
Disk encryption theory


This mode of operation needs only a single encryption per block and protects against all the above attacks except a minor leak: if the user changes a single plaintext block in a sector then only a single ciphertext block changes. (Note that this is not the same leak the ECB mode has: with LRW mode equal plaintexts in different positions are encrypted to different ciphertexts.)

was designed by Rogaway to allow efficient processing of consecutive blocks (with respect to the cipher used) within one data unit (e.g., a disk sector). The tweak is represented as a combination of the sector address and index of the block within the sector (the original XEX mode proposed by Rogaway allows several indices). The ciphertext,

since stream ciphers require, for their security, that the same initial state not be used twice (which would be the case if a sector is updated with different data); thus this would require an encryption method to store separate initial states for every sector on disk—seemingly a waste of space. The alternative, a
While CBC (with or without ESSIV) ensures confidentiality, it does not ensure integrity of the encrypted data. If the plaintext is known to the adversary, it is possible to change every second plaintext block to a value chosen by the attacker, while the blocks in between are changed to random values.
the IVs are predictable, then an adversary may leave a "watermark" on the disk, i.e., store a specially created file or combination of files identifiable even after encryption. The exact method of constructing the watermark depends on the exact function providing the IVs, but the general recipe is to
These three properties do not provide any assurance of disk integrity; that is, they don't tell you whether an adversary has been modifying your ciphertext. In part, this is because an absolute assurance of disk integrity is impossible: no matter what, an adversary could always revert the entire disk
The mode is susceptible to traffic analysis, replay and randomization attacks on sectors and 16-byte blocks. As a given sector is rewritten, attackers can collect fine-grained (16 byte) ciphertexts, which can be used for analysis or replay attacks (at a 16-byte granularity). It would be possible to
then any ciphertext (original or modified by attacker) will be decrypted as some plaintext and there is no built-in mechanism to detect alterations. The best that can be done is to ensure that any alteration of the ciphertext will completely randomize the plaintext, and rely on the application that
Disk encryption methods are also distinguished into "narrow-block" and "wide-block" methods. For a sector-sized plaintext, a narrow-block method encrypts it in multiple blocks, while a wide-block method does it in just one. Narrow-block methods such as LRW, XES, and XTS allow an attacker to exploit
CMC and EME protect even against the minor leak mentioned above for LRW. Unfortunately, the price is a twofold degradation of performance: each block must be encrypted twice; many consider this to be too high a cost, since the same leak on a sector level is unavoidable anyway.
; no two sectors should be processed in exactly the same way. Otherwise, the adversary could decrypt any sector of the disk by copying it to an unused sector of the disk and requesting its decryption. Whereas a purpose of a usual block cipher

) to 2 AES blocks. According to SP 800-38E, "In the absence of authentication or access control, XTS-AES provides more protection than the other approved confidentiality-only modes against unauthorized manipulation of the encrypted data."
released Special Publication (SP) 800-38E in final form. SP 800-38E is a recommendation for the XTS-AES mode of operation, as standardized by IEEE Std 1619-2007, for cryptographic modules. The publication approves the XTS-AES mode of the
HCTR and HCTR2 use a custom block cipher mode of operation called XCTR; AES-128-XCTR is usually used for HCTR2. HCTR2 uses a polynomial hash function called POLYVAL. HCTR2 is efficient on modern processors with an
To protect against the watermarking attack, a cipher or a hash function is used to generate the IVs from the key and the current sector number, so that an adversary cannot predict the IVs. In particular, the
-256 and AES-128 encryption must supply 512 bits and 256 bits of key respectively. The two keys (i.e., both halves of the XTS key) must be distinct for XTS to be CCA-secure, since XTS computes the sequence

, which takes extra space in exchange for guaranteeing the integrity of the sector. One application of this guarantee would be to prevent an attacker from triggering kernel bugs by breaking the filesystem.
HCTR (2005) is a mode of operation for block ciphers that is length-preserving, wide-block, and tweakable. It, however, has a bug in the specification and another in its security proof, rendering its claimed
uses this transform to include sufficient redundancy in its plaintext to detect and discard such random plaintexts." This would require maintaining checksums for all data and metadata on disk, as done in
XTS mode is susceptible to data manipulation and tampering, and applications must employ measures to detect modifications of data if manipulation and tampering is a concern: "...since there are no
A method provides good confidentiality if the only information such an adversary can determine over time is whether the data in a sector has or has not changed since the last time they looked.
to use in disk encryption. The usual methods for generating IVs are predictable sequences of numbers based on, for example, time stamp or sector number, and permit certain attacks such as a
, which allow encrypting larger amounts of data than the ciphers' block-size (typically 128 bits). Modes are therefore rules on how to repeatedly apply the ciphers' single-block operations.

