===== NIST: SP 800-34E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices =====
[[dido:public:ra:xapend:xapend.b_stds:tech:nist:start| return to the NIST Standards ]]

<table>
<caption>Data sheet for Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices</caption>
| Title                      | Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices |
| Acronym                    | XTS-AES |
| Version                    | 2010 |
| Series                     | SP   |
| Document Number            | SP 800-38E  |
| Release Date               | January 2010  |
| Download                   | [[https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38e.pdf]] |
</table>

  : **Note**: The following is an excerpt from the official NIST catalog. It is provided here as a convenience and is not authoritative. Refer to the original document as the authoritative reference.

==== Introduction ====


The XTS-AES algorithm is a mode of operation of the Advanced Encryption Standard (AES) ((
Federal Information Processing Standards (FIPS) Publication 197, Announcing the 
Advanced Encryption Standard (AES), U.S. DoC/NIST, Nov. 26, 2001. 
)) 
algorithm.    The  Security  in  Storage  Working  Group  (SISWG)  of  the  P1619  Task  Group  of  the  
Institute of Electrical and Electronics Engineers, Inc (IEEE) developed and specified XTS-AES 
in IEEE Std. 1619-2007 ((
IEEE  Std  1619-2007,  The  XTS-AES  Tweakable  Block  Cipher,  Institute  of  Electrical  and  
Electronics Engineers, Inc., Apr. 18, 2008.
)) .  This Recommendation approves the XTS-AES mode as specified in 
that  standard,  subject  to  one  additional  requirement  on  the  lengths  of  the  data  units,  which  is  
discussed in Section 4 below.     
 
The  XTS-AES  mode  was  designed  for  the  cryptographic  protection  of  data  on  storage  devices  
that  use  of  fixed  length  “data  units,”  as  defined  in  Ref.  ((
IEEE  Std  1619-2007,  The  XTS-AES  Tweakable  Block  Cipher,  Institute  of  Electrical  and  
Electronics Engineers, Inc., Apr. 18, 2008.
)) .    Note  that  other  approved  
cryptographic  algorithms  continue  to  be  approved  for  such  devices.    The  XTS-AES  mode  was  
not designed for other purposes, such as the encryption of data in transit. 
 

The  XTS-AES  mode  is  an  instantiation  of  Rogaway’s  XEX  (XOR  Encrypt  XOR)  tweakable  
block cipher ((
P.  Rogaway,  Efficient  Instantiations  of  Tweakable  Blockciphers  and  Refinements  to  
Modes  OCB  and  PMAC,  Advances  in  Cryptology—Asiacrypt  2004,    Lecture  Notes  in  
Computer Science, vol. 3329, pp. 16-31,  Springer-Verlag, 2004
)), supplemented with a method called “ciphertext stealing” to extend the domain 
of  possible  input  data  strings.    In  particular,  XEX  can  only  encrypt  sequences  of  complete  
blocks, i.e., any data string that is an integer multiple of 128 bits; whereas for XTS-AES, the data 
string may also consist of one or more complete blocks followed by a single, non-empty partial
block.    (The  acronym  XTS  stands  for  the  XEX  Tweakable  Block  Cipher  with  Ciphertext  
Stealing). 
 
The specification of the ciphertext stealing method in Ref.((
IEEE  Std  1619-2007,  The  XTS-AES  Tweakable  Block  Cipher,  Institute  of  Electrical  and  
Electronics Engineers, Inc., Apr. 18, 2008.
))  includes an ordering convention for 
the final complete block and partial block of the encrypted data string.  A different convention, in 
which  the  order  is  swapped,  may  be  desirable  in  some  cases.    The  specification  in  Ref.((
IEEE  Std  1619-2007,  The  XTS-AES  Tweakable  Block  Cipher,  Institute  of  Electrical  and  
Electronics Engineers, Inc., Apr. 18, 2008.
))  
provides  flexibility  in  the  physical  location  of  these  elements,  as  long  as  interoperability  is  not  
compromised, as discussed in Section 5. 

The  XTS-AES  mode  provides  confidentiality  for  the  protected  data.    Authentication  is  not  
provided, because the P1619 Task Group designed XTS-AES to provide encryption without data 

expansion,  so  alternative  cryptographic  methods  that  incorporate  an  authentication  tag  are  
precluded.  In the absence of authentication or access control, XTS-AES provides more 
protection than the other approved confidentiality-only modes against unauthorized manipulation 
of the encrypted data.    

Annex  D  of  Ref.((
IEEE  Std  1619-2007,  The  XTS-AES  Tweakable  Block  Cipher,  Institute  of  Electrical  and  
Electronics Engineers, Inc., Apr. 18, 2008.
))   discusses  in  detail  the  design  choices  for  XTS,  including  the  resistance  to  
manipulation  of  the  encrypted  data,  and  their  ramifications  for  the  incorporation  of  XTS-AES  
into  an  information  system.    Prospective  implementers  of  XTS-AES  should  consider  this  
information  carefully  to  ensure  that  XTS-AES  is  an  appropriate  solution  for  a  given  threat  
model.


/**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/* To add a discussion page to this page, comment out the line that says 
  ~~DISCUSSION:off~~
*/
~~DISCUSSION:on|Outstanding Issues~~
~~DISCUSSION:off~~