Paper 2013/823
Another Look at XCB
Debrup Chakraborty, Vicente Hernandez-Jimenez, and Palash Sarkar
Abstract
XCB is a tweakable enciphering scheme (TES) which was first proposed in 2004. The scheme was modified in 2007. We call these two versions of XCB as XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector oriented storage media in IEEE-std 1619.2 2010. There is no known proof of security for XCBv1 but the authors provided a concrete security bound for XCBv2 and a ``proof'' for justifying the bound. In this paper we show that XCBv2 is not secure as a TES by showing an easy distinguishing attack on it. For XCBv2 to be secure, the message space should contain only messages whose lengths are multiples of the block length of the block cipher. For such restricted message spaces also, the bound that the authors claim is not justified. We show this by pointing out some errors in the proof. For XCBv2 on full block messages, we provide a new security analysis. The resulting bound that can be proved is much worse than what has been claimed by the authors. Further, we provide the first concrete security bound for XCBv1, which holds for all message lengths. In terms of known security bounds, both XCBv1 and XCBv2 are worse compared to existing alternative TES.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Keywords
- Mode of operationTweakable enciphering schemeXCBIEEE 1619.2
- Contact author(s)
- debrup @ cs cinvestav mx
- History
- 2013-12-13: revised
- 2013-12-06: received
- See all versions
- Short URL
- https://ia.cr/2013/823
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2013/823, author = {Debrup Chakraborty and Vicente Hernandez-Jimenez and Palash Sarkar}, title = {Another Look at {XCB}}, howpublished = {Cryptology {ePrint} Archive, Paper 2013/823}, year = {2013}, url = {https://eprint.iacr.org/2013/823} }