. The XTS standard requires using a different key for the IV encryption than for the block encryption; this differs from XEX which uses only a single key. As a result, users wanting
for AES). With some precomputation, only a single multiplication per sector is required (note that addition in a binary finite field is a simple bitwise addition, also known as xor):
to a prior state, circumventing any such checks. If some non-absolute level of disk integrity is desired, it can be achieved within the encrypted disk on a file-by-file basis using
invalid. HCTR2 (2021) is a variant that fixes these issues and improves on security, performance, and flexibility. HCTR2 is available in the Linux kernel since version 6.0.
The tweakable narrow-block encryption (LRW) is an instantiation of the mode of operations introduced by Liskov, Rivest, and Wagner (see Theorem 2). This mode uses two keys:
the block granularity to perform traffic analysis and replay. A wide-block cipher ideally makes the entire ciphertext unrecognizable for a change anywhere in the plaintext.
protection when the storage medium is a sector-addressable device (e.g., a hard disk). This article presents cryptographic aspects of the problem. For an overview, see
In 2023, Aldo Gunsing, Joan Daemen and Bart Mennink presented the "double-decker" construction, which also uses a stream cipher. It is again tweakable and wide-block.
provides support for sectors with size not divisible by block size, for example, 520-byte sectors and 16-byte blocks. XTS-AES was standardized on December 19, 2007 as
The HBSH (hash, block cipher, stream cipher, hash) construction, published by Google employees in 2018, allows a fast stream cipher to be used in disk encryption. The
. ESSIV prevents such attacks by generating IVs from a combination of the sector number SN with the hash of the key. It is the combination with the key in form of a
Although it used to be commonly accepted that disk encryption should be length-preserving, some additional features do justify the use of extra space. One example is
, leaving a watermark on the disk. The exact pattern of "same-different-same-different" on disk can then be altered to make the watermark unique to a given file.
algorithm by reference to the IEEE Std 1619-2007, subject to one additional requirement, which limits the maximum size of each encrypted data unit (typically a
provides encryption as well as an authentication tag, the encryption component of the IAPM mode completely describes the LRW and XEX schemes above, and hence
. The construction is tweakable and wide-block. It requires three passes over the data, but is still faster than AES-128-XTS on an ARM Cortex-A7 (which has no
The encryption method should not waste disk space (i.e., the amount of storage used for encrypted data should not be significantly larger than the size of
bits) long, which are encrypted and decrypted independently of each other. In turn, if the data is to stay confidential, the encryption method must be
In order to solve this problem, Halevi and Rogaway introduced a parallelizable variant called EME (ECB–mask–ECB). It works in the following way:
from whom the data is being kept confidential. The strongest adversaries studied in the field of disk encryption have these abilities:
* U.S. Patent 6,963,976, "Symmetric Key Authenticated Encryption Schemes" (filed Nov. 2000, issued Nov. 2005, expires 25 Nov. 2022)
since version 2.6.10, though a similar scheme has been used to generate IVs for OpenBSD's swap encryption since 2000.
$$
\begin{aligned}
X &= E_{K}(I)\otimes \alpha^{j},\\
C &= E_{K}(P\oplus X)\oplus X,
\end{aligned}
$$

, is limited to a certain block size (usually 128 or 256 bits). Because of this, disk encryption chiefly studies
Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher
"Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices"
CMC, introduced by Halevi and Rogaway, stands for CBC–mask–CBC: the whole sector encrypted in CBC mode (with
, and re-encrypted in CBC mode starting from the last block. When the underlying block cipher is a strong

