HCH: A new tweakable enciphering scheme using the hash-encrypt-hash approach
 in Lecture Notes in Computer Science
Cited by 31 (13 self)
The first construction, called CMC, of this notion to tweakable enciphering schemes which can handle variable length messages was given by Halevi–Rogaway at Crypto 2003. In this paper, we present HCH, which is a new construction of such a scheme. The construction uses two universal hash computations with a counter mode of encryption in between. This approach was first proposed by McGrew–Viega to build a scheme called XCB and later used by Wang–Feng–Wu to obtain a scheme called HCTR. A unique feature of HCH compared to all known tweakable enciphering schemes is that HCH uses a single key, can handle arbitrary length messages, and has a quadratic security bound. An important application of a tweakable enciphering scheme is disk encryption. HCH is well suited for this application. We also describe a variant, which can utilize precomputation and makes one less block cipher call. This compares favorably to other hash-encrypt-hash-type constructions, supports better key agility and requires less key material. Index Terms: Disk encryption, modes of operations, strong pseudorandom permutation, tweakable encryption.
Efficient Tweakable Enciphering Schemes from (BlockWise) Universal Hash Functions
Cited by 17 (6 self)
Abstract. We present several constructions of tweakable enciphering schemes which use a single encryption layer between two layers of universal hash function computation. The earliest known construction of this type is due to Naor and Reingold, where the encryption layer is the electronic codebook mode. A more recent work of this type is TET and is due to Halevi at Crypto 2007. We present a new construction Ψ of an invertible blockwise almost universal hash function. Using this we construct a tweakable enciphering scheme HEH. For variable length messages HEH has better efficiency than TET, while for fixed length messages HEH provides better key agility. HEH can only handle messages whose lengths are multiples of the block length. To tackle this, we define variants of Ψ and present a construction HEH* which can handle partial blocks. We show that the basic universal hash function can be combined with the counter mode of operation and the output feedback (OFB) mode to obtain new tweakable enciphering schemes of the hash-Ctr-hash and the hash-OFB-hash type. The hash-Ctr-hash type construction improves upon previous work, while the hash-OFB-hash construction is the first proposal using the OFB mode. An important feature of our work is to show that a new class of polynomials defined by Bernstein can be used to construct the universal hash function. This results in an improvement of efficiency of the hashing layers by almost a factor of two. From a practical point of view, our constructions provide the currently best known algorithms for disk encryption protocols.
A new mode of encryption providing a tweakable strong pseudorandom permutation
eprint.iacr.org, 2006
Cited by 14 (5 self)
Abstract. We present PEP, which is a new construction of a tweakable strong pseudorandom permutation. PEP uses a hash-encrypt-hash approach which has been recently used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor–Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor–Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudorandom permutation. HCTR is also based on the Naor–Reingold approach but its security bound is weaker than PEP. Compared to previously known constructions, PEP is the only known construction of a tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.
Robust authenticated-encryption: AEZ and the problem that it solves
2014
Cited by 12 (3 self)
Abstract. With a scheme for robust authenticated-encryption a user can select an arbitrary value λ ≥ 0 and then encrypt a plaintext of any length into a ciphertext that's λ characters longer. The scheme must provide all the privacy and authenticity possible for the requested λ. We formalize and investigate this idea, and construct a well-optimized solution, AEZ, from the AES round function. Our scheme encrypts strings at almost the same rate as OCB-AES or CTR-AES (on Haswell, AEZ has a peak speed of about 0.7 cpb). To accomplish this we employ an approach we call accelerated provable security: the scheme is designed and proven secure in the provable-security tradition, but, to improve speed, one instantiates by scaling down most instances of the underlying primitive. Keywords: AEZ, arbitrary-input blockciphers, authenticated encryption, robust AE, misuse resistance,
How to Enrich the Message Space of a Cipher
Fast Software Encryption – FSE '07, LNCS, 2007
Cited by 11 (3 self)
Abstract. Given (deterministic) ciphers E and E that can encipher messages of l and n bits, respectively, we construct a cipher E* = XLS[E, E] that can encipher messages of l + s bits for any s < n. Enciphering such a string will take one call to E and two calls to E. We prove that E* is a strong pseudorandom permutation as long as E and E are. Our construction works even in the tweakable and VIL (variable-input-length) settings. It makes use of a multipermutation (a pair of orthogonal Latin squares), a combinatorial object not previously used to get a provable-security result.
