Inside the Windows Vista Disk Encryption Algorithm

Testing Methodology

In examining the cryptographic strength of AES-CBC + Elephant, we ran four tests on the cipher:

• Test1 tests if changing any bit in the ciphertext will be associated with changing a specific bit(s) in the plaintext. This assures that manipulating ciphertext will not lead to a predicted change in the plaintext (a bit-flipping attack "where flipping a bit in ciphertext will be associated by a flipping of a certain bit in plaintext").
• Test2 tests if changing any bit in the plaintext will be associated with changing a specific bit(s) in the ciphertext. This assures that manipulating plaintext will not lead to a predicted change in ciphertext.
• Test3 measures the avalanche effect in the encryption direction (the effect of changing one bit of plaintext on the ciphertext). A good cipher will have roughly half the bits of the ciphertext changed due to a single bit change in plaintext.
• Test4 measures the avalanche effect in the decryption direction (the effect of changing one bit of ciphertext on the plaintext). This is to process the poor man's authentication; that is, changing one bit in the ciphertext suggests that roughly half the plaintext will be scrambled.

AES-CBC + Elephant Diffuser

We first tested the current implementation of the cipher using the four tests. The cipher passed them all. Then we studied the ability of reducing the number of runs of Diffuser A and Diffuser B to increase performance. Our results were:

• Test1. Diffuser A should run at least two times.
• Test2. The diffusion layer can be omitted and the cipher will pass.
• Test3. Diffuser B should run at least one time.
• Test4. Diffuser A should run at least two times.

What we learned was that you can achieve maximum performance (without sacrificing the statistical properties of AES-CBC + Elephant diffuser) when running Diffuser A for two times and Diffuser B for one time.

AES-ECB + Elephant Diffuser

With the widespread use of dual-core processors, speeding up encryption using parallelization is possible. With this in mind, we replaced the AES-CBC layer (which is, by definition, sequential) with the AES-ECB layer (which can easily be parallelized). Figure 2 shows the modified cipher. We only need 128-bits as a sector key to be XORed with the plaintext. Note that we added a block counter to the drive sector key before it is XORed with the plaintext. This counter has the value of 0 for the first plaintext and is incremented by 1 for each plaintext within the block (until it reaches the value of 31). This counter was added on to the original design to make each plaintext dependent on its position within the block.

Figure 2: Overview of AES-ECB + Elephant diffuser.

When applying the four tests, the results show that if we use the current implementation of the diffuser layer, the modified cipher passes all the tests. With this in mind, we then examined whether we could reduce the number of runs of Diffuser A and Diffuser B, thereby increasing performance. Our results were:

• Test1. Diffuser A should run at least two times.
• Test2. The diffusion layer can be omitted and the cipher will pass it.
• Test3. Diffuser B should run at least two times.
• Test4. Diffuser A should run at least two times.

From the results, we determined that you can achieve maximum performance without sacrificing the statistical properties of the AES-ECB + Elephant diffuser when running both Diffuser A and Diffuser B, each for two times.