Xor–encrypt–xor


The xor–encrypt–xor (XEX) is a (tweakable) mode of operation of a block cipher. In tweaked-codebook mode with ciphertext stealing (XTS mode), it is one of the more popular modes of operation for whole-disk encryption. XEX is also a common form of key whitening, and part of some smart card proposals. (Barış Ege, Elif Bilge Kavun, and Tolga Yalçın. [http://emsec.rub.de/media/crypto/veroeffentlichungen/2012/01/16/mem_enc.pdf "Memory Encryption for Smart Cards"]. 2011. Archived 2018-11-03 at https://web.archive.org/web/20181103063122/http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2012/01/16/mem_enc.pdf; Emmanuel Prouff. [https://books.google.com/books?id=G2TlxEGwnzUC "Smart Card Research and Advanced Applications"]. 2011, p. 201.)

History

In 1984, to protect DES against exhaustive search attacks, Ron Rivest proposed DESX: XOR a pre-whitening key to the plaintext, encrypt the result with DES using a secret key, and then XOR a postwhitening key to the encrypted result to produce the final ciphertext. (Orr Dunkelman, Nathan Keller, and Adi Shamir. [http://eprint.iacr.org/2011/541.pdf "Minimalism in Cryptography: The Even–Mansour Scheme Revisited"].)

In 1991, motivated by Rivest's DESX construction, Even and Mansour proposed a much simpler scheme (the "two-key Even–Mansour scheme"), which they suggested was perhaps the simplest possible block cipher: XOR the plaintext with a prewhitening key, apply a publicly known unkeyed permutation (in practice, a pseudorandom permutation) to the result, and then XOR a postwhitening key to the permuted result to produce the final ciphertext. (Joan Daemen, Laboratorium Esat. "Limitations of the Even–Mansour Construction". 1992. doi:10.1007/3-540-57332-1_46.)

Studying simple Even–Mansour style block ciphers gives insight into the security of Feistel ciphers (DES-like ciphers) and helps understand block cipher design in general. (Craig Gentry and Zulfikar Ramzan. [https://www.iacr.org/cryptodb/archive/2004/ASIACRYPT/218/218.pdf "Eliminating Random Permutation Oracles in the Even–Mansour Cipher"]. 2004.)

Orr Dunkelman, Nathan Keller, and Adi Shamir later proved it was possible to simplify the Even–Mansour scheme even further and still retain the same provable security, producing the "single-key Even–Mansour scheme": XOR the plaintext with the key, apply a publicly known unkeyed permutation to the result, and then XOR the same key to the permuted result to produce the final ciphertext. (Orr Dunkelman, Nathan Keller, and Adi Shamir. [https://www.iacr.org/conferences/eurocrypt2012/program.html "Eurocrypt 2012: Minimalism in Cryptography: The Even-Mansour Scheme Revisited"].)

In 2004, Rogaway presented the XEX scheme with key- and location-dependent "tweaks".

Rogaway used XEX to allow efficient processing of consecutive blocks (with respect to the cipher used) within one data unit (e.g., a disk sector) for whole-disk encryption. (Phillip Rogaway. [http://www.cs.ucdavis.edu/~rogaway/papers/offsets.pdf "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC"]. 2004-09-24.)
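The following sketch is an added example, not code from Rogaway's paper or from any disk-encryption product named in this article. It applies the XEX pattern to one sector: the mask is the encryption of the sector number, multiplied by α in GF(2^128) once per successive block, and each block is XORed with that mask before and after the block cipher. The 4-round Feistel `E`/`D` is a standard-library stand-in for a real block cipher such as AES and is an assumption of this example, as are the function names, the little-endian byte order and the choice to start the block index at 1.

```python
import hashlib

BLOCK = 16  # block size in bytes (128 bits)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher (assumption; use AES in practice).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: 4-round Feistel network, encrypt direction."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: undo the Feistel rounds in reverse order."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def double(mask: bytes) -> bytes:
    """Multiply by alpha (x) in GF(2^128), modulus x^128 + x^7 + x^2 + x + 1."""
    n = int.from_bytes(mask, "little") << 1
    if n >> 128:  # reduce when the shift overflows 128 bits
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")

def xex_sector(key: bytes, sector_no: int, data: bytes, decrypt: bool = False) -> bytes:
    """XEX over one sector: out_j = cipher(in_j XOR X_j) XOR X_j."""
    if len(data) % BLOCK:
        raise ValueError("whole blocks only; XTS adds ciphertext stealing for the rest")
    cipher = D if decrypt else E
    mask = E(key, sector_no.to_bytes(BLOCK, "little"))  # E_K(sector number)
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        mask = double(mask)  # X_j = E_K(sector) * alpha^j, j = 1, 2, ...
        out += _xor(cipher(key, _xor(data[off:off + BLOCK], mask)), mask)
    return bytes(out)

if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed sample values
    sector = b"A" * BLOCK * 2          # two identical plaintext blocks
    ct = xex_sector(key, 7, sector)
    print(ct[:BLOCK] != ct[BLOCK:], xex_sector(key, 7, ct, decrypt=True) == sector)
```

Because the mask depends on both the sector number and the block position, identical plaintext blocks do not produce identical ciphertext blocks, which is what separates this mode from plain codebook encryption of a disk.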

Many whole-disk encryption systems – BestCrypt, dm-crypt, FreeOTFE, TrueCrypt, DiskCryptor, FreeBSD's geli, OpenBSD softraid disk encryption software, and Mac OS X Lion's FileVault 2 – support XEX-based tweaked-codebook mode with ciphertext stealing (XTS mode).
