HCTR: A Variable-Input-Length Enciphering Mode

Peng Wang (1), Dengguo Feng (1,2), and Wenling Wu (2)
(1) State Key Laboratory of Information Security, Graduate School of Chinese Academy of Sciences, Beijing 100049, China. w.rocking@gmail.com
(2) State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, China. {feng, wwl}@is.iscas.ac.cn
Abstract. This paper proposes a blockcipher mode of operation, HCTR, which is a length-preserving encryption mode. HCTR turns an $n$-bit blockcipher into a tweakable blockcipher that supports arbitrary variable input lengths of no less than $n$ bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweakable pseudorandom permutation ($\widetilde{\mathrm{sprp}}$) when the underlying blockcipher is a strong pseudorandom permutation (sprp). HCTR is a very efficient mode of operation once some pre-computation is taken into account. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption and other length-preserving encryption, especially for messages whose length is not a multiple of $n$ bits.

Keywords: Blockcipher, tweakable blockcipher, disk sector encryption, modes of operation, symmetric encryption.
1 Introduction
Basic encryption modes, such as CBC [27], increase the message length. But in many scenarios we need a length-preserving encryption (enciphering). For example, in networking applications some packet formats were not defined with cryptography in mind and cannot be altered, so when we want to add privacy features we cannot lengthen the packet by even one bit. The other example is disk sector encryption. A disk is partitioned into fixed-length sectors. Sector-level encryption is a low-level encryption: the encryption device knows nothing about files or directories; it encrypts or decrypts sectors as they arrive. Suppose the plaintext at sector location $T$ is $M$ and the encryption algorithm is $\widetilde{E}$; then the ciphertext stored in this sector is $C = \widetilde{E}^T_K(M)$, where $K$ is the secret key. Of course we cannot expand the message length, so $|M| = |\widetilde{E}^T_K(M)|$. That is why we need the concept of a tweakable blockcipher in disk sector encryption. The sector location $T$ is called the tweak, which is also called associated data in [15, 13].
D. Feng, D. Lin, and M. Yung (Eds.): CISC 2005, LNCS 3822, pp. 175–188, 2005. © Springer-Verlag Berlin Heidelberg 2005
In the above example the message length is not always fixed, and it is usually much longer than the block length of well-known blockciphers such as DES (64 bits) or AES (128 bits) [6]; for example, the sector length is typically 512 bytes. So we need wide-block-length enciphering modes based on blockciphers. Once we have a wide-block enciphering mode, we can easily put the tweak into it using the method of [11] or [8] to get a tweakable enciphering mode.

This paper proposes a tweakable enciphering mode, or an arbitrary-variable-input-length tweakable blockcipher. We name it HCTR, because it makes use of a special universal hash function and the CTR mode. If the underlying blockcipher is $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, then our mode supports arbitrary variable lengths of at least $n$ bits, using a $(k+n)$-bit key and $m$ blockcipher calls to encipher $m$ blocks of plaintext. The tweak length in HCTR is fixed and can be zero; when it is zero, HCTR becomes an enciphering mode, or an arbitrary-variable-input-length blockcipher.

Our HCTR mode is a hash-encipher-hash construction whose middle layer partly uses the CTR encryption mode. HCTR is similar to the XCB mode [13], and can also be viewed as a generalization of the basic sprp construction in [11]. The ABL mode [15] and the XCB mode [13] are unbalanced Feistel constructions using universal hash functions as their components. They also support variable input length, but the secret key is very long (4 keys in ABL and 5 keys in XCB) and has to be derived from a main key. The CMC mode [8] and the EME mode [9] use no universal hash function at all, but they only support messages whose length is a multiple of a block. HCTR compares favorably with all of these modes.
The attack model is an adaptive chosen plaintext/ciphertext attack: an adversary can choose a tweak $T$ and a plaintext $P$ and get the ciphertext $C = \widetilde{E}^T_K(P)$, or choose a tweak $T$ and a ciphertext $C$ and get the plaintext $P = (\widetilde{E}^T_K)^{-1}(C)$. The current query may depend on previous answers. We prove that HCTR is a strong secure tweakable blockcipher ($\widetilde{\mathrm{sprp}}$), which is defined as one indistinguishable from a family of independent random permutations indexed by the tweak $T$. If HCTR is used in disk sector encryption, the effect is that each sector is encrypted with a different, independent random permutation. This kind of tweakable blockcipher is under standardization [19] by the IEEE Security in Storage Working Group. Our proof adopts the game-playing technique [2, 26], which was first used in [10].

We give basic definitions in Section 2. The specification of HCTR is in Section 3. Section 4 discusses some insecure modifications and compares HCTR with other modes. The concrete security bound is given in Section 5.
1.1 Related Work

Constructions of large-block-size blockciphers from small-block-size blockciphers date back to the pioneering work of Luby and Rackoff [12]. They showed that three rounds of the Feistel structure turn $n$-bit to $n$-bit random functions into a $2n$-bit secure blockcipher, and four rounds into a strong secure one. Naor and Reingold [18] showed that a two-round Feistel construction with initial and final strong universal invertible hash functions is enough to construct a strong secure blockcipher. In [17] they further used this hash-encipher-hash construction to get a mode of operation, but the hash function is quite complex. Patel et al. [20] further discussed the role of universal hash functions in the Feistel construction. Bellare and Rogaway [1] used a special pseudorandom function and a special encryption mode to construct a variable-input-length cipher. Patel et al. [21] made some efficiency improvements to this scheme and to the other unbalanced Feistel construction by using universal hash functions.

Constructions of tweakable blockciphers from scratch include HPC [24] and Mercy [5] (although the latter has been broken by Fluhrer [7]).

