Tweakable HCTR: A BBB Secure Tweakable Enciphering Scheme
HCTR, proposed by Wang et al., is one of the most efficient candidates of tweakable enciphering schemes that turns an -bit block cipher into a variable input length tweakable block cipher. Wang et al. have shown that HCTR offers a cubic security bound against all adaptive chosen plaintext and chosen ciphertext adversaries. Later in FSE 2008, Chakraborty and Nandi have improved its bound to , where is the total number of blocks queried and is the block size of the block cipher. In this paper, we propose tweakable HCTR that turns an -bit tweakable block cipher into a variable input length tweakable block cipher by replacing all the block cipher calls of HCTR with tweakable block cipher calls. We show that when there is no repetition of the tweak, tweakable HCTR enjoys optimal security against all adaptive chosen plaintext and chosen ciphertext adversaries. However, if the repetition of the tweak is limited, then the security of the construction remains close to the security bound of the no-repetition case. Hence, it gives a graceful security degradation with the maximum number of repetitions of tweaks.
Tweakable Enciphering Schemes Using Only the Encryption Function of a Block Cipher
A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TES is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementations of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to the best previously known schemes.
Adiantum: length-preserving encryption for entry-level processors
We present HBSH, a simple construction for tweakable length-preserving encryption which supports the fastest options for hashing and stream encryption for processors without AES or other crypto instructions, with a provable quadratic advantage bound. Our composition Adiantum uses NH, Poly1305, XChaCha12, and a single AES invocation. On an ARM Cortex-A7 processor, Adiantum decrypts 4096-byte messages at 10.6 cycles per byte, over five times faster than AES-256-XTS, with a constant-time implementation. We also define HPolyC, which is simpler and has excellent key agility at 13.6 cycles per byte.
FAST: Disk Encryption and Beyond
This work introduces FAST, which is a new family of tweakable enciphering schemes. Several instantiations of FAST are described. These are targeted towards two goals, the specific task of disk encryption and a more general scheme suitable for a wide variety of practical applications. A major contribution of this work is to present detailed and careful software implementations of all of these instantiations. For disk encryption, the results from the implementations show that FAST compares very favourably to the IEEE disk encryption standards XCB and EME2 as well as the more recent proposal AEZ.
FAST is built using a fixed input length pseudo-random function and an appropriate hash function. It uses a single-block key, is parallelisable and can be instantiated using only the encryption function of a block cipher.
The hash function can be instantiated using either the usual Horner's rule based polynomial hashing or hashing based on the more efficient Bernstein-Rabin-Winograd polynomials. Security of FAST has been rigorously analysed using the standard provable security approach and concrete security bounds have been derived.
Based on our implementation results, we put forward FAST as a serious candidate for standardisation and deployment.
Length-preserving encryption with HCTR2
On modern processors HCTR is one of the most efficient constructions for building a tweakable super-pseudorandom permutation. However, a bug in the specification and another in Chakraborty and Nandi's security proof invalidate the claimed security bound. We here present HCTR2, which fixes these issues and improves the security bound, performance and flexibility.
GitHub: https://github.com/google/hctr
Disk Encryption: Do We Need to Preserve Length?
In the last one-and-a-half decades there has been a lot of activity towards the development of cryptographic techniques for disk encryption. It has been almost canonised that an encryption scheme suitable for the application of disk encryption must be length preserving, i.e., it rules out the use of schemes like authenticated encryption where an authentication tag is also produced as a part of the ciphertext, resulting in ciphertexts being longer than the corresponding plaintexts. The notion of a tweakable enciphering scheme (TES) has been formalised as the appropriate primitive for disk encryption and it has been argued that they provide the maximum security possible for a tag-less scheme. On the other hand, TESs are less efficient than some existing authenticated encryption schemes. Also, a TES cannot provide true authentication as it does not have an authentication tag.
In this paper, we analyse the possibility of using encryption schemes with length expansion for the purpose of disk encryption. On the negative side, we argue that nonce based authenticated encryption schemes are not appropriate for this application. On the positive side, we demonstrate that deterministic authenticated encryption (DAE) schemes may have more advantages than disadvantages compared to a TES when used for disk encryption. Finally, we propose a new deterministic authenticated encryption scheme called BCTR which is suitable for this purpose. We provide the full specification of BCTR, prove its security and also report an efficient implementation in reconfigurable hardware. Our experiments suggest that BCTR performs significantly better than existing TESs and existing DAE schemes.
Efficient Hardware Implementations of BRW Polynomials and Tweakable Enciphering Schemes
A new class of polynomials was introduced by Bernstein (Bernstein 2007) which were later named by Sarkar as Bernstein-Rabin-Winograd (BRW) polynomials (Sarkar 2009). For the purpose of authentication, BRW polynomials offer a considerable computational advantage over usual polynomials: multiplications for usual polynomial hashing versus multiplications and squarings for BRW hashing, where is the number of message blocks to be authenticated. In this paper, we develop an efficient pipelined hardware architecture for computing BRW polynomials. The BRW polynomials have a nice recursive structure which is amenable to parallelisation. While exploring efficient ways to exploit the inherent parallelism in BRW polynomials we discover some interesting combinatorial structural properties of such polynomials. These are used to design an algorithm to decide the order of the multiplications which minimises pipeline delays. Using the nice structural properties of the BRW polynomials we present a hardware architecture for efficient computation of BRW polynomials. Finally, we provide implementations of the tweakable enciphering schemes proposed in Sarkar 2009 which use BRW polynomials. This leads to the fastest known implementation of disk encryption systems.