
Another look at XCB

Cryptography and Communications

Abstract

XCB is a tweakable enciphering scheme (TES) that was first proposed in 2004 and modified in 2007. We call these two versions XCBv1 and XCBv2 respectively. XCBv2 was later proposed as a standard for encryption of sector-oriented storage media in IEEE Std 1619.2-2010. There is no known proof of security for XCBv1, but the authors provided a concrete security bound for XCBv2 together with a “proof” justifying the bound. In this paper we show that XCBv2 is not secure as a TES by giving an easy distinguishing attack on it. For XCBv2 to be secure, the message space must contain only messages whose lengths are multiples of the block length of the block cipher. Even for such restricted message spaces, the bound that the authors claim is not justified; we show this by pointing out some errors in the proof. For XCBv2 on full-block messages, we provide a new security analysis. The resulting bound that can be proved is much worse than what the authors claimed. Further, we provide the first concrete security bound for XCBv1, which holds for all message lengths. In terms of known security bounds, both XCBv1 and XCBv2 are worse than existing alternative TESs.


Notes

  1. While arguing for the efficiency of XCB, the authors stress a software implementation of the multiplier that uses pre-computed tables; only in such a software implementation can the efficiency of XCB be comparable with that of constructions which use only block ciphers. It is known that in hardware XCB performs worse than all known efficient TESs [10].

  2. In [12], the authors use non-standard terminology. They do not distinguish between a pseudorandom permutation (PRP) and a strong pseudorandom permutation (SPRP); according to their definitions, a PRP is what is generally understood as an SPRP.

References

  1. IEEE Std 1619.2-2010: IEEE standard for wide-block encryption for shared storage media. IEEE Computer Society, March 2011. http://standards.ieee.org/findstds/standard/1619.2-2010.html

  2. Chakraborty, D., Nandi, M.: An improved security bound for HCTR. In: Fast Software Encryption - FSE 2008, volume 5086 of Lecture Notes in Computer Science, pp 441–455. Springer (2008)

  3. Chakraborty, D., Sarkar, P.: A new mode of encryption providing a tweakable strong pseudo-random permutation. In: Fast Software Encryption - FSE 2008, volume 4047 of Lecture Notes in Computer Science, pp 293–309. Springer (2006)

  4. Chakraborty, D., Sarkar, P.: HCH: A new tweakable enciphering scheme using the hash-counter-hash approach. IEEE Trans. Inf. Theory 54(4), 1683–1699 (2008)


  5. Halevi, S.: EME*: Extending EME to handle arbitrary-length messages with associated data. In: INDOCRYPT, volume 3348 of Lecture Notes in Computer Science, pp 315–327. Springer (2004)

  6. Halevi, S.: Invertible universal hashing and the TET encryption mode. In: CRYPTO, volume 4622 of Lecture Notes in Computer Science, pp 412–429. Springer (2007)

  7. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: CRYPTO, volume 2729 of Lecture Notes in Computer Science, pp 482–499. Springer (2003)

  8. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: CT-RSA, volume 2964 of Lecture Notes in Computer Science, pp 292–304. Springer (2004)

  9. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Advances in Cryptology - Crypto 2012, volume 7417 of Lecture Notes in Computer Science, pp 31–49. Springer (2012)

  10. Mancillas-López, C., Chakraborty, D., Rodríguez-Henríquez, F.: Reconfigurable hardware implementations of tweakable enciphering schemes. IEEE Trans. Comput. 59(11), 1547–1561 (2010)


  11. McGrew, D.A., Fluhrer, S.R.: The extended codebook (XCB) mode of operation. Cryptology ePrint Archive, Report 2004/278 (2004)

  12. McGrew, D.A., Fluhrer, S.R.: The security of the extended codebook (XCB) mode of operation. In: Adams, C., Miri, A., Wiener, M. (eds.) Selected Areas in Cryptography, volume 4876 of Lecture Notes in Computer Science, pp 311–327. Springer Berlin Heidelberg (2007)

  13. McGrew, D.A., Viega, J.: Arbitrary block length mode (2004). http://grouper.ieee.org/groups/1619/email/pdf00005.pdf

  14. Motwani, R., Raghavan, P.: Randomized Algorithms. Cambridge University Press (2007)

  15. Sarkar, P.: Improving upon the TET mode of operation. In: ICISC, volume 4817 of Lecture Notes in Computer Science, pp 180–192. Springer (2007)

  16. Sarkar, P.: Efficient tweakable enciphering schemes from (block-wise) universal hash functions. IEEE Trans. Inf. Theory 55, 4749–4760 (2009)


  17. Wang, P., Feng, D., Wu, W.: HCTR: A variable-input-length enciphering mode. In: CISC, pp 175–188 (2005)


Acknowledgments

The authors thank the reviewers for their careful reading of the paper and for providing useful comments. Debrup Chakraborty acknowledges the support from project 166763 funded by Consejo Nacional de Ciencia y Tecnología (CONACyT), Mexico.


Correspondence to Debrup Chakraborty.

Appendix A: XCB in IEEE 1619.2

Here we describe XCB verbatim as given in IEEE Std 1619.2-2010.

  1. H ← AES-Enc(K, 0^128)

  2. K_e ← msb_k(AES-Enc(K, 0^125 | 001_2) | AES-Enc(K, 0^125 | 010_2))

  3. K_d ← msb_k(AES-Enc(K, 0^125 | 011_2) | AES-Enc(K, 0^125 | 100_2))

  4. K_c ← msb_k(AES-Enc(K, 0^125 | 101_2) | AES-Enc(K, 0^125 | 110_2))

  5. A ← P[m − 128 : m − 1]

  6. B ← P[0 : m − 127]

  7. C ← AES-Enc(K_e, A)

  8. D ← C ⊕ h_1(H, Z, B)

  9. E ← B ⊕ c(K_c, D, #B)

  10. F ← D ⊕ h_2(H, Z, E)

  11. G ← AES-Dec(K_d, F)

  12. CT ← E|G

In the above description A|B denotes the concatenation of the strings A and B, msb_k(X) denotes the k most significant bits of X, and #B is the length of B in bits. Here the length of the plaintext P is m bits. Note that the length of B is m − 126 bits, and this is also the length of E. The length of G is 128 bits, and so the length of CT is m − 126 + 128 = m + 2 bits. So, applying the encryption function increases the length by 2 bits.
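As an added illustration (not code from the paper or from the standard), the following Python applies steps 5, 6 and 12 of the listing above to an m-bit plaintext and counts bits, treating steps 7–11 as length-preserving; the alternative split B ← P[0 : m − 129] used when `as_in_standard=False` is our assumption of the intended non-overlapping partition, not something the page states.

```python
import random

# Added example, not from the paper or from IEEE 1619.2: apply steps 5, 6 and
# 12 of the XCB description to an m-bit plaintext and count bits, treating
# steps 7-11 as length-preserving, so the m -> m+2 growth becomes explicit.
# P[i : j] means bits i..j inclusive (0-indexed), as in the standard's notation.

def slice_bits(p: str, i: int, j: int) -> str:
    """Return bits p[i..j] inclusive; j == i - 1 yields the empty string."""
    if i < 0 or j >= len(p) or j < i - 1:
        raise ValueError(f"range [{i}:{j}] outside 0..{len(p) - 1}")
    return p[i:j + 1]

def xcb_partition(p: str, as_in_standard: bool = True):
    """Steps 5 and 6: A is the last 128 bits of P, B is 'the rest'.

    as_in_standard=True takes B <- P[0 : m - 127] exactly as the standard
    writes it. False takes B <- P[0 : m - 129], the non-overlapping split a
    length-preserving scheme needs (our assumption, not text from the page).
    """
    m = len(p)
    if m < 128:
        raise ValueError("XCB needs at least one full 128-bit block")
    a = slice_bits(p, m - 128, m - 1)
    b = slice_bits(p, 0, m - 127 if as_in_standard else m - 129)
    return a, b

def overlap_bits(p: str, as_in_standard: bool = True) -> int:
    """Number of plaintext bits that end up in both A and B."""
    m = len(p)
    b_end = m - 127 if as_in_standard else m - 129
    return max(0, b_end - (m - 128) + 1)

def ciphertext_length(p: str, as_in_standard: bool = True) -> int:
    """Steps 7-11 map A to the 128-bit G and B to the equally long E, so
    |CT| = |E| + |G| whatever the keys and the functions h_1, h_2 and c are."""
    a, b = xcb_partition(p, as_in_standard)
    return len(b) + len(a)

def demo(m: int = 1000):
    """Constructed sample plaintext of m random bits (not from the page)."""
    rng = random.Random(1)
    p = "".join(rng.choice("01") for _ in range(m))
    return (ciphertext_length(p, True), overlap_bits(p, True),
            ciphertext_length(p, False), overlap_bits(p, False))

if __name__ == "__main__":
    print(demo())  # -> (1002, 2, 1000, 0)
```

With the standard's indices the two halves share 2 plaintext bits and the ciphertext is 2 bits longer than the plaintext; with the non-overlapping split the scheme is length-preserving.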


Cite this article

Chakraborty, D., Hernandez-Jimenez, V. & Sarkar, P. Another look at XCB. Cryptogr. Commun. 7, 439–468 (2015). https://doi.org/10.1007/s12095-015-0127-8
