item 7676503


midas007 | 12 years ago

TL;DR For random-seek block encryption, don't use XTS, use CTR.

It's simple. I like simple maths and code, it's less to screw up and less for implementations to screw up. For example, I don't trust EC or GCM, even if some people thinks they're the new hotness, because complexity creates more opportunities for obfuscation and puts the code further out of reach of the already few eyeballs actually (or not) looking at it.

Maybe 'cpervica can explain why.


tptacek | 12 years ago

What? No. Don't do that.

ronaldx | 12 years ago

This is why you should never tell people what not to do, without also telling them what they should be doing ;)

midas007 | 12 years ago

? What's wrong with CTR? CTR is basically an OTP. Being an OTP, encryption and decryption are basically the same construction (thank you, XOR).

    cipherblockdata = blockcipher(key, nonce . block #) ^ plainblockdata
    plainblockdata = blockcipher(key, nonce . block #) ^ cipherblockdata
If a MAC is needed, that can happen after encrypting and before decrypting. (Needed if bytes traverse a network, but maybe not for local disk or file encryption unless.)

Edit: fixed my maths:
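The construction in the comment above, worked through in Go as an added example (this is not code from the thread or from any of its participants). It assumes AES-128 as the block cipher, a 16-byte counter block laid out as an 8-byte nonce followed by an 8-byte big-endian block number, and a constructed key, nonce and four-sector plaintext. It shows the random-seek property the comment wants, and also the two checks a practitioner would run before trusting bare CTR on a disk: a one-bit ciphertext flip lands as a one-bit plaintext flip with no key and no error (which is why the MAC question matters), and rewriting a sector with the same nonce and block number reuses the keystream, so c1 XOR c2 = p1 XOR p2 and a known old sector reveals the new one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Constructed sample inputs for this example (not from the thread):
// a 16-byte AES-128 key, an 8-byte per-volume nonce, and four 16-byte "sectors".
var (
	sampleKey   = []byte("0123456789abcdef")
	sampleNonce = []byte("nonce-01")
	samplePlain = []byte("sector 0 text...sector 1 text...sector 2 text...sector 3 text...")
)

// keystreamBlock is blockcipher(key, nonce . block#) from the comment. The
// layout is an assumption: 8-byte nonce, then the 8-byte big-endian block number.
func keystreamBlock(key, nonce []byte, blockNo uint64) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	in := make([]byte, aes.BlockSize)
	copy(in[:8], nonce)
	binary.BigEndian.PutUint64(in[8:], blockNo)
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

// ctrXOR encrypts or decrypts data whose first byte sits at block number
// `first`. It is the same function in both directions: XOR with the keystream.
func ctrXOR(key, nonce []byte, first uint64, data []byte) []byte {
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += aes.BlockSize {
		ks := keystreamBlock(key, nonce, first+uint64(off/aes.BlockSize))
		end := off + aes.BlockSize
		if end > len(data) {
			end = len(data)
		}
		for i := off; i < end; i++ {
			out[i] = data[i] ^ ks[i-off]
		}
	}
	return out
}

// RandomSeekRoundTrip shows the property the comment is after: block 2 is
// decrypted on its own, without touching blocks 0, 1 or 3.
func RandomSeekRoundTrip() bool {
	ct := ctrXOR(sampleKey, sampleNonce, 0, samplePlain)
	block2 := ctrXOR(sampleKey, sampleNonce, 2, ct[32:48])
	return bytes.Equal(block2, samplePlain[32:48])
}

// MalleabilityDemo shows why the MAC question matters: flipping one bit of
// ciphertext flips the same bit of plaintext, with no key and no error.
// Here the attacker turns "sector 0" into "sector 1".
func MalleabilityDemo() string {
	ct := ctrXOR(sampleKey, sampleNonce, 0, samplePlain)
	ct[7] ^= '0' ^ '1' // byte 7 is the '0' in "sector 0"
	pt := ctrXOR(sampleKey, sampleNonce, 0, ct)
	return string(pt[:16])
}

// KeystreamReuseDemo shows the in-place rewrite caveat: the same nonce and
// block number give the same keystream, so an observer who knows the old
// sector contents recovers the new ones as c1 XOR c2 XOR p1.
func KeystreamReuseDemo() string {
	oldPlain := samplePlain[:16]          // assumed known to the attacker (e.g. a header)
	newPlain := []byte("sector 0 NEW!!!!") // rewritten sector contents
	c1 := ctrXOR(sampleKey, sampleNonce, 0, oldPlain)
	c2 := ctrXOR(sampleKey, sampleNonce, 0, newPlain)
	recovered := make([]byte, 16)
	for i := range recovered {
		recovered[i] = c1[i] ^ c2[i] ^ oldPlain[i]
	}
	return string(recovered)
}

func main() {
	fmt.Println("random-seek decrypt of block 2 ok:", RandomSeekRoundTrip())
	fmt.Println("after flipping one ciphertext bit:", MalleabilityDemo())
	fmt.Println("new sector recovered without key:", KeystreamReuseDemo())
}
```

The first function is the whole argument for CTR on a random-seek device; the other two are the conditions under which that argument holds only if something else (a MAC, and a nonce or counter that changes on every rewrite of a sector) is layered on top.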