Paper 2015/594

Disk Encryption: Do We Need to Preserve Length?

Debrup Chakraborty, Cuauhtemoc Mancillas-Lopez, and Palash Sarkar

Abstract

In the last one-and-a-half decade there has been a lot of activity towards development of cryptographic techniques for disk encryption. It has been almost canonised that an encryption scheme suitable for the application of disk encryption must be length preserving, i.e., it rules out the use of schemes like authenticated encryption where an authentication tag is also produced as a part of the ciphertext resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalised as the appropriate primitive for disk encryption and it has been argued that they provide the maximum security possible for a tag-less scheme. On the other hand, TESs are less efficient than some existing authenticated encryption schemes. Also TES cannot provide true authentication as they do not have authentication tags. In this paper, we analyze the possibility of the use of encryption schemes where length expansion is produced for the purpose of disk encryption. On the negative side, we argue that nonce based authenticated encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for disk encryption. Finally, we propose a new deterministic authenticated encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggests that BCTR performs significantly better than existing TESs and existing DAE schemes.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
Disk encryptionTweakable Enciphering SchemesDeterministic Authenticated Encryption.
Contact author(s)
debrup @ cs cinvestav mx
History
2015-06-21: received
Short URL
https://ia.cr/2015/594
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/594,
      author = {Debrup Chakraborty and Cuauhtemoc Mancillas-Lopez and Palash Sarkar},
      title = {Disk Encryption: Do We Need to Preserve Length?},
      howpublished = {Cryptology ePrint Archive, Paper 2015/594},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/594}},
      url = {https://eprint.iacr.org/2015/594}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.