Cryptography and Communications

, Volume 7, Issue 4, pp 439–468 | Cite as

Another look at XCB

  • Debrup ChakrabortyEmail author
  • Vicente Hernandez-Jimenez
  • Palash Sarkar


XCB is a tweakable enciphering scheme (TES) which was first proposed in 2004. The scheme was modified in 2007. We call these two versions of XCB as XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector oriented storage media in IEEE-std 1619.2 2010. There is no known proof of security for XCBv1 but the authors provided a concrete security bound for XCBv2 and a “proof” justifying the bound. In this paper we show that XCBv2 is not secure as a TES by showing an easy distinguishing attack on it. For XCBv2 to be secure, the message space should contain only messages whose lengths are multiples of the block length of the block cipher. Even for such restricted message spaces, the bound that the authors claim is not justified. We show this by pointing out some errors in the proof. For XCBv2 on full block messages, we provide a new security analysis. The resulting bound that can be proved is much worse than what has been claimed by the authors. Further, we provide the first concrete security bound for XCBv1, which holds for all message lengths. In terms of known security bounds, both XCBv1 and XCBv2 are worse compared to existing alternative TESs.


Disk encryption IEEE-std 1619.2 2010 Wide block modes Tweakable enciphering schemes XCB 

Mathematics Subject Classifications (2010)

Data Encryption 68P25 Cryptography 94A60 



The authors thanks the reviewers for their careful reading of the paper and providing useful comments. Debrup Chakraborty acknowledges the support from project 166763 funded by Consejo Nacional de Ciencia y Tecnología (CONACyT), Mexico.


  1. 1.
    IEEE Std, 1619. 2-2010: IEEE standard for wide-block encryption for shared storage media. IEEE Computer Society, March 2011
  2. 2.
    Chakraborty, D., Nandi, M.: An improved security bound for HCTR. In: Fast Software Encryption - FSE 2008, volume 5086 of Lecture Notes in Computer Science, pp 441–455. Springer (2008)Google Scholar
  3. 3.
    Chakraborty, D., Sarkar, P.: A new mode of encryption providing a tweakable strong pseudo-random permutation. In: Fast Software Encryption - FSE 2008, volume 4047 of Lecture Notes in Computer Science, pp 293–309. Springer (2006)Google Scholar
  4. 4.
    Chakraborty, D., Sarkar, P.: HCH: A new tweakable enciphering scheme using the hash-counter-hash approach. IEEE Trans. Inf. Theory 54(4), 1683–1699 (2008)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Halevi, S.: EME : Extending EME to handle arbitrary-length messages with associated data. In: INDOCRYPT, volume 3348 of Lecture Notes in Computer Science, pp 315–327. Springer (2004)Google Scholar
  6. 6.
    Halevi, S.: Invertible universal hashing and the TET encryption mode. In: CRYPTO, volume 4622 of Lecture Notes in Computer Science, pp 412–429. Springer (2007)Google Scholar
  7. 7.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: CRYPTO, volume 2729 of Lecture Notes in Computer Science, pp 482–499. Springer (2003)Google Scholar
  8. 8.
    Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: CT-RSA, volume 2964 of Lecture Notes in Computer Science, pp 292–304. Springer (2004)Google Scholar
  9. 9.
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Advances in Cryptology - Crypto 2012, volume 7417 of Lecture Notes in Computer Science, pp 31–49. Springer (2012)Google Scholar
  10. 10.
    Mancillas-López, C., Chakraborty, D., Rodríguez-Henríquez, F.: Reconfigurable hardware implementations of tweakable enciphering schemes. IEEE Trans. Comput. 59(11), 1547–1561 (2010)MathSciNetCrossRefGoogle Scholar
  11. 11.
    McGrew, D. A., Fluhrer, S. R.: The extended codebook (XCB) mode of operation. Cryptology ePrint Archive, Report 2004/278 (2004)Google Scholar
  12. 12.
    McGrew, D.A., Fluhrer, S.R.: The security of the extended codebook (XCB) mode of operation. In: Adams, C., Miri, A., Wiener, M. (eds.) Selected Areas in Cryptography, volume 4876 of Lecture Notes in Computer Science, pp 311–327. Springer Berlin Heidelberg (2007)Google Scholar
  13. 13.
    McGrew, D. A., Viega, J.: Arbitrary block length mode (2004).
  14. 14.
    Motwani, R., Raghavan, P. Randomized algorithms. Cambridge University Press (2007)Google Scholar
  15. 15.
    Sarkar, P.: Improving upon the TET mode of operation. In: ICISC, volume 4817 of Lecture Notes in Computer Science, pp 180–192. Springer (2007)Google Scholar
  16. 16.
    Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. IEEE Trans on Inf Theory. 55, 4749–4760 (2009)CrossRefGoogle Scholar
  17. 17.
    Wang, P., Feng, D., Wu, W.: HCTR: A variable-input-length enciphering mode. In: CISC, pp 175–188 (2005)Google Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • Debrup Chakraborty
    • 1
    Email author
  • Vicente Hernandez-Jimenez
    • 1
  • Palash Sarkar
    • 2
  1. 1.Department of Computer ScienceCINVESTAV-IPNMexico CityMexico
  2. 2.Applied Statistics UnitIndian Statistical InstituteKolkataIndia

Personalised recommendations