## Cryptology ePrint Archive: Report 2019/825

Plaintext Recovery Attacks against XTS Beyond Collisions

Takanori Isobe and Kazuhiko Minematsu

Abstract: XTS is an encryption scheme for storage devices standardized by IEEE and NIST. It is based on Rogaway's XEX tweakable block cipher and is known to be secure up to the collisions between the blocks, thus up to around $2^{n/2}$ blocks for $n$-bit blocks. However this only implies that the theoretical indistinguishability notion is broken with $O(2^{n/2})$ queries and does not tell the practical risk against the plaintext recovery if XTS is targeted. We show several plaintext recovery attacks against XTS beyond collisions, and evaluate their practical impacts.

Category / Keywords: secret-key cryptography / XTS, Storage encryption, Mode of operation, Even-Mansour Cipher

Original Publication (in the same form): SAC 2019