Re: XTS cipher mode for cluster file encryption

From: Andres Freund <andres(at)anarazel(dot)de>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: XTS cipher mode for cluster file encryption
Date: 2021-10-15 21:21:09
Message-ID: 20211015212109.ugwjuhe4lzymnorg@alap3.anarazel.de
Lists: pgsql-hackers

Hi,

On 2021-10-15 15:22:48 -0400, Stephen Frost wrote:
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Finally, there is an interesting web page about when not to use XTS:
> >
> > https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/
>
> This particular article always struck me as more of a reason for us, at
> least, to use XTS than to not- in particular the very first comment it
> makes, which seems to be pretty well supported, is: "XTS is the de-facto
> standard disk encryption mode."

I don't find that line of argument *that* convincing. The reason XTS is the
de-facto standard for generic block layer encryption is that you can't
add additional data for each block without very significant overhead
(basically needing journaling to ensure that the data doesn't get out of
sync). But we don't really face the same situation - we *can* add additional
data.

With something like AES-GCM-SIV we can use the additional data to get IV reuse
resistance *and* authentication. And while perhaps we are ok with the IV reuse
guarantees XTS has, it seems pretty clear that we'll want guaranteed
authenticity at some point. And then we'll need extra data anyway.

Thus, to me, it doesn't seem worth going down the XTS route, just to
temporarily save a bit of implementation effort. We'll have to endure that
pain anyway.

Greetings,

Andres Freund
