In August 2021, NIST's Crypto Publication Review Board announced the review of NIST Special Publication (SP) 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices. In response, NIST received public comments.
NIST proposes to update SP 800-38E to address the editorial suggestions in the public comments. In particular, the updated publication will mention the security vulnerability that results when the two AES (sub)keys are improperly generated to be identical, as discussed in Annex C.I of Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program.
The updated SP 800-38E would be published without a period of public comment.
Submit your comments on this decision proposal by March 10, 2023 to cryptopubreviewboard [at] nist.gov with "Comments on SP 800-38E Decision Proposal" in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters' names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
SP 800-38E approves the XTS-AES technique by reference to its specification in IEEE Std. 1619-2007. The technique continues to serve the need for which it was originally designed and approved: the encryption of storage devices in which it is not feasible to expand the data to incorporate authentication tags. In that setting, XTS-AES continues to provide better security properties than the modes in SP 800-38A.
Therefore, the main question in the review of SP 800-38E was whether to cite the revision of the IEEE standard, IEEE Std. 1619-2018, which included the following technical changes:
Because SP 800-38E already required the first limit, and because the second limit is very difficult to reach, NIST decided that there would be little practical benefit to revising SP 800-38E to approve the IEEE revision: implementations of XTS-AES as specified in IEEE Std. 1619-2018 already conform to SP 800-38E.