Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp6527609ybh;
        Thu, 8 Aug 2019 01:31:40 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzsj9FHoSuqJz4UXT6LWpzfnovp6vCCyUcJHv/VUOIlcn8KscAObCkkQSao8TOjgRoJfKIH
X-Received: by 2002:aa7:90c9:: with SMTP id k9mr13737049pfk.171.1565253100549;
        Thu, 08 Aug 2019 01:31:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1565253100; cv=none;
        d=google.com; s=arc-20160816;
        b=ISZNyl9JT82W0pGYInKW0PNQsYyV+eAAvAvO/3qC7EorC6ppBWDJc6tduYFOiNmBzY
         4XgepocweMnsA5EKNIsJHyY87IGmF2PrXPKsOc8r3KmaZM1zxSzc47Uct1QKYrLV7iKm
         DrUxyac3Tnp+cc490zpCGyLl704LmU4nFz1KUjfdcr/iRje04xB4rhMDQrH8/kiaUZYV
         /1ckBqnjiZaJvo4nbV+NvdFAhZcRj7SEgtWDbV8OHtTgayAYweSik8Oi+Qa88JZ/m6L9
         +SAdCZ1L+wyah4KArp0D+JyKR1qNuHAPnWrbFysIXErrHXTv5/0jHGetjlg8Av1pBnVT
         p8FA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:mail-followup-to
         :message-id:subject:cc:to:from:date:dkim-signature;
        bh=LsUqdRlE3jGxLzISDOTNd9EH/ANKJfDyEHDvUy0ZeD8=;
        b=HUCfTz28+q7OiBuKogDmak/PbNPIyCpyRyPrKOqTYWrl25d9aRe3a3zXoOsN6ZrWuN
         QatPr1Q6ZfdZQBMXHyahVgZi3ihLTqOl2wOo9NNc0/vp1YJEgqv6PXabuZSlxGmq6vBD
         9eM7NR6yTAYPJwwK/gxjMrSKF8vRhn2xwI58txYs4064rn/SNrzZrBpvP5ye/54rVbRL
         9jNOSHmfooa0MXQRi6JFNkESxrEHtMB+8d5MB6w1r6c9a9ZeYYXo4RhFdKFl+mItlRhs
         COyUCfpg2d80DZ+cU/lfEOdYNoa4fJAqtIYKDkXWTm1SUgVzMtwrcxkFzoYr/hTroZXU
         bJHA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=N3ULtNqv;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a89si51033884pla.60.2019.08.08.01.31.22;
        Thu, 08 Aug 2019 01:31:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=N3ULtNqv;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731719AbfHHIbC (ORCPT <rfc822;cvimail81@gmail.com> + 99 others);
        Thu, 8 Aug 2019 04:31:02 -0400
Received: from mail.kernel.org ([198.145.29.99]:48096 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731592AbfHHIbC (ORCPT <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 8 Aug 2019 04:31:02 -0400
Received: from sol.localdomain (c-24-5-143-220.hsd1.ca.comcast.net [24.5.143.220])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id EA236214C6;
        Thu,  8 Aug 2019 08:31:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1565253061;
        bh=5ESMyMBNu6p05v5ED3QRTCllbzhyiTHzmWVYmG71cxM=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=N3ULtNqvBu60Tv9ro9tXW0UY6SDj9hj3GqVfecTVKX4UP8lRD66ng8u147qkARZDb
         rJzuWmSYrzVvFv9VV4gBSGDhzwHkU++GMZgW1WvboalMp6d3cpHnMOxyLj7D8oBCvd
         WJWei+akZWXQhxbXg7B1tjqKzYD31j/gRugPhv5M=
Date:   Thu, 8 Aug 2019 01:30:59 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Cc:     Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
        "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
        "agk@redhat.com" <agk@redhat.com>,
        "snitzer@redhat.com" <snitzer@redhat.com>,
        "dm-devel@redhat.com" <dm-devel@redhat.com>,
        "gmazyland@gmail.com" <gmazyland@gmail.com>
Subject: Re: [RFC PATCH v2] md/dm-crypt - reuse eboiv skcipher for IV
 generation
Message-ID: <20190808083059.GB5319@sol.localdomain>
Mail-Followup-To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
        "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
        "agk@redhat.com" <agk@redhat.com>,
        "snitzer@redhat.com" <snitzer@redhat.com>,
        "dm-devel@redhat.com" <dm-devel@redhat.com>,
        "gmazyland@gmail.com" <gmazyland@gmail.com>
References: <20190807055022.15551-1-ard.biesheuvel@linaro.org>
 <MN2PR20MB297336108DF89337DDEEE2F6CAD40@MN2PR20MB2973.namprd20.prod.outlook.com>
 <CAKv+Gu_jFW26boEhpnAZg9sjWWZf60FXSWuSqNvC5FJiL7EVSA@mail.gmail.com>
 <MN2PR20MB2973A02FC4D6F1D11BA80792CAD40@MN2PR20MB2973.namprd20.prod.outlook.com>
 <CAKv+Gu8fgg=gt4LSnCfShnf0-PZ=B1TNwM3zdQr+V6hkozgDOA@mail.gmail.com>
 <MN2PR20MB29733EEF59CCD754256D5621CAD40@MN2PR20MB2973.namprd20.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <MN2PR20MB29733EEF59CCD754256D5621CAD40@MN2PR20MB2973.namprd20.prod.outlook.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, Aug 07, 2019 at 04:14:22PM +0000, Pascal Van Leeuwen wrote:
> > > > In your case, we are not dealing with known plaintext attacks,
> > > >
> > > Since this is XTS, which is used for disk encryption, I would argue
> > > we do! For the tweak encryption, the sector number is known plaintext,
> > > same as for EBOIV. Also, you may be able to control data being written
> > > to the disk encrypted, either directly or indirectly.
> > > OK, part of the data into the CTS encryption will be previous ciphertext,
> > > but that may be just 1 byte with the rest being the known plaintext.
> > >
> > 
> > The tweak encryption uses a dedicated key, so leaking it does not have
> > the same impact as it does in the EBOIV case. 
> >
> Well ... yes and no. The spec defines them as seperately controllable -
> deviating from the original XEX definition - but in most practicle use cases 
> I've seen, the same key is used for both, as having 2 keys just increases 
> key  storage requirements and does not actually improve effective security 
> (of the algorithm itself, implementation peculiarities like this one aside 
> :-), as  XEX has been proven secure using a single key. And the security 
> proof for XTS actually builds on that while using 2 keys deviates from it.
> 

This is a common misconception.  Actually, XTS needs 2 distinct keys to be a
CCA-secure tweakable block cipher, due to another subtle difference from XEX:
XEX (by which I really mean "XEX[E,2]") builds the sequence of masks starting
with x^1, while XTS starts with x^0.  If only 1 key is used, the inclusion of
the 0th power in XTS allows the attack described in Section 6 of the XEX paper
(https://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf).

Of course, it's debatable what this means *in practice* to the usual XTS use
cases like disk encryption, for which CCA security may not be critical...  But
technically, single-key XTS isn't secure under as strong an attack model as XEX.

- Eric