XTS Mode Revisited: High Hopes for Key Scopes?

Basic Information

• Paper ID: 2502.18631
• Title: XTS mode revisited: high hopes for key scopes?
• Authors: Milan Brož (Cryptsetup project, Masaryk University), Vladimír Sedláček (Masaryk University)
• Classification: cs.CR (Cryptography and Security)
• Publication Date: October 30, 2025 (arXiv preprint)
• Paper Link: https://arxiv.org/abs/2502.18631

Abstract

This paper provides a concise summary of the XTS block cipher mode employed in sector-based storage encryption applications and elucidates its limitations. Specifically, the paper aims to establish a unified discussion foundation regarding the key scope modifications newly introduced in the IEEE 1619 standard. The article further reflects on potential wide-block cipher modes that may supersede XTS in the future.

Research Background and Motivation

Problem Context

1. Standardization Dilemma: Since the introduction of XTS mode in 2007, it has been widely adopted by BitLocker, VeraCrypt, Cryptsetup, and TCG Opal, yet numerous misconceptions and controversies persist regarding the mode
2. Documentation Accessibility Issue: The existing NIST XTS-AES recommendation only references the paid version of the IEEE standard, making it the sole NIST cryptographic primitive without publicly available documentation
3. Compliance Crisis: The key scope modifications newly introduced in the IEEE 1619-2025 standard will render the vast majority of existing implementations non-compliant, forcing vendors to undertake substantial modifications

Research Motivation

1. Unified Terminology: Provide theoreticians and practitioners with easily comprehensible unified definitions of XTS terminology
2. Clarify Controversies: Explicitly delineate the security limitations of XTS, particularly regarding key scopes, maximum sector sizes, and distinct key requirements
3. Facilitate Discussion: Encourage open constructive dialogue to influence future requirements and recommendations

Core Contributions

1. Provides a unified formal definition of XTS mode, balancing theoretical rigor with practical application requirements
2. Systematically analyzes the security limitations of XTS, including key scopes, sector size constraints, and key independence requirements
3. Thoroughly explores the implications and implementation challenges of key scope modifications in the IEEE 1619-2025 standard
4. Evaluates potential wide-block cipher modes as future alternatives to XTS, providing guidance for long-term development

Methodology Details

Problem Definition

This paper revisits the XTS (XEX-based tweaked-codebook mode with ciphertext stealing) block cipher mode for sector-based storage device encryption, where the input is plaintext sector data and the output is ciphertext data of identical length.

XTS Mode Architecture

Core Definition

The XTS encryption mode employs two symmetric keys K and K_T to encrypt sectors using a block cipher E with 128-bit block size:

C_{N,j} := E_K(P_{N,j} ⊕ T_{N,j}) ⊕ T_{N,j}

Where:

• T_{N,j} := E_{K_T}(N) · α^j is the tweak value
• α is an element x in the finite field F₂¹²⁸
• N is the sector number, j is the block number within the sector

Distinctions from XEX

1. Dual-Key Design: XTS employs two distinct symmetric keys (K for data encryption, K_T for sector number encryption), whereas XEX uses a single key
2. Index Initialization: XTS begins from j=0, while XEX begins from j=1
3. Ciphertext Stealing: XTS permits ciphertext stealing to handle data that is not a multiple of block size

Finite Field Operations

The multiplication operation α corresponds to left-shift operations:

• When a₁₂₇=0: s·α = a₁₂₆a₁₂₅...a₁a₀0
• When a₁₂₇=1: s·α = a₁₂₆a₁₂₅...a₁a₀0 ⊕ 10000111

Threat Model Analysis

Baseline Threat Model

1. "Stolen Device" Model: The adversary has access only to a single ciphertext snapshot
2. TCG Opal Definition: Protects the confidentiality of stored user data, preventing unauthorized access after the device leaves the owner's control

Enhanced Threat Model

1. Repeated Access: The adversary can manipulate ciphertext following repeated access
2. Traffic Analysis: Considers storage scenarios of encrypted images in cloud environments
3. Chosen Ciphertext Attack (CCA): The adversary can query both encryption and decryption oracles

Security Limitation Analysis

Key Scope Limitations

New Standard Requirements

The IEEE 1619-2025 standard stipulates that the maximum number of 128-bit blocks within a key scope is 2³⁶ to 2⁴⁴, namely:

• For fixed XTS keys (K, K_T): S·J ≤ 2³⁶ or S·J ≤ 2⁴⁴
• Corresponding data volumes: 1 TiB to 256 TiB

Security Analysis

Security risks exist when the following condition is satisfied:

