Howdy... (and sorry for... you know ;-) )
With 1.0f (2015) and many changes in the format, we... cherish XTS. I don't understand why.
Rogaway himself on page 6
"[...]that the nominally "correct" solution for (length-preserving) enciphering of disk sectors and the like is to apply a tweakable, strong PRP (aka wide-blocksize encryption) to the (entire) data unit. That notion is strong, well-studied, easy to understand, and readily achievable. There are now some 15+ proposed schemes in the literature for solving this problem.
If NIST approves the "lite" enciphering mode that is XTS, this should not be understood to diminish the utility of standardizing a (wide-blocksize) strong PRP. In the end, because of its much weaker security properties, I expect that XTS is an appropriate mechanism choice only in the case that one simply cannot afford the computation or latency associated to computing a strong PRP."
On page 7, Bharadwaj and Ferguson... consider
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/collected_XTS_comments.pdf
OCB3 was published in 2011. OK, with 2 patents. But it would still be FREE for us (also without OSI cert). And I think also without pure GPL in VeraCrypt
https://en.wikipedia.org/wiki/OCB_mode#Patents
Have we asked Rogaway about using OCB3? If not, why?