How many blocks can securely be encrypted with XTS

Question

I could not find in the NIST recommendations on XTS how many blocks can securely be encrypted with XTS-AES.

Through the recommendations, I've found:

The length of the data unit for any instance of an implementation of XTS-AES shall not exceed $2^{20}$ AES blocks.

The specification cited in NIST The XTS-AES Tweakable Block Cipher states:

The number of 128-bit blocks in the data unit shall not exceed $2^{128}-2$. The number of 128-bit blocks should not exceed $2^{20}$.

From what I understood, data units are sectors, so a sector can have at most $2^{128}-2$ blocks but you can only encrypt $2^{20}$ blocks which cannot be correct (it seems too little compared to a disk's capacity).

Answer 1

From what I understood, data units are sectors, so a sector can have at most $2^{128}-2$ blocks but you can only encrypt $2^{20}$ blocks which cannot be correct (it seems too little compared to a disk's capacity).

The data unit is the sector, yes, but both of those quotes only talk about the length of a single data unit. The larger number in the latter reference ("shall not"), is an absolute bound, while the second ("should not") is a recommendation.

The recommendation from the second reference is that a sector should be no larger than $128 \cdot 2^{20}$ bits, i.e. 16 MiB. SP 800-38E makes this recommendation a requirement:

The length of the data unit for any instance of an implementation of XTS-AES shall not exceed $2^{20}$ AES blocks. Note that Subclause 5.1 of Ref.[2] recommends this limit but does not require it.

(The ref above is to the IEEE standard based on the draft spec you linked.)

---

The total disk capacity encrypted can be much larger, since it consists of many sectors. For recommendations, you can see appendix D.4 of the second specification, where $2^{36}$ and $2^{40}$ (1 TiB and 16 TiB) AES blocks are mentioned.