Wide-Block Cipher Support and HCTR2 for Storage Encryption

Explore wide-block cipher support and HCTR2 in this 26-minute conference talk by Nathan Huckleberry from Google. Delve into the limitations of narrow-block ciphers like AES-XTS for storage encryption and discover why wide-block ciphers are better suited for this purpose. Learn about HCTR2, a new wide-block encryption mode being added to the Linux Crypto API, and its advantages in providing more secure storage encryption with minimal performance loss. Gain insights into the background of wide-block cipher modes, Linux's wide-block cipher support, HCTR2's design, and its application to filename encryption in ext4 and f2fs filesystems. Understand the importance of IV reuse in disk and filename encryption, the differences between narrow and wide block sector modifications, and the concept of tweakable PRPs and SPRPs.

Intro
Storage Encryption
IV Reuse in Disk Encryption
Narrow Block Modes
Narrow Block Sector Modification
Disk Corruption Granularity
Randomized Corruption
How to Fix
Wide Block Sector Modification
Wide Block Ciphers (Tweakable PRPs)
IV Reuse in Filename Encryption
Variable Length Ciphers (Tweakable SPRP)
Tweakable SPRP to Tweakable PRP
Tweakable SPRP to AEAD
Advantages over XTS
Disadvantages
TSPRP Support in Linux kernel
Use Cases in Kernel