(PRP) then on the sector level the scheme is a tweakable PRP. One problem is that in order to decrypt
only metadata is protected against tampering, while the detection of data tampering is non-existent.
$$
\begin{aligned}
X &= F\otimes I,\\
C &= E_{K}(P\oplus X)\oplus X.
\end{aligned}
$$

. For discussion of different software packages and hardware devices devoted to this problem, see
Wang, Peng; Feng, Dengguo; Wu, Wenling (2005). "HCTR: A Variable-Input-Length Enciphering Mode".
, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and

$$
F\otimes I = F\otimes (I_{0}\oplus \delta) = F\otimes I_{0}\oplus F\otimes \delta
$$
The third property is generally non-controversial. However, it indirectly prohibits the use of
, which cannot be tweaked, and modes that turn block ciphers into stream ciphers, such as the

"The Strange State of Authenticated Boot and Disk Encryption on Generic Linux Distributions"

$$
IV(\mathrm{SN}) = E_{s}(\mathrm{SN}),\ \text{where}\ s = \text{hash}(K).
$$
and storage should both be fast operations, no matter where on the disk the data is stored.
"Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC"
is an additional key of the same size as block. For example, for AES with a 256-bit key,
define sector-wide block ciphers, unfortunately with degraded performance (see below).
(GCM), thus permitting a compact implementation of the universal LRW/XEX/GCM hardware.
Latest SISWG and IEEE P1619 drafts and meeting information are on the P1619 home page
Standard Architecture for Encrypted Shared Storage Media, IEEE Project 1619 (P1619),
IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
aspect. This is described in detail in Figures 8 and 5 of the US patent 6,963,976.
This can be used for practical attacks on disk encryption in CBC or CBC-ESSIV mode.
and they can modify unused sectors on the disk and then request their decryption.
they can request the disk to encrypt and store arbitrary files of their choosing;
Chakraborty, Debrup; López, Cuauhtemoc Mancillas; Sarkar, Palash (April 2018).
Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices
Like most encryption schemes, block cipher-based disk encryption makes use of
"AES-CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista"

(CBC) is a common chaining mode in which the previous block's ciphertext is

"Secret Messages: Hard disk encryption with DM-Crypt, LUKS, and cryptsetup"
Since there isn't a "previous block's ciphertext" for the first block, an
. EME is patented, and so is not favored to be a primary supported mode.
ESSIV was designed by Clemens Fruhwirth and has been integrated into the
. Lecture Notes in Computer Science. Vol. 4356. pp. 96–113.
about XCB, which is found in IEEE-std 1619.2 2010; somewhat known for
"Practical malleability attack against CBC-encrypted LUKS partitions"

$$
C'_{0} = M_{C}\oplus I\oplus \bigoplus_{i=1}^{k-1} C'_{i}
$$

"Adiantum: length-preserving encryption for entry-level processors"

. The Third NIST Workshop on Block Cipher Modes of Operation 2023.
Disk encryption methods aim to provide three distinct properties:
, shifted by different amounts to the left, and are encrypted:
XEX-based tweaked-codebook mode with ciphertext stealing (XTS)
approach uses a block cipher in CTR mode to generate the IVs.
"DMCrypt dm-crypt: Linux kernel device-mapper crypto target"

, standardization project for encryption of the storage data
scheme used in low-end Android devices specifically chooses
, which expand the encryption block length to cover a whole
The second property requires dividing the disk into several
, and this mode of operation has now been replaced by XTS.
create two encrypted sectors with identical first blocks
"Lest We Remember: Cold Boot Attacks on Encryption Keys"
Note that unlike LRW and CMC there is only a single key
is the number of the block within the sector. XEX uses
they can read the raw contents of the disk at any time;
Fruhwirth, Clemens; Schuster, Markus (December 2005).
). It is available in the Linux kernel since version 5.0.
with the current block's plaintext before encryption:
one must sequentially pass over all the data twice.
multiplication) are the same as the ones used in the
The basic operations of the LRW mode (AES cipher and
is to mimic a random permutation for any secret key
is to mimic a random permutation for any secret key
CMC and EME were considered for standardization by
Encrypted salt-sector initialization vector (ESSIV)
. This, in turn, makes CBC tweakable in some ways.

