Technologies are being developed to provide additional security for computer users. Encrypting the sectors on a disk is best done with a block cipher that has a large block size and good diffusion properties. There are currently no industry-standard block ciphers with a sufficiently large block size.
A suitable cipher has two security properties. The encryption property ensures that an attacker cannot recover the plaintext given the ciphertext. The diffusion property ensures that if an attacker makes any modification to the ciphertext of a sector, then the changes in the plaintext of the sector are essentially random over the whole sector. This severely hinders an attacker that tries to attack a computer by modifying the ciphertext stored on the disk.
A suitable cipher should also be fast enough. A slow cipher will result in a significant loss of performance of the disk, thereby reducing the usability of the computer.
Existing ciphers are unsuitable for various reasons. For example, stream ciphers have no diffusion at all, and allow an attacker to flip arbitrary bits in the plaintext. Advanced Encryption Standard (AES) is a well-known block cipher. Cipher block chaining (CBC) is a mode of operation of AES. AES-CBC is typically a leading candidate when data is to be encrypted. For the technologies being developed, AES-CBC is not suitable, due to the lack of diffusion in the CBC decryption operation. If the attacker introduces a change Δ in ciphertext block i, then plaintext block i is randomized, but plaintext block i+1 is changed by Δ. In other words, the attacker can flip arbitrary bits in one block at the cost of randomizing the previous block. This property can be used to attack executables. The instructions can be changed at the start of a function at the cost of damaging whatever data is stored just before the function. With thousands of functions in the code, it is likely that a suitable attack location can be found.
Bear and Lion are two conventional large-block block ciphers. Bear and Lion are very similar in construction. They split the data block into two unequal parts and create a 3- round Luby-Rackoff cipher by using a keyed hash function and a stream cipher to construct the round functions. Bear uses two keyed hash function rounds and one stream cipher round, whereas Lion uses one keyed hash function round and two stream cipher rounds. However, Bear and Lion are too slow. Both ciphers make three passes over the data.
Another cipher is Beast, which is a variation of Bear. It is faster than Bear because it replaces the last round of Bear by a function that does not process the entire data block. However, this change destroys the diffusion properties of the decryption function, making it unsuitable for the newly developed technologies. Though faster than Bear, it still requires two passes over the data—one with a hash function and one with a stream cipher. This is too slow.