Call for Algorithm for Disk Sector Level Encryption Standard

Jim Hughes jim at
Sun May 19 23:23:50 EDT 2002

Call for Algorithm for Disk Sector Level Encryption Standard
(For more information go to 

IEEE-SSSC Storage System Standards Committee (
Security In Storage Working Group (

The Security in Storage working group is looking for algorithms and
modes for addressing Encrypted Storage. The initial focus is the ability
to encrypt disk devices at the sector level (not at the file level). The
goal of creating a standard for to allow multiple compatible vendor
independent implementations.

This requirements provides five significant constraints,

1) Confidentiality the obvious requirement. AES is expected to provide
this capability.

2) The disk is read and written in sectors (or multiples of sectors).
Sectors are normally 512 bytes. There is no room for any expansion or
any additional integrity information.

3) The sectors are written and read at random. That is, each sector (or
group of sectors) are stand alone and may be updated independently. This
implies that chaining between sectors is not possible and that the
sector number can be a factor of an implicit Initialization Vector.

4) Non-malleability of the data is a requirement. That is, the
ciphertext can not be manipulated in any way to provide any
understandable plaintext changes anywhere in the sector, possibly even
in the face of a decryption oracle. It is desirable that any ciphertext
manipulations "randomize" the entire sector (or group of sectors).

5) Dictionary attacks must be minimized. Since information on disks for
the management of the file system is regular (partition map, boot
sector, i-nodes, free space, etc.) the ability to guess plaintext is
possible. It is expected that items 1-4 will provide a dictionary attack
only at the individual sector level. That is, a dictionary attack can be
applied to sector 123, but this dictionary is of no valuable at any
other location on the disk.

The "Loop Driver" by Ted Tso, Werner Almsberger and Jari Ruusu meets
items 1-3. One can update this driver to use double AES in PCBC (chain
left, chain right) to be able to meet 1-5 requirements. (See Menezes
Handbook of Applied Cryptography for a definition of single PCBC mode.)
Even with this it is an open issue as to the security of double PCBC
mode. It is an open issue if there are other modes that can accomplish
this with less overhead than double encryption.

Since storage is a very performance and latency sensitive media, there
is a desire that the algorithm to be parallelizable and pipelinable so
that hardware implementations minimize the performance impact of this

The first meeting of the SISWG will occur June 20, 2002, 9am to 4pm at
the Hotel Thayer, 674 Thayer Rd., West Point, NY (845) 446-4731.

The agenda will include a description of the requirements, relevant
attacks and presentations from attendees proposing algorithms and modes.

There is a meeting fee of $90 which will include lunch and refreshments.
Advanced registration is preferred. If you wish to have time on
the agenda, please contact Jim Hughes jim at 

For more information contact Jim Hughes jim at 

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list