NIST-800-57-1 implies that a key derived from a KDF is as good as a key derived from a real CSPRNG in 8.2.4 (2):
If the key derivation key is known to an opponent, it can generate anyone
the derived key. Therefore, keys are derived from a key derivation key
are only as secure as the key activation key itself. As long as the
Key derivation keys are kept secret, the derived keys can be used in the
the same way as randomly generated keys.
The IEEE recommendation in IEEE P1619 / D16 is not to encrypt more than "a few hundred terabytes" with a single key, so that the security certificate for XEX guarantees that attacks are unlikely to fail:
43 • Use of a single cryptographic key for more than a few hundred terabytes of data opens possibility of 44 attacks, as described in D.4.3. The limitation on the size of data encrypted with a single key is not 45 unique to this standard. It comes directly from the fact that AES has a block size of 128 bits and is not 46 mitigated by using AES with a 256-bit key.
The problem here is that if you encrypt more than 1 TB of blocks, the proof of security for the indistinguishability of cipher text does not apply. Quoting from comments about XTS mode that clarify the matter more than:
When Appendix D.4.3 states that the same key should not encrypt more than
240 blocks (approx. 16 terabytes – not 1 terabyte), this is with the
extremely conservative probability of a distinctive attack
Success with a probability of 1 in 253, which is extraordinary
conservative. D.4.3 also shows that a petabyte is encrypted
limits the probability of an attack's success to no more than 2-37,
and encrypting an exabyte no longer limits the likelihood of success
than 2-17. This is the guarantee based on the safety certificate and the
The actual likelihood of a successful discrimination attack could be
lower if further investigations tighten the security limits. Also the
The result of success in this attack is the distinction
XTS from an ideal block encryption that can be optimized so as not to restore it
Encryption key or plain text. In essence, this is the point at which the
The security corresponds approximately to that of the ECB mode.
My question is, can KDF solve this problem?
Given a sector number
P and key
K, normally the encryption with XTS looks like this
XTS(key=K, plaintext=P, sector=I)
Would use instead
XTS(key=KDF(key=K, salt=I%10), plaintext=P, sector=I)
Do you allow us to encrypt ten times more data while the security guarantee is still valid?
On the one hand, it seems impossible. Basically we use KDF as CSPRNG. That makes no sense.
On the other hand, it seems acceptable to take the NIST recommendations literally.
The crux of the problem, as I understand it, is that XTS is used
128 Bits Block, there is a good change, you will find two identical blocks if you encrypt enough data.
But will the problem really be mitigated if the attacker doesn't have two identical blocks?
C = XTS(K, I, P_1) C = XTS(K, J, P_2)
The attacker has
C = XTS(KDF(K, I%10), I, P_1) C = XTS(KDF(K, J%10), J, P_2)
I am happy to receive information on this topic.