An improved security bound for HCTR
Fast Software Encryption (FSE 2008), LNCS 5086, 2008
Cited by 6 (2 self)
Abstract. HCTR was proposed by Wang, Feng and Wu in 2005. It is a mode of operation which provides a tweakable strong pseudorandom permutation. Though HCTR is quite an efficient mode, the authors showed a cubic security bound for HCTR which makes it unsuitable for applications where tweakable strong pseudorandom permutations are required. In this paper we show that HCTR has a better security bound than what the authors showed. We prove that the distinguishing advantage of an adversary in distinguishing HCTR and its inverse from a random permutation and its inverse is bounded above by 4.5σ^2/2^n, where n is the block length of the block cipher and σ is the number of n-block queries made by the adversary (including the tweak).
Tweakable Enciphering Schemes Using Only the Encryption Function of a Block Cipher
Cited by 5 (3 self)
Abstract. A new construction of block cipher based tweakable enciphering schemes (TES) is described. The major improvement over existing TES is that the construction uses only the encryption function of the underlying block cipher. Consequently, this leads to substantial savings in the size of hardware implementation of TES applications such as disk encryption. This improvement is achieved without loss in efficiency of encryption and decryption compared to the best previously known schemes.
A Modular Framework for Building Variable-Input-Length Tweakable Ciphers
Cited by 4 (0 self)
Abstract. We present the Protected-IV construction (PIV), a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, an obvious pathway to building beyond-birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design space exploration, we give two fully instantiated PIV constructions, TCT1 and TCT2; the latter is fast and has beyond-birthday-bound security, the former is faster and has birthday-bound security. Finally, we consider a generic method for turning a VIL tweakable cipher (like PIV) into an authenticated encryption scheme that admits associated data, can withstand nonce-misuse, and allows for multiple decryption error messages. Thus, the method offers robustness even in the face of certain side-channels and common implementation mistakes.
Optimally Secure Tweakable Blockciphers
Fast Software Encryption – FSE 2015, volume 9054 of LNCS, 2015
Cited by 4 (1 self)
Abstract. We consider the generic design of a tweakable blockcipher from one or more evaluations of a classical blockcipher, in such a way that all input and output wires are of size n bits. As a first contribution, we show that any tweakable blockcipher with one primitive call and arbitrary linear pre- and post-processing functions can be distinguished from an ideal one with an attack complexity of about 2^(n/2). Next, we introduce the tweakable blockcipher F̃[1]. It consists of one multiplication and one blockcipher call with tweak-dependent key, and achieves 2^(2n/3) security. Finally, we introduce F̃[2], which makes two blockcipher calls, one of which with tweak-dependent key, and achieves optimal 2^n security. Both schemes are more efficient than all existing beyond-birthday-bound tweakable blockciphers known to date, as long as one blockcipher key renewal is cheaper than one blockcipher evaluation plus one universal hash evaluation.
A New Universal Hash Function and Other Cryptographic Algorithms Suitable for Resource Constrained Devices
Cited by 3 (2 self)
Abstract. A new multilinear universal hash family is described. Messages are sequences over a finite field F_q while keys are sequences over an extension field F_{q^n}. A linear map ψ from F_{q^n} to itself is used to compute the output digest. Of special interest is the case q = 2. For this case, we show that there is an efficient way to implement ψ using a tower field representation of F_{q^n}. Such a ψ corresponds to a word oriented LFSR. We describe a method of combining the new universal hash function and a stream cipher with IV to obtain a MAC algorithm. Further, we extend the basic universal hash function to an invertible blockwise universal hash function. Following the Naor–Reingold approach, this is used to construct a tweakable enciphering scheme which uses a single layer of encryption and no finite field multiplications. From an efficiency viewpoint, the focus of all our constructions is small hardware and other resource constrained applications. For such platforms, our constructions compare favourably to previous work.