Results 1 - 10 of 32
HCH: A new tweakable enciphering scheme using the hash-encrypt-hash approach
- in Lecture Notes in Computer Science
Cited by 31 (13 self)
the first construction, called CMC, of this notion to tweakable enciphering schemes which can handle variable length messages was given by Halevi–Rogaway at Crypto 2003. In this paper, we present HCH, which is a new construction of such a scheme. The construction uses two universal hash computations with a counter mode of encryption in between. This approach was first proposed by McGrew–Viega to build a scheme called XCB and later used by Wang–Feng–Wu to obtain a scheme called HCTR. A unique feature of HCH compared to all known tweakable enciphering schemes is that HCH uses a single key, can handle arbitrary length messages, and has a quadratic security bound. An important application of a tweakable enciphering scheme is disk encryption. HCH is well suited for this application. We also describe a variant, which can utilize precomputation and makes one less block cipher call. This compares favorably to other hash-encrypt-hash-type constructions, supports better key agility and requires less key material.
Index Terms—Disk encryption, modes of operations, strong pseudorandom permutation, tweakable encryption.
Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions
Cited by 17 (6 self)
Abstract. We present several constructions of tweakable enciphering schemes which use a single encryption layer between two layers of universal hash function computation. The earliest known construction of this type is due to Naor and Reingold, where the encryption layer is the electronic codebook mode. A more recent work of this type is TET and is due to Halevi at Crypto 2007. We present a new construction Ψ of an invertible block-wise almost universal hash function. Using this we construct a tweakable enciphering scheme HEH. For variable length messages HEH has better efficiency than TET, while for fixed length messages HEH provides better key agility. HEH can only handle messages whose lengths are multiples of the block length. To tackle this, we define variants of Ψ and present a construction HEH* which can handle partial blocks. We show that the basic universal hash function can be combined with the counter mode of operation and the output feedback (OFB) mode to obtain new tweakable enciphering schemes of the hash-Ctr-hash and the hash-OFB-hash type. The hash-Ctr-hash type construction improves upon previous work, while the hash-OFB-hash construction is the first proposal using the OFB mode. An important feature of our work is to show that a new class of polynomials defined by Bernstein can be used to construct the universal hash function. This results in an improvement of efficiency of the hashing layers by almost a factor of two. From a practical point of view, our constructions provide the currently best known algorithms for disk encryption protocols.
A new mode of encryption providing a tweakable strong pseudorandom permutation
- eprint.iacr.org, 2006
Cited by 15 (5 self)
Abstract. We present PEP, which is a new construction of a tweakable strong pseudo-random permutation. PEP uses a hash-encrypt-hash approach which has been recently used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor–Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor–Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudo-random permutation. HCTR is also based on the Naor–Reingold approach, but its security bound is weaker than that of PEP. Compared to previously known constructions, PEP is the only known construction of a tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.
Robust authenticated-encryption: AEZ and the problem that it solves
- 2014
Cited by 13 (3 self)
Abstract. With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that's λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call accelerated provable security: the scheme is designed and proven secure in the provable-security tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive.
Keywords: AEZ, arbitrary-input blockciphers, authenticated encryption, robust AE, misuse resistance,
How to Enrich the Message Space of a Cipher
- Fast Software Encryption – FSE ’07, LNCS, 2007
Cited by 11 (3 self)
Abstract. Given (deterministic) ciphers E and E′ that can encipher messages of l and n bits, respectively, we construct a cipher E* = XLS[E, E′] that can encipher messages of l + s bits for any s < n. Enciphering such a string will take one call to E and two calls to E′. We prove that E* is a strong pseudorandom permutation as long as E and E′ are. Our construction works even in the tweakable and VIL (variable-input-length) settings. It makes use of a multipermutation (a pair of orthogonal Latin squares), a combinatorial object not previously used to get a provable-security result.
An improved security bound for HCTR
- Fast Software Encryption (FSE 2008), LNCS 5086, 2008
Cited by 8 (2 self)
Abstract. HCTR was proposed by Wang, Feng and Wu in 2005. It is a mode of operation which provides a tweakable strong pseudorandom permutation. Though HCTR is quite an efficient mode, the authors showed a cubic security bound for HCTR, which makes it unsuitable for applications where tweakable strong pseudorandom permutations are required. In this paper we show that HCTR has a better security bound than what the authors showed. We prove that the distinguishing advantage of an adversary in distinguishing HCTR and its inverse from a random permutation and its inverse is bounded above by 4.5σ²/2ⁿ, where n is the block length of the block cipher and σ is the number of n-block queries made by the adversary (including the tweak).
Tweakable Enciphering Schemes Using Only the Encryption Function of a Block Cipher
Cited by 5 (3 self)
Abstract. A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TES is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementation of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to the best previously known schemes.
Reconfigurable Hardware Implementations of Tweakable Enciphering Schemes
- Report 2007/437, Cryptology ePrint Archive, 2007
Cited by 4 (2 self)
Abstract—Tweakable enciphering schemes are length-preserving block cipher modes of operation that provide a strong pseudorandom permutation. It has been suggested that these schemes can be used as the main building blocks for achieving in-place disk encryption. In the past few years, there has been an intense research activity toward constructing secure and efficient tweakable enciphering schemes. But actual experimental performance data of these newly proposed schemes are yet to be reported. In this paper, we present optimized FPGA implementations of six tweakable enciphering schemes, namely, HCH, HCTR, XCB, EME, HEH, and TET, using a 128-bit AES core as the underlying block cipher. We report the performance timings of these modes when using both pipelined and sequential AES structures. The universal polynomial hash function included in the specification of HCH, HCHfp (a variant of HCH), HCTR, XCB, TET, and HEH was implemented using a Karatsuba multiplier as the main building block. We provide detailed algorithm analysis of each of the schemes, trying to exploit their inherent parallelism as much as possible. Our experiments show that a sequential AES core is not an attractive option for the design of these modes, as it leads to rather poor throughput. In contrast, according to our place-and-route results on a Xilinx Virtex 4 FPGA, our designs achieve a throughput of 3.95 Gbps for HEH when using an encryption/decryption pipelined AES core, and a throughput of 5.71 Gbps for EME when using an encryption-only pipelined AES core. The performance results reported in this paper provide experimental evidence that hardware implementations of tweakable enciphering schemes can actually match and even outperform the data rates achieved by state-of-the-art disk controllers, thus showing that they might be used for achieving provably secure in-place hard disk encryption.
Index Terms—Disk encryption, tweakable enciphering schemes, block cipher modes of operation, Karatsuba multiplier, hardware accelerator, FPGA.
Optimally Secure Tweakable Blockciphers
- Fast Software Encryption – FSE 2015, volume 9054 of LNCS, 2015
Cited by 4 (1 self)
Abstract. We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and postprocessing functions can be distinguished from an ideal one with an attack complexity of about 2^(n/2). Next, we introduce the tweakable blockcipher F̃[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^(2n/3) security. Finally, we introduce F̃[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond-birthday-bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.
A Modular Framework for Building Variable-Input-Length Tweakable Ciphers
Cited by 4 (0 self)
Abstract. We present the Protected-IV construction (PIV), a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, there is an obvious pathway to building beyond-birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design space exploration, we give two fully instantiated PIV constructions, TCT1 and TCT2; the latter is fast and has beyond-birthday-bound security, the former is faster and has birthday-bound security. Finally, we consider a generic method for turning a VIL tweakable cipher (like PIV) into an authenticated encryption scheme that admits associated data, can withstand nonce misuse, and allows for multiple decryption error messages. Thus, the method offers robustness even in the face of certain side-channels and common implementation mistakes.