Full Disk Encryption: Bridging Theory and Practice

  • Louiza Khati
  • Nicky Mouha
  • Damien Vergnaud
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10159)


We revisit the problem of Full Disk Encryption (FDE), which refers to the encryption of each sector of a disk volume. In the context of FDE, it is assumed that there is no space to store additional data, such as an IV (Initialization Vector) or a MAC (Message Authentication Code) value. We formally define the security notions in this model against chosen-plaintext and chosen-ciphertext attacks. Then, we classify various FDE modes of operation according to their security in this setting, in the presence of various restrictions on the queries of the adversary. We will find that our approach leads to new insights for both theory and practice. Moreover, we introduce the notion of a diversifier, which does not require additional storage, but allows the plaintext of a particular sector to be encrypted to different ciphertexts. We show how a 2-bit diversifier can be implemented in the EagleTree simulator for solid state drives (SSDs), while decreasing the total number of Input/Output Operations Per Second (IOPS) by only 4%.


Keywords: Disk encryption theory, Full Disk Encryption, FDE, XTS, IEEE P1619, Unique first block, Diversifier, Provable security



Nicky Mouha is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen), by a JuMo grant from KU Leuven (JuMo/14/48CF), and by FWO travel grant 12F9714N. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose. Damien Vergnaud is supported in part by the French ANR JCJC ROMAnTIC project (ANR-12-JS02-0004).

We thank Matias Bjørling, Luc Bouganim, Niv Dayan and Javier Gonzalez for their useful comments and suggestions on SSD technology.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. École Normale Supérieure - CNRS - Inria, Paris, France
  2. Oppida, Montigny-le-Bretonneux, France
  3. Department of Electrical Engineering-ESAT/COSIC, KU Leuven, Leuven and iMinds, Ghent, Belgium
  4. Project-team SECRET, Inria, Paris, France
  5. National Institute of Standards and Technology, Gaithersburg, USA
