This is useful for disk encryption, where every sector has to be encrypted in place and there is no room for extra bytes. We need:
- wide blocks, because we can't store an authentication tag; the best substitute is poor-man's authentication, where any change to the ciphertext randomizes the whole sector instead of a single 16-byte block
- tweakable, because we can't store a per-sector nonce either
Why not turn the metadata we already have into a nonce? That is exactly what the tweak is for: the sector index is fixed, public and free, and XTS derives its tweak from it, so nothing extra has to be stored.
It looks like:
- Microsoft BitLocker shipped AES-CBC + Elephant diffuser (Vista, Windows 7), dropped the diffuser in Windows 8, and has used XTS-AES since Windows 10 version 1511
- Apple FileVault 2 uses XTS-AES
- Google designed Adiantum for low-end Android phones without AES hardware acceleration; it has been in the Linux kernel since 5.0
- 2006 - Niels Ferguson - AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista
There are many stream ciphers, but by their very nature, they allow the attacker to flip arbitrary bits in the plaintext. This lack of diffusion makes them entirely ineffective for poor-man’s authentication.
Any time you want to encrypt data, AES-CBC is a leading candidate. In this case it is not suitable, due to the lack of diffusion in the CBC decryption operation.
Bear and Lion are two large-block block ciphers proposed by Ross Anderson and Eli Biham [...] Bear and Lion seem ideally suited, except for the fact that they are too slow. Both ciphers make three passes over the data. If we were to use SHA-256 for the hash function and AES-CTR for the stream cipher, the overall cipher would need close to 100 cycles/byte.
Mercy is a block cipher specifically designed for disk sector encryption [3]. Unfortunately, it was broken in 2001 by Scott Fluhrer.
LRW provides some level of poor-man’s authentication, but the relatively small block size of AES (16 bytes) still leaves a lot of freedom for an attacker.
CMC and EME are two block cipher modes proposed by Halevi and Rogaway [...] However, they have not been widely studied or deployed, making them a relatively high-risk choice from a security point of view. (An earlier version of CMC was in fact broken.)
For BitLocker we want a block cipher whose block size is much larger. The same type of attack is still possible, but it is made harder by two factors: any particular attack point is far less likely to be on a suitable block boundary, and the attacker is forced to randomize more plaintext, increasing the likelihood that he will damage other parts of the system and crash the PC rather than open a usable hole.
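A worked illustration of the three quoted points (stream ciphers let an attacker flip chosen plaintext bits, CBC decryption diffuses only within one block plus one bit of the next, and a Bear/Lion-style wide block randomizes everything), and of the tweak question at the top of the page. This is an added example, not code from the page or from Ferguson's paper. It flips one ciphertext bit in a 512-byte sector and reports which plaintext bytes change on decryption. Assumptions: a SHA-256 counter keystream stands in for a real stream cipher and a four-round HMAC-SHA256 Feistel network stands in for AES (both chosen so the script needs only the standard library; neither is a production primitive); the keys and the all-zero sector are constructed test data; and feeding the sector index into Lion's keystream as a tweak is my extension for the demo, not part of the Anderson/Biham definition.

```python
"""Bit-flip malleability of a stream cipher, CBC and the Lion wide-block cipher.
Added example, not code from the page or Ferguson's paper. Standard library only:
a SHA-256 counter keystream stands in for the stream cipher and a 4-round
HMAC-SHA256 Feistel network stands in for AES (demo placeholders, not for use)."""
import hashlib
import hmac

SECTOR = 512   # constructed sector size in bytes
BLOCK = 16     # narrow block size, as for AES
HASH = 32      # SHA-256 output length: Lion's left half

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Placeholder stream cipher: SHA-256(key || nonce || counter) blocks."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt = decrypt = XOR with keystream; the sector index is the nonce."""
    return xor(data, keystream(key, nonce, len(data)))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on a 16-byte block (AES stand-in)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def prp_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = prp_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += xor(prp_decrypt(key, c), prev)   # P_i = D(C_i) xor C_(i-1)
        prev = c
    return bytes(out)

def lion_encrypt(k1: bytes, k2: bytes, tweak: bytes, block: bytes) -> bytes:
    """Lion (Anderson/Biham): stream, hash, stream; three passes over the block.
    Using the sector index as keystream nonce (tweak) is my addition, not Lion's."""
    l, r = block[:HASH], block[HASH:]
    r = xor(r, keystream(xor(l, k1), tweak, len(r)))
    l = xor(l, hashlib.sha256(r).digest())
    r = xor(r, keystream(xor(l, k2), tweak, len(r)))
    return l + r

def lion_decrypt(k1: bytes, k2: bytes, tweak: bytes, block: bytes) -> bytes:
    l, r = block[:HASH], block[HASH:]
    r = xor(r, keystream(xor(l, k2), tweak, len(r)))
    l = xor(l, hashlib.sha256(r).digest())
    r = xor(r, keystream(xor(l, k1), tweak, len(r)))
    return l + r

def flip_bit(data: bytes, pos: int) -> bytes:
    out = bytearray(data)
    out[pos] ^= 0x01
    return bytes(out)

def changed(a: bytes, b: bytes) -> list:
    """Indices at which the decrypted sector differs from the original."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

K1, K2 = bytes(range(32)), bytes(range(32, 64))   # constructed fixed keys
PLAIN = bytes(SECTOR)                              # constructed all-zero sector

def attack(pos: int = 100, sector: int = 7) -> dict:
    """Flip bit 0 of ciphertext byte `pos` of sector `sector` under each mode and
    return the indices of plaintext bytes that change after decryption."""
    tw = sector.to_bytes(8, "big")
    iv = prp_encrypt(K1, tw.rjust(BLOCK, b"\0"))   # per-sector CBC IV
    c_stream = stream_crypt(K1, tw, PLAIN)
    c_cbc = cbc_encrypt(K1, iv, PLAIN)
    c_lion = lion_encrypt(K1, K2, tw, PLAIN)
    return {
        "stream": changed(PLAIN, stream_crypt(K1, tw, flip_bit(c_stream, pos))),
        "cbc": changed(PLAIN, cbc_decrypt(K1, iv, flip_bit(c_cbc, pos))),
        "lion": changed(PLAIN, lion_decrypt(K1, K2, tw, flip_bit(c_lion, pos))),
    }
```

Calling attack() gives, per mode, the list of plaintext byte indices that changed: the stream cipher changes exactly byte 100 (a fully controlled edit), CBC garbles the 16-byte block containing the flip and flips the same single bit in the following block (byte 116) while every other byte survives intact, and Lion changes essentially all 512 bytes. That last behaviour is the poor-man's authentication the quote is after: there is no way to make a controlled change to any part of the sector. The sector index passed as tweak also shows the same plaintext encrypting differently in different sectors without any stored nonce.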
- 2014 - Andrey Jivsov - WCFB: a tweakable wide block cipher
CMC [1], EME2 [2], PEP [3], TET [4], HEH [5], XCB [6], HCTR [7], HCH [8].
EME2 is standardized in the IEEE 1619.2 Section "Wide-Block Encryption" of the IEEE P1619 standard.
There are modes that do not offer security proofs, such as Elephant+CBC [9], modes that do not offer the benefit of a full block permutation such as XTS [10] (XTS is standardized by the IEEE 1619 standard and by the NIST), and there are uses of standard CBC for wide block encryption, most notably, the CBC is one of the two allowed modes in [11].
The market success of wide encryption modes as of year 2014 is very limited. We are not aware of any existing whole disk product that even offers a wide block encryption mode. One likely explanation for this is that the overhead of the crypto code is perceived as substantial by end-users, especially with solid-state storage media.
- 2018 - Benoît Cogliati and Jooyoung Lee - Wide Tweakable Block Ciphers Based on Substitution-Permutation Networks: Security Beyond the Birthday Bound
- 2019 - Google Adiantum
According to Microsoft sources, BitLocker does not contain an intentionally built-in backdoor; without a backdoor there is no way for law enforcement to have a guaranteed passage to the data on the user's drives that is provided by Microsoft. In 2006 the UK Home Office expressed concern over the lack of a backdoor and tried entering into talks with Microsoft to get one introduced, although Microsoft developer Niels Ferguson and other Microsoft spokesmen state that they will not grant the wish to have one added. Microsoft engineers have said that FBI agents also put pressure on them in numerous meetings in order to add a backdoor, although no formal, written request was ever made; Microsoft engineers eventually suggested to the FBI that agents should look for the hard-copy of the key that the BitLocker program suggests its users to make. Although the AES encryption algorithm used in BitLocker is in the public domain, its implementation in BitLocker, as well as other components of the software, are proprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement. (source)