverse-cipher-free mode for deterministic authenticated encryption. In: Jacobson Jr. M.J., Rijmen, V., Safavi-Naini, R. (eds.) Selected Areas in Cryptography, vol 5867 of Lecture Notes in Computer Science, pp. 313–330. Springer, Berlin (2009)Google Scholar
  21. 21.
    Iwata, T., Yasuda, K.: HBS: A single-key mode of operation for deterministic authenticated encryption. In: Dunkelman, O. (ed.) FSE, vol 5665 of Lecture Notes in Computer Science, pp. 394–415. Springer, Berlin (2009)Google Scholar
  22. 22.
    Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) Fast Software Encryption—18th International Workshop, FSE 2011, Lyngby, Denmark, February 13–16, 2011, Revised Selected Papers, vol 6733 of Lecture Notes in Computer Science, pp. 306–327. Springer, Berlin (2011)Google Scholar
  23. 23.
    Liskov, M., Minematsu, K.: Comments on XTS-AES. Comments On The Proposal To Approve XTS-AES (2008)Google Scholar
  24. 24.
    Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.)Proceedings of the Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2002, vol 2442 of Lecture Notes in Computer Science, pp. 31–46. Springer, Berlin (2002)Google Scholar
  25. 25.
    Mancillas-López, C., Chakraborty, D., Rodríguez-Henríquez, F.: Reconfigurable hardware implementations of tweakable enciphering schemes. IEEE Trans. Comput. 59(11), 1547–1561 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    McGrew, D.A., Fluhrer, S.R.: The Extended Codebook (XCB) Mode of Operation. Cryptology ePrint Archive, Report 2004/278 (2004).
  27. 27.
    McGrew, D.A., Fluhrer, S.R.: The security of the extended codebook (XCB) mode of operation. In: Adams, C.M., Miri, A., Wiener, M.J., (eds.) Selected Areas in Cryptography, vol 4876 of Lecture Notes in Computer Science, pp. 311–327. Springer, Berlin (2007)Google Scholar
  28. 28.
    Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes ocb and pmac. In: Lee, P.J. (ed.) ASIACRYPT, vol 3329 of Lecture Notes in Computer Science, pp. 16–31. Springer, Berlin (2004)Google Scholar
  29. 29.
    Rogaway, P., Bellare, M., Black, J.: OCB: a block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur. 6(3), 365–403 (2003)CrossRefGoogle Scholar
  30. 30.
    Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT, vol 4004 of Lecture Notes in Computer Science, pp. 373–390. Springer, Berlin (2006)Google Scholar
  31. 31.
    Sarkar, P.: Improving upon the TET mode of operation. In: Nam, K.-H., Rhee, G. (eds.) ICISC, vol 4817 of Lecture Notes in Computer Science, pp. 180–192. Springer, Berlin (2007)Google Scholar
  32. 32.
    Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. IEEE Trans. Inf. Theory 55(10), 4749–4760 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Sarkar, P.: Tweakable enciphering schemes using only the encryption function of a block cipher. Inf. Process. Lett. 111(19), 945–955 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Cryptogr. Commun. 6(3), 189–231 (2014)Google Scholar
  35. 35.
    S. Technology: Comments on XTS-AES. Comments On The Proposal To Approve XTS-AES (2008)Google Scholar
  36. 36.
    Vasic, B., Despotovic, M., Senk, V.: Recording physics and organization of data on a disk. In: Kurtas, E.M., Vasic, B. (eds.) Coding and Signal Processing for Magnetic Recording Systems, pp. 1–9. CRC Press, Boston (2004)Google Scholar
  37. 37.
    Wang, P., Feng, D., Wu, W.: HCTR: A variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC, vol 3822 of Lecture Notes in Computer Science, pp. 175–188. Springer, Berlin (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.Cryptology and Security Research UnitIndian Statistical InstituteKolkataIndia
  2. 2.Department of Computer ScienceCINVESTAV-IPNMexico CityMexico
  3. 3.Applied Statistics UnitIndian Statistical InstituteKolkataIndia

Personalised recommendations