Paper 2016/1114

Full Disk Encryption: Bridging Theory and Practice

Louiza Khati, Nicky Mouha, and Damien Vergnaud


We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. MAJOR revision.CT-RSA 2017: Topics in Cryptology -- CT-RSA 2017
disk encryption theoryfull disk encryptionFDEXTSIEEE P1619unique first blockdiversifierprovable security
Contact author(s)
nicky @ mouha be
2017-02-22: revised
2016-11-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Louiza Khati and Nicky Mouha and Damien Vergnaud},
      title = {Full Disk Encryption: Bridging Theory and Practice},
      howpublished = {Cryptology ePrint Archive, Paper 2016/1114},
      year = {2016},
      doi = {10.1007/978-3-319-52153-4_14},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.