[Cryptography] mode of operation for file encryption
Jon Callas
jon at callas.org
Tue Sep 1 18:13:03 EDT 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
>
> Any alternative, reference to published stuff or criticism would be highly appreciated.
> I could go for XEX, but I would like to have a good motivation to justify the additional GCM operation.
In my opinion, you should just go with XTS mode, which because you're doing to be doing disk blocks is going to fall out as XEX. It isn't perfect, but nothing is. It's fast, reasonably parallelizaeble, and usually good enough. I don't know what you mean by the GCM operation, myself. You can find plenty of people grumbling about it, but it's in my opinion the best thing overall.
If you're not fond of XTS, then I'd say go with EME. EME is cryptographically the best thing you could do, but it requires two encryptions. Modern AES-NI hardware makes this not horrible. You can still probably keep up with even a fast SSD with any reasonable AES-NI CPU. We were going to use EME at PGP Corp for our WDE, but that fell off the shelf for lots of reasons (including the advent of SSDs and thus speed).
EME is patented; at PGP we paid a license fee, but a few years later the state of California just opened up the patent.
The notes on Wikipedia:
https://en.wikipedia.org/wiki/Disk_encryption_theory
are pretty good. They're not up to date on the EME patent status.
There's another option that I will mention. That is to use a real, honest-to-god tweak able, wide-block cipher. My favorite is Threefish. If you use Threefish-512, you get 64 bytes per encryption, and (duh) 128 bytes with Threefish-1024. Threefish runs in software at over twice the speed of AES in software, but all in all, AES-NI hardware makes it really attractive to well, just use AES-XTS.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii
wsBVAwUBVeYi8PD9H+HfsTZWAQi7YAf/bgGnzqi9nom5NoN+tzpbPcpC2t7MI+gE
Ct37BwUhdvGPjD/ykXbFlffkWiS/YEQmJ/C0gr1DHFw2b1Fc56J3imcLQUJYCCsp
E9SvHqOsOyCuFAukXSyzk/7b11x2webrJWM1LZjl6yKMzg5zyrzpMQqMiU7TmhVd
maDmTmua+arZkBcfkv10JTWeKns2lq12ZTGsNCShU6uKqI5+r56aATU4NMObYn5J
pNA1oG+A2xKoQ4KyhedlYHH/Tal450fDvz3B1QZZq8EFU8eyU61b1EWOalui/gcA
ds2J3K6UJafLL7Pcz4l11LMwvxsJm8G7BuEMVS9WH1LpQ454f246iw==
=+eGZ
-----END PGP SIGNATURE-----
More information about the cryptography
mailing list