Draft Proposal for Tweakable Wide-block Encryption, IEEE P1619/D16, 2007, p. 34, archived from

"Disk encryption: do we need to preserve length?"

Crowley, Paul; Biggers, Eric (13 December 2018).

Liskov, Moses; Minematsu, Kazuhiko (2008-09-02).

"Improved Security Analysis of XEX and LRW Modes"

. However, in commonly used file systems such as

$$
C_{i} = E_{K}(C_{i-1}\oplus P_{i}).
$$

Encrypted Storage — Challenges and Methods

$$
C_{i} = E_{K}(C'_{i})\oplus 2^{i}L
$$

$$
P'_{i} = E_{K}(P_{i}\oplus 2^{i}L)
$$

$$
\mathrm{GF}\left(2^{128}\right)
$$

National Institute of Standards and Technology

; these two are then related to each other by

"IEEE Approves Standards for Data Encryption"

CBC suffers from some problems. For example,

. IEEE Standards Association. Archived from

$$
M_{P} = I\oplus \bigoplus P'_{i}
$$

), the ciphertext is masked by xoring with

are precomputed for all possible values of

When taking additional space is acceptable

IACR Transactions on Symmetric Cryptology

"Length-preserving encryption with HCTR2"

Aldo Gunsing; Joan Daemen; Bart Mennink.

Thomas Ptacek; Erin Ptacek (2014-04-30).
CBC–mask–CBC (CMC) and ECB–mask–ECB (EME)

$$
2(C'_{0}\oplus C'_{k-1})
$$

$$
C_{-1} = E_{A}(I)
$$

$$
L = E_{K}(0)
$$

the plaintexts are xored with

the mask is calculated:

$$
M_{C} = E_{K}(M_{P})
$$

$$
M = M_{P}\oplus M_{C}
$$

intermediate ciphertexts are masked:

$$
C'_{i} = P'_{i}\oplus 2^{i}M
$$

$$
i = 1,\ldots,k-1
$$

the final ciphertexts are calculated:

$$
i = 0,\ldots,k-1
$$

; this differs from XEX which starts at

Another tweakable encryption mode, XEX (

The original XEX has a weakness.

security concerns exist with LRW

LRW is employed by

and supported as an option for

$$
F\otimes \delta
$$

$$
\mathrm{GF}(2^{128})
$$

$$
j\geq 0 ,\qquad j\geq 1
$$

is the key for the block cipher and

is a 256-bit number and

is a 128-bit number. Encrypting block

uses the following formula:

is the number of the sector,

is the primitive element of

$$
E_{K}^{T}
$$

ESSIV is a method for generating

that makes the IV unpredictable.

ESSIV is supported as an option by the

is identical to the encryption of

carry-less multiplication instructions

Problem definition

The first property requires defining an

The data on the disk should remain

Block cipher-based modes

Cipher-block chaining (CBC)

Liskov, Rivest, and Wagner (LRW)

Xor–encrypt–xor (XEX)

Narrow and wide block

XTS weaknesses

Malleability attack

Stream cipher modes

HCTR and HCTR2

Further reading

M. Liskov, R. Rivest, and D. Wagner. Tweakable block ciphers, CRYPTO '02 (LNCS, volume 2442), 2002.

S. Halevi and P. Rogaway, A Tweakable Enciphering Mode, CRYPTO '03 (LNCS, volume 2729), 2003.

S. Halevi and P. Rogaway, A Parallelizable Enciphering Mode

Draft Proposal for Key Backup Format

, US Patent Application 20040131182 A1.

, 2004. – describes EME-32-AES

Fruhwirth, Clemens (18 July 2005). "New Methods in Hard Disk Encryption" (PDF). Vienna University of Technology

Rogaway, Phillip (2004-09-24). (PDF). University of California, Davis. Dept. Of Computer Science

Minematsu, Kazuhiko (2007). Selected Areas in Cryptography

Morris Dworkin (January 2010). NIST Special Publication 800-38E.

Niels Fergusson (August 2006).

Karen McCabe (19 December 2007). April 18, 2008. pp. 1–40.

Jakob Lell (2013-12-22).

