XTS mode revisited: high hopes for key scopes?
Milan Brož, Vladimír Sedláček
TL;DR
XTS-AES remains a cornerstone of disk-sector encryption, but IEEE1619-2025's key-scope and related changes raise questions about security guarantees and ecosystem-wide compliance. The paper standardizes terminology, formalizes the XTS construction and its security-limiting factors—namely key scopes, maximal sector size, and the need for distinct K and $K_T$—and analyzes threat models from stolen devices to active ciphertext manipulation. It argues for a careful public discussion on whether to retain XTS with revised limits or adopt wide-encryption modes, outlining candidate alternatives such as EME2, Adiantum, HCTR2, and the double-decker framework. The work emphasizes practical implications for vendors and open-source projects, advocating transparent analysis and well-defined mappings of XTS keys to sectors to guide future standards and implementations.
Abstract
This paper concisely summarizes the XTS block encryption mode for storage sector-based encryption applications and clarifies its limitations. In particular, we aim to provide a unified basis for constructive discussions about the newly introduced key scope change to the IEEE 1619 standard. We also reflect on wide modes that could replace XTS in the future.