P_{N,j} ⊕ T_{N,j} = P_{N',j'} ⊕ T_{N',j'}

Collision probability estimation:

• 1 TiB data: probability approximately 2⁻⁵⁶
• 256 TiB data: probability approximately 2⁻⁴⁰

Maximum Sector Size Limitation

• IEEE 1619 stipulates: The number of 128-bit blocks within a sector shall not exceed 2²⁰ (16 MiB)
• Rarely becomes problematic in practical applications (typical sector size ≤ 4 KiB)

Key Independence Requirement

• FIPS 140-3 mandates K ≠ K_T
• Prevents specific chosen ciphertext attacks

Implementation Strategy Discussion

Key Scope Implementation Strategies

Linear Approach

• Each XTS key sequentially encrypts at most 2⁴⁴ plaintext blocks
• Advantages: Simple implementation
• Disadvantages: Non-uniform key utilization, complex device resizing

Rotation Approach

• Encrypts the N-th sector using the (N mod m)-th XTS key
• Advantages: Uniform key utilization, supports dynamic resizing
• Disadvantages: Requires predefined maximum device size

Key Generation and Management

• Must all keys be generated using approved random number generators?
• Can they be derived from a master key?
• How is it determined which key is used for a specific sector?

Future Development Directions

Limitations of XTS

XTS, like other traditional modes (ECB, CBC, etc.), cannot provide complete diffusion (where each ciphertext bit depends on each plaintext bit) when encrypting data exceeding several blocks.

Alternative Candidate Evaluation

Wide-Block Cipher Mode Candidates

1. EME2: Based on EME design, standardized in IEEE 1619.2, but not widely adopted due to patent concerns
2. Adiantum: Developed by Google, suitable for low-end systems without AES hardware acceleration
3. HCTR2: Constructed based on CTR mode, excellent performance and conservative
4. bbb-ddd-AES: A new mode based on double-deck construction, providing security beyond the birthday bound

Double-Deck Framework

• Flexible framework for constructing wide-block cipher modes with superior properties
• Provides stronger security when the number of tweak reuses is bounded
• Suitable for SSD hardware's limited lifespan and wear-leveling characteristics

Conclusions and Discussion

Main Conclusions

1. Standardization Impact: The key scope modifications in IEEE 1619-2025 will have significant implications for the entire ecosystem
2. Threat Model Diversity: Different application scenarios require consideration of different threat models
3. Implementation Complexity: The introduction of key scopes increases implementation complexity and error potential

Critical Questions

1. Is key scope necessary under weaker threat models?
2. Is key scope sufficient under stronger threat models?
3. Do XTS strengthening schemes exist that do not employ key scopes?
4. How should the implementation details of key scopes be standardized?

Long-Term Recommendations

• Short-term: Maintain XTS constraints in a sustainable state, supporting legacy systems
• Long-term: Focus on newer constructions, such as the double-deck framework

In-Depth Evaluation

Strengths

1. Strong Practicality: Directly addresses standardization issues faced by industry
2. Comprehensive Analysis: Systematically analyzes various aspects and limitations of XTS
3. Forward-Looking: Provides deep reflection on future development directions
4. Balanced Approach: Reconciles theoretical rigor with practical application requirements

Limitations

1. Lack of Experimental Validation: Primarily theoretical analysis, lacking performance comparison experiments
2. Limited Impact on Standard-Setting: As an academic paper, its direct influence on standard-setting may be limited
3. Insufficient Implementation Details: Descriptions of specific implementation schemes for key scopes are relatively general

Impact and Significance

1. Academic Value: Provides an important unified foundation for XTS mode research
2. Industrial Significance: Offers important reference for standard-setting and implementation
3. Timeliness: Timely responds to controversies surrounding IEEE 1619-2025 standard modifications

Applicable Scenarios

1. Standards-Setting Organizations: Provides reference for IEEE, NIST, and other standard-setting bodies
2. Cryptographic Software Developers: Provides guidance for implementing XTS and its alternatives
3. Security Researchers: Provides foundation for further security analysis

References

The paper cites 30 important references, including:

• IEEE 1619 series standard documents
• Rogaway's original XEX papers and analyses
• NIST-related standards and guidance documents
• Major wide-block cipher mode research papers
• Industrial implementation projects (BitLocker, VeraCrypt, etc.)

Overall Assessment: This is a timely and important paper that systematically analyzes the current state and future development of XTS mode. The paper not only clarifies technical details but, more importantly, proposes a constructive discussion framework that holds significant importance for promoting the healthy development of storage encryption standards.