A tweakable blockcipher is not only a suitable model for disk sector encryption and useful in length-preserving encryption, but also a good starting point for other design problems [11]. Following this thought, Rogaway [22] refined the modes OCB [23] and PMAC [3] using tweakable blockciphers.
2 Basic Definitions
BLOCKCIPHERS AND TWEAKABLE BLOCKCIPHERS. A blockcipher is a function $E : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ where $E_K(\cdot) = E(K, \cdot)$ is a length-preserving permutation for all $K \in \mathcal{K}$. Here $\mathcal{K} \ne \emptyset$ is the key space and $\mathcal{M} \ne \emptyset$ is the message space. A tweakable blockcipher is a function $\widetilde{E} : \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ where $\widetilde{E}^T_K(\cdot) = \widetilde{E}_K(T, \cdot) = \widetilde{E}(K, T, \cdot)$ is a length-preserving permutation for all $K \in \mathcal{K}$ and $T \in \mathcal{T}$. $\mathcal{T}$ is the tweak space.

We write $s \xleftarrow{R} S$ to denote choosing an element $s$ uniformly at random from a set $S$. Let $\mathrm{Perm}(\mathcal{M})$ be the set of all length-preserving permutations on $\mathcal{M}$; when $\mathcal{M} = \{0,1\}^n$ we denote it as $\mathrm{Perm}(n)$. Let $\mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$ be the set of all mappings from $\mathcal{T}$ to $\mathrm{Perm}(\mathcal{M})$; it can also be viewed as the set of all blockciphers $\widetilde{E} : \mathcal{T} \times \mathcal{M} \to \mathcal{M}$. If $\pi \xleftarrow{R} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$, then for every $T \in \mathcal{T}$, $\pi^T(\cdot) = \pi(T, \cdot)$ is a random permutation. When $\mathcal{M} = \{0,1\}^n$ we denote it as $\mathrm{Perm}^{\mathcal{T}}(n)$.
An adversary is a (randomized) algorithm with access to one or more oracles, which are written as superscripts. Without loss of generality, we assume that adversaries never ask trivial queries whose answers are already known. For example, an adversary never repeats a query and never asks $(\widetilde{E}_K)^{-1}(T, C)$ after receiving $C$ as the answer to $\widetilde{E}_K(T, M)$, and so forth. Let $A^{\rho} \Rightarrow 1$ be the event that adversary $A$ with oracle $\rho$ outputs the bit 1.
$\widetilde{\mathrm{prp}}$ AND $\widetilde{\mathrm{sprp}}$. A tweakable blockcipher $\widetilde{E} : \mathcal{K} \times \mathcal{T} \times \mathcal{M} \to \mathcal{M}$ is a (strong) pseudorandom tweakable permutation ($\widetilde{\mathrm{prp}}$ or $\widetilde{\mathrm{sprp}}$) if it is indistinguishable from a random tweakable permutation $\pi \xleftarrow{R} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$. More specifically, if the advantage function

$\mathbf{Adv}^{\widetilde{\mathrm{prp}}}_{\widetilde{E}}(A) = \Pr[K \xleftarrow{R} \mathcal{K} : A^{\widetilde{E}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{R} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M}) : A^{\pi(\cdot,\cdot)} \Rightarrow 1]$

is sufficiently small for any $A$ with reasonable resources, then $\widetilde{E}$ is said to be a pseudorandom tweakable permutation ($\widetilde{\mathrm{prp}}$), or a secure tweakable blockcipher, or secure against chosen plaintext attack. If the advantage function

$\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\widetilde{E}}(A) = \Pr[K \xleftarrow{R} \mathcal{K} : A^{\widetilde{E}_K(\cdot,\cdot),\, \widetilde{E}^{-1}_K(\cdot,\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{R} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M}) : A^{\pi(\cdot,\cdot),\, \pi^{-1}(\cdot,\cdot)} \Rightarrow 1]$

is sufficiently small for any $A$ with reasonable resources, then $\widetilde{E}$ is said to be a strong pseudorandom tweakable permutation ($\widetilde{\mathrm{sprp}}$), or a strong secure tweakable blockcipher, or secure against chosen ciphertext attack.

prp AND sprp. When there is no tweak ($\mathcal{T} = \emptyset$), the tweakable blockcipher becomes an ordinary blockcipher. A blockcipher $E : \mathcal{K} \times \mathcal{M} \to \mathcal{M}$ is a (strong) pseudorandom permutation (prp or sprp) if it is indistinguishable from a random permutation $\pi \xleftarrow{R} \mathrm{Perm}(\mathcal{M})$; $\mathbf{Adv}^{\mathrm{prp}}_E$ and $\mathbf{Adv}^{\mathrm{sprp}}_E$ are defined in the same way as above without the tweak argument. prp and sprp correspond to $\widetilde{\mathrm{prp}}$ and $\widetilde{\mathrm{sprp}}$ respectively.
3 Specification of HCTR
3.1 Notations
A string is a finite sequence of symbols, each symbol being 0 or 1. A block is a string of fixed length. The blockcipher and the multiplication in the finite field are operations over blocks. Let $\{0,1\}^*$ be the set of all strings. If $X, Y \in \{0,1\}^*$, then $X \| Y$ is their concatenation. If $X \in \{0,1\}^*$, then the bit-length of $X$, denoted $|X|$, is the number of bits in $X$; $|X| = 0$ if and only if $X$ is the empty string $\varepsilon$. If one block is $n$ bits, we can parse $X$ into $m = \lceil |X|/n \rceil$ blocks, $X = X_1, \cdots, X_m$, where $|X_m| \le n$ and $|X_1| = \cdots = |X_{m-1}| = n$. Let $|X|_n = \lceil |X|/n \rceil$; we say that $X$ has $|X|_n