Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Announcement of Proposal to Update NIST SP 800-38E, Using the XTS-AES Mode for Confidentiality on Storage Devices

NIST is proposing to update Special Publication (SP) 800-38E, "Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices." Please submit public comments by March 10, 2023.

In August 2021, NIST's Crypto Publication Review Board announced the review of NIST Special Publication (SP) 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices. In response, NIST received public comments.

NIST proposes to update SP 800-38E to address the editorial suggestions in the public comments. In particular, the updated publication will mention the security vulnerability that results when the two AES (sub)keys are improperly generated to be identical, as discussed in Annex C.I of Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program.

The updated SP 800-38E would be published without a period of public comment.

Submit your comments on this decision proposal by March 10, 2023 to cryptopubreviewboard [at] nist.gov (subject: Comments%20on%20Decision%20Proposal%20of%20SP%20800-106) (cryptopubreviewboard[at]nist[dot]gov) with "Comments on SP 800-38E Decision Proposal" in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.

Rationale

SP 800-38E approves the XTS-AES technique by reference to its specification in IEEE Std. 1619-2007. The technique continues to serve the need for which it was originally designed and approved: the encryption of storage devices in which it is not feasible to expand the data to incorporate authentication tags. In that setting, XTS-AES continues to provide better security properties than the modes in SP 800-38A.

Therefore, the main question in the review of SP 800-38E was whether to cite the revision of the IEEE standard, IEEE Std. 1619-2018, which included the following technical changes:

  • to limit the length of data units to 220 blocks, and
  • to limit the total number of blocks to 264.

Because SP 800-38E already required the first limit, and because the second limit is very difficult to reach, NIST decided that there would be little practical benefit to revising SP 800-38E to approve the IEEE revision: implementations of XTS-AES as specified in IEEE Std. 1619-2018 already conform to SP 800-38E.

Released February 8, 2023, Updated February 14, 2023