As far as I know the only disadvantage that XEX has when compared to CTR is that you need a block cipher/permutation while CTR is fine with just a hash function. Meanwhile XEX offers the advantage that it is more misuse-resistant (reuse of the counter/nonce breaks CTR but this is not an issue with XEX) and less malleable. Considering that, why is XEX almost never used outside of disk encryption?
1 Answer
4
If CPA-security is sufficient, then CTR is sufficient. If you need authenticated encryption (or CCA), then neither XEX/XTS nor CTR is sufficient and you should be using AES-GCM or something similar. In general, as soon as you want something that is "less malleable" then you consider malleability a threat and you should be using authenticated encryption. If you are worried about nonce misuse resistance, then likewise you should be using such a scheme (SIV or GCM-SIV, etc.).
There is just no good reason to use XEX/XTS, except when you have a severe limitation like in disk encryption that you cannot increase the sector size.
Yehuda Lindell
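The two CTR properties discussed above, as an added example that is not part of the original question or answer: nonce reuse cancels the keystream, a ciphertext edit passes straight through to the plaintext, and an authentication tag rejects that edit. It assumes HMAC-SHA256 as the hash-based PRF for CTR and encrypt-then-MAC as a stand-in for an AEAD such as AES-GCM; all function names and messages are constructed for illustration. The tag addresses malleability only, not nonce reuse.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream from a hash-based PRF: HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; in CTR both are the same XOR with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC (assumed AEAD stand-in): tag covers nonce and ciphertext."""
    ct = ctr_crypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Return the plaintext, or None when the tag does not verify."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_crypt(enc_key, nonce, ct)

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    p1 = b"PAY 0100 USD TO ALICE"  # constructed sample messages
    p2 = b"PAY 0999 USD TO CAROL"
    c1 = ctr_crypt(enc_key, nonce, p1)
    c2 = ctr_crypt(enc_key, nonce, p2)        # misuse: nonce used twice
    reuse_leak = xor(c1, c2) == xor(p1, p2)   # keystream cancels out
    # Malleability: XOR a known difference into bytes 4..7 of the ciphertext.
    delta = xor(b"0100", b"9100")
    edited = c1[:4] + xor(c1[4:8], delta) + c1[8:]
    malleable = ctr_crypt(enc_key, nonce, edited) == b"PAY 9100 USD TO ALICE"
    # The same edit against an authenticated ciphertext is rejected.
    ct, tag = seal(enc_key, mac_key, nonce, p1)
    edited_ct = ct[:4] + xor(ct[4:8], delta) + ct[8:]
    rejected = open_sealed(enc_key, mac_key, nonce, edited_ct, tag) is None
    intact = open_sealed(enc_key, mac_key, nonce, ct, tag) == p1
    return reuse_leak, malleable, rejected, intact
```

Calling `demo()` returns four booleans: keystream cancellation under nonce reuse, the plaintext change caused by the ciphertext edit, rejection of the edited ciphertext by the tag check, and successful decryption of the untouched one.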