Plaintext Recovery Attacks against XTS Beyond Collisions

XTS is an encryption scheme for storage devices standardized by IEEE and NIST. It is based on Rogaway\u27s XEX tweakable block cipher and is known to be secure up to the collisions between the blocks, thus up to around $2^{n/2}$ blocks for $n$-bit blocks. However this only implies that the theoretical indistinguishability notion is broken with $O(2^{n/2})$ queries and does not tell the practical risk against the plaintext recovery if XTS is targeted. We show several plaintext recovery attacks against XTS beyond collisions, and evaluate their practical impacts