IEEE Std 1619-2018 pdf download – IEEE Standard for Cryptographic Protection of Data on Block- Oriented Storage Devices.
5. XTS-AES transform 5.1 Data units and tweaks This standard applies to encryption of a data stream divided into consecutive equal-size data units, where the data stream refers to the information that has to be encrypted and stored on the storage device. Information that is not to be encrypted is considered to be outside of the data stream. The data unit size shall be at least 128 b. Data unit should be divided into 128-b blocks. Last part of the data unit might be shorter than 128 b. The total number of 128-b blocks shall not exceed 2 64 . The number of 128-b blocks within the data unit shall not exceed 2 20 . A compliant implementation shall support ciphertext stealing if it also supports data unit sizes that are not multiples of 128 b. Each data unit is assigned a tweak value that is a nonnegative integer. The tweak values are assigned consecutively, starting from an arbitrary nonnegative integer. When encrypting a tweak value using AES, the tweak is first converted into a little-endian byte array. For example, tweak value 123456789a 16 corresponds to byte array 9a 16 ,78 16 ,56 16 ,34 16 ,12 16 . The mapping between the data unit and the transfer, placement, and composition of data on the storage device is beyond the scope of this standard. Devices compliant with this standard should include documentation describing this mapping. In particular, a single data unit does not necessarily correspond to a single logical block on the storage device. For example, several logical blocks might correspond to a single data unit. Data stream, as used in this standard, does not necessarily refer to all of the bits sent to be stored in the storage device. For example, if only part of a logical block is encrypted, only the encrypted bytes are viewed as the data stream, i.e., input to the encryption algorithm in this standard.
6. Using XTS-AES-128 and XTS-AES-256 for encryption of storage The encryption and decryption procedures described in 5.3 and 5.4 use AES as the basic building block. If the XTS-AES key consists of 256 b, the procedures use 128-b AES; if the XTS-AES key consists of 512 b, the procedures use 256-b AES. For completeness, the first mode shall be referred to as XTS-AES-128 and the second as XTS-AES-256. To be compliant with the standard, the implementation shall support at least one of the above modes. Key scope defines the range of data encrypted with a single XTS-AES key. The key scope is represented by the following three values: a) Value of the tweak associated with the first data unit in the sequence of data units encrypted by this key b) The size in bits of each data unit c) The number of units to be encrypted/decrypted under the control of this key An implementation compliant with this standard may or may not support multiple data unit sizes. In an application of this standard to sector-level encryption of a disk, the data unit typically corresponds to a logical block, the key scope typically includes a range of consecutive logical blocks on the disk, and the tweak value associated with the first data unit in the scope typically corresponds to the Logical BlockAddress (LBA) associated with the first logical block in the range. An XTS-AES key shall not be associated with more than one key scope.