XPCBC and WBM: Disk encryption modes of operation.

I designed some new modes of operations, which are all based on PCBC mode. They are storage media modes, i.e. disk encryption modes, and should not be used in other contexts, i.e., to encrypt traffic for example.

I made them because I am interested in designing a storage media mode which could easily hide large regions of highly redundant data together with high resistance to attempts to see data shapes through difference between (two) storage media images.

I just post them for review, if anyone is interested.

Of course, they may contain fatal mistakes and be buggy, but that’s it - they are published for free, and I waive from any copyrights over them, pushing them to public domain. You can use them for free, absolutely, you do not even need to put my name into license blocks of your software.

Below are short descriptions (more in README).


XPCBC is single pass mode based on PCBC mode.

XPCBC applies classic PCBC mode per each sector being encrypted. Each disk sector of, say, 512 byte size is encrypted with PCBC independently, with sector IV being derived from the current cipher block number. Deriving is simple: just encrypt the block number with current key.

XPCBC has an improvement over modes like XEX/XTS: the space after change gets mangled too.

In XTS case, only single ciphertext block is mangled. In XPCBC case, all other ciphertext block after the block with a change are also mangled.

XPCBC scheme:

  • Encrypt sector in PCBC mode,
  • PCBC encryption is done with IV derived from sector number.

XPCBC advantages:

  • “Mechanical” mode of operation, no special math/tables required, easy to understand and implement,
  • Works even faster than XTS due to lack of Galois multiplication operation,
  • Not restricted to 128 bit block size, can be applied to any other cipher,
  • Mangles more data on change than XTS.

XPCBC flaws:

  • Data before change inside sector is NOT mangled,
  • If change happened inside last ciphertext block of sector, XPCBC works just like XTS,
  • Inherits any known and unknown PCBC flaws.


WBM is two-pass mode based on CBC and PCBC modes.

WBM is Wide Block Mode: a mode which mangles whole sector on each change anywhere inside that sector.

WBM mangles data before and after the change, including the change, at cost of double encryption, thus, performance is half of XTS or XPCBC.

WBM scheme:

  • Encrypt sector in CBC,
  • XOR (compress) encrypted sector into a header CBC-MAC hashsum,
  • XOR CBC-MAC hashsum with plaintext of first sector ciphertext block,
  • Encrypt the formed sector again with PCBC, enforcing the change by influenced hashsum header,
  • CBC/PCBC encryptions are done with IV derived from sector number.

WBM features:

  • Whole sector content is changed after a small or large change inside plaintext version of sector,
  • As XPCBC, it is “mechanical” mode of operaion that does not require special math or tables,
  • As XPCBC, it is suitable for any cipher with any block size not larger than sector size.

WBM flaws:

  • Twice as slow as XTS or any other “general” block cipher mode of operation such as CBC,
  • Number of sectors cannot exceed 2^(cipher_block_size/2), thus, for AES, the maximum number will be 2^64.

Reuse policy

The code and ideas are placed into public domain. Author hopes they will be useful, but WITHOUT ANY WARRANTY OF ANY KIND. If you will loose data (both due corruption or data theft), you are only the person responsible for your decision to use these ideas, not me. I hope this is clear.

Written on March 12, 2019