NIST-800-57-1 implies that a key derived from a KDF is as good as a key derived from a real CSPRNG in 8.2.4 (2):

If the key derivation key is known to an opponent, it can generate anyone

the derived key. Therefore, keys are derived from a key derivation key

are only as secure as the key activation key itself. As long as the

Key derivation keys are kept secret, the derived keys can be used in the

the same way as randomly generated keys.

The IEEE recommendation in IEEE P1619 / D16 is not to encrypt more than "a few hundred terabytes" with a single key, so that the security certificate for XEX guarantees that attacks are unlikely to fail:

```
43 • Use of a single cryptographic key for more than a few hundred terabytes of data opens possibility of
44 attacks, as described in D.4.3. The limitation on the size of data encrypted with a single key is not
45 unique to this standard. It comes directly from the fact that AES has a block size of 128 bits and is not
46 mitigated by using AES with a 256-bit key.
```

The problem here is that if you encrypt more than 1 TB of blocks, the proof of security for the indistinguishability of cipher text does not apply. Quoting from comments about XTS mode that clarify the matter more than:

When Appendix D.4.3 states that the same key should not encrypt more than

240 blocks (approx. 16 terabytes – not 1 terabyte), this is with the

extremely conservative probability of a distinctive attack

Success with a probability of 1 in 253, which is extraordinary

conservative. D.4.3 also shows that a petabyte is encrypted

limits the probability of an attack's success to no more than 2-37,

and encrypting an exabyte no longer limits the likelihood of success

than 2-17. This is the guarantee based on the safety certificate and the

The actual likelihood of a successful discrimination attack could be

lower if further investigations tighten the security limits. Also the

The result of success in this attack is the distinction

XTS from an ideal block encryption that can be optimized so as not to restore it

Encryption key or plain text. In essence, this is the point at which the

The security corresponds approximately to that of the ECB mode.

My question is, can KDF solve this problem?

Given a sector number `I`

Plain text `P`

and key `K`

, normally the encryption with XTS looks like this

```
XTS(key=K, plaintext=P, sector=I)
```

Would use instead

```
XTS(key=KDF(key=K, salt=I%10), plaintext=P, sector=I)
```

Do you allow us to encrypt ten times more data while the security guarantee is still valid?

On the one hand, it seems impossible. Basically we use KDF as CSPRNG. That makes no sense.

On the other hand, it seems acceptable to take the NIST recommendations literally.

The crux of the problem, as I understand it, is that XTS is used `128`

Bits Block, there is a good change, you will find two identical blocks if you encrypt enough data.

But will the problem really be mitigated if the attacker doesn't have two identical blocks?

```
C = XTS(K, I, P_1)
C = XTS(K, J, P_2)
```

The attacker has

```
C = XTS(KDF(K, I%10), I, P_1)
C = XTS(KDF(K, J%10), J, P_2)
```

I am happy to receive information on this topic.