Provos, Niels (2000). Encrypting Virtual Memory. 9th USENIX Security Symposium

Poettering, Lennart.

"Comments on XTS-AES"

"What's new in BitLocker?"

"NetBSD cryptographic disk driver"

"Deck-Based Wide Block Cipher Modes"

Journal of Cryptographic Engineering

Information Security and Cryptology

Linux Magazine. No. 61. pp. 65–71

VeraCrypt Documentation

"The eSTREAM project"

Security in Storage Working Group

External links
1661: 1658: 1642: 1617: 1613: 1584: 1577: 1562: 1555: 1540: 1533: 1532: 1531: 1510: 1507: 1504: 1498: 1495: 1492: 1484: 1480: 1476: 1474: 1469: 1462: 1457: 1453: 1449: 1443: 1435: 1431: 1427: 1425: 1420: 1409: 1408: 1407: 1393: 1385: 1379: 1371: 1369: 1367: 1363: 1359: 1354: 1352: 1347: 1333: 1313: 1310: 1307: 1287: 1284: 1281: 1278: 1273: 1269: 1265: 1262: 1259: 1253: 1250: 1245: 1241: 1234: 1231: 1228: 1225: 1222: 1219: 1198: 1193: 1189: 1185: 1171: 1155: 1148:and addition 1135: 1108: 1105: 1102: 1096: 1093: 1090: 1082: 1078: 1074: 1072: 1067: 1060: 1057: 1054: 1051: 1048: 1046: 1041: 1030: 1029: 1028: 1014: 994: 974: 954: 934: 914: 902: 900: 893: 891: 889: 885: 880: 878: 859: 853: 842: 839: 825: 809: 805: 801: 785: 782: 775: 774: 773: 771: 767: 763: 759: 751: 749: 747: 741: 725: 721: 698: 694: 671: 667: 663: 660: 655: 651: 647: 642: 638: 634: 631: 626: 622: 599: 595: 572: 568: 558: 553: 537: 534: 530: 521: 502: 494: 490: 486: 481: 478: 475: 471: 462: 458: 454: 449: 445: 437: 436: 435: 433: 429: 424: 416: 414: 412: 401: 391: 385: 381: 378:This article 376: 372: 367: 366: 360: 358: 351: 349: 347: 339: 337: 335: 329: 327: 323: 319: 315: 311: 307: 302: 288: 268: 246: 241: 237: 228: 212: 190: 186: 177: 169: 164: 158: 155: 152: 151: 150: 148: 140: 136: 133: 130: 127: 123: 122: 121: 112: 109: 101: 91: 87: 83: 77: 76: 72: 67:This section 65: 61: 56: 55: 49: 47: 45: 41: 37: 33: 29: 19: 3777:. Retrieved 3773:the original 3733:(1): 49–69. 3730: 3726: 3698:cite journal 3654:cite journal 3643:the original 3600: 3591: 3582: 3567: 3560: 3530: 3511: 3501: 3467: 3463: 3457: 3448: 3446:P. Rogaway, 3442: 3433:14 September 3431:, retrieved 3424:the original 3415: 3409: 3398:. Retrieved 3388: 3377:. Retrieved 3372: 3363: 3352:. Retrieved 3348:the original 3338: 3317:cite journal 3287: 3218: 3212: 3204:the original 3193: 3166: 3153: 3144: 3107: 3102: 3090: 3075: 3063:. Retrieved 3059: 3054:Milan Broz. 3049: 3032: 3025: 3013:. Retrieved 2996: 2984:. 
Retrieved 2977: 2964: 2951: 2915:0pointer.net 2914: 2904: 2855:without the 2842: 2834: 2807: 2790: 2782: 2770: 2747: 2142: 1995: 1991: 1982: 1958: 1882: 1862: 1855: 1801:starting at 1762: 1754: 1747: 1739:Galois field 1736: 1656: 1529: 1381: 1355: 1348: 1170:finite field 1127: 906: 897: 881: 877:Linux kernel 874: 755: 742: 556: 554: 517: 427: 426: 410: 408: 395: 379: 355: 343: 330: 310:block cipher 303: 226: 175: 167: 165: 162: 144: 126:confidential 119: 104: 98:January 2024 95: 80:Please help 68: 32:data at rest 27: 26: 3470:: 175–188. 2820:(AES-256), 1913:DiskCryptor 1707:; XTS uses 318:disk sector 229:encryption 3791:Categories 3779:2010-03-28 3400:2015-11-15 3379:2017-10-13 3354:2019-01-07 3060:gitlab.com 2896:References 2889:IEEE P1619 2843:While the 2816:, 256-bit 1941:Windows 10 1878:disk block 1768:IEEE P1619 398:March 2024 3690:Microsoft 3514:: 39–61. 3256:ignored ( 3246:cite book 3015:22 August 2986:22 August 2729:− 2720:… 2675:⊕ 2592:− 2574:⨁ 2570:⊕ 2564:⊕ 2515:− 2506:… 2461:⊕ 2340:⨁ 2337:⊕ 2291:⊕ 2236:⊕ 2086:− 2075:⊕ 2009:− 1949:wolfCrypt 1945:BitLocker 1937:FileVault 1909:VeraCrypt 1905:TrueCrypt 1885:BestCrypt 1783:α 1718:≥ 1692:≥ 1585:α 1505:⊕ 1496:⊕ 1454:α 1450:⊗ 1358:BestCrypt 1334:δ 1314:δ 1311:⊗ 1288:δ 1285:⊗ 1279:⊕ 1266:⊗ 1254:δ 1251:⊕ 1235:⊗ 1223:⊗ 1156:⊕ 1136:⊗ 1103:⊕ 1094:⊕ 1055:⊗ 661:⊕ 632:⊕ 535:− 487:⊕ 479:− 390:talk page 227:tweakable 176:tweakable 147:adversary 139:plaintext 69:does not 3606:Archived 3538:Archived 3113:Archived 3065:April 5, 2863:See also 2826:Poly1305 2822:ChaCha12 2810:Adiantum 2668:′ 2609:′ 2547:′ 2457:′ 2441:′ 2352:′ 2313:, where 2206:′ 2093:′ 2071:′ 1901:FreeOTFE 1897:dm-crypt 1895:'s cgd, 1366:FreeOTFE 1362:dm-crypt 1300:, where 888:FreeOTFE 884:dm-crypt 326:CTR mode 322:ECB mode 18:XTS mode 3747:4647765 3590:SISWG, 3587:, 2004. 3581:SISWG, 3572:, 2003. 3375:. 
IDRIX 2847:scheme 2839:Patents 1929:OpenSSL 1925:OpenBSD 1917:FreeBSD 1530:where: 168:sectors 90:removed 75:sources 3745:  3234:  3181:  2824:, and 1893:NetBSD 1874:sector 837:  829:  3762:SISWG 3743:S2CID 3723:(PDF) 3686:(PDF) 3646:(PDF) 3635:(PDF) 3427:(PDF) 3420:(PDF) 3297:(PDF) 3279:(PDF) 3163:(PDF) 3141:(PDF) 3037:(pdf) 3006:(PDF) 2974:(PDF) 2956:(PDF) 2773:SISWG 1970:Btrfs 1889:Botan 1349:Some 833:where 746:ESSIV 432:xored 3711:help 3674:link 3667:help 3468:3822 3435:2012 3330:help 3258:help 3232:ISBN 3179:ISBN 3067:2015 3017:2024 2988:2024 2849:IAPM 2796:and 2700:for 2530:and 2486:for 2365:and 1978:NTFS 1976:and 1974:ext4 1947:and 1921:geli 1865:NIST 1364:and 886:and 847:hash 770:hash 760:for 587:and 172:4096 73:any 71:cite 42:and 3735:doi 3516:doi 3472:doi 3305:doi 3224:doi 3171:doi 2853:XTS 1968:or 1966:ZFS 1943:'s 1939:2, 1935:'s 1919:'s 1876:or 1870:AES 1772:AES 1618:128 1194:128 84:by 3793:: 3741:. 3729:. 3725:. 3702:: 3700:}} 3696:{{ 3688:. 3658:: 3656:}} 3652:{{ 3637:. 3622:, 3618:, 3510:. 3484:^ 3466:. 3371:. 3321:: 3319:}} 3315:{{ 3303:. 3266:^ 3250:: 3248:}} 3244:{{ 3230:. 3177:. 3165:. 3143:. 3124:^ 3058:. 3039:. 3008:. 2976:. 2941:^ 2923:^ 2913:. 2814:NH 2800:. 2768:. 1951:. 1931:, 1923:, 1915:, 1911:, 1907:, 1903:, 1899:, 1891:, 1887:, 1853:. 1606:GF 1181:GF 819:SN 794:SN 557:if 336:. 328:. 301:. 141:). 46:. 3782:. 3764:. 3749:. 3737:: 3731:8 3713:) 3709:( 3692:. 3676:) 3669:) 3665:( 3578:. 3546:. 3524:. 3518:: 3495:. 3478:. 3474:: 3403:. 3382:. 3357:. 3332:) 3328:( 3311:. 3307:: 3281:. 3260:) 3240:. 3226:: 3187:. 3173:: 3097:. 3084:. 3069:. 3019:. 2990:. 2935:. 2917:. 2756:K 2744:. 
2732:1 2726:k 2723:, 2717:, 2714:0 2711:= 2708:i 2688:L 2683:i 2679:2 2672:) 2664:i 2660:C 2656:( 2651:K 2647:E 2643:= 2638:i 2634:C 2622:; 2605:i 2601:C 2595:1 2589:k 2584:1 2581:= 2578:i 2567:I 2559:C 2555:M 2551:= 2543:0 2539:C 2518:1 2512:k 2509:, 2503:, 2500:1 2497:= 2494:i 2474:M 2469:i 2465:2 2453:i 2449:P 2445:= 2437:i 2433:C 2421:; 2409:) 2404:P 2400:M 2396:( 2391:K 2387:E 2383:= 2378:C 2374:M 2348:i 2344:P 2334:I 2331:= 2326:P 2322:M 2299:C 2295:M 2286:P 2282:M 2278:= 2275:M 2264:; 2252:) 2249:L 2244:i 2240:2 2231:i 2227:P 2223:( 2218:K 2214:E 2210:= 2202:i 2198:P 2177:) 2174:0 2171:( 2166:K 2162:E 2158:= 2155:L 2126:0 2122:P 2097:) 2089:1 2083:k 2079:C 2067:0 2063:C 2059:( 2056:2 2036:) 2033:I 2030:( 2025:A 2021:E 2017:= 2012:1 2005:C 1841:1 1838:= 1835:j 1815:0 1812:= 1809:j 1787:j 1733:. 1721:0 1715:j 1695:1 1689:j 1669:j 1659:, 1657:2 1643:x 1623:) 1614:2 1610:( 1563:I 1541:P 1511:, 1508:X 1502:) 1499:X 1493:P 1490:( 1485:K 1481:E 1477:= 1470:C 1463:, 1458:j 1447:) 1444:I 1441:( 1436:K 1432:E 1428:= 1421:X 1394:C 1308:F 1282:F 1274:0 1270:I 1263:F 1260:= 1257:) 1246:0 1242:I 1238:( 1232:F 1229:= 1226:I 1220:F 1199:) 1190:2 1186:( 1172:( 1109:. 1106:X 1100:) 1097:X 1091:P 1088:( 1083:K 1079:E 1075:= 1068:C 1061:, 1058:I 1052:F 1049:= 1042:X 1015:I 995:P 975:F 955:K 935:F 915:K 860:. 857:) 854:K 851:( 843:= 840:s 826:, 823:) 815:( 810:s 806:E 802:= 799:) 789:( 786:V 783:I 726:2 722:b 699:1 695:b 672:2 668:V 664:I 656:2 652:b 648:= 643:1 639:V 635:I 627:1 623:b 600:2 596:b 573:1 569:b 538:1 531:C 503:. 500:) 495:i 491:P 482:1 476:i 472:C 468:( 463:K 459:E 455:= 450:i 446:C 400:) 396:( 392:. 386:. 289:T 269:K 247:T 242:K 238:E 213:K 191:K 187:E 128:. 111:) 105:( 100:) 96:( 92:. 78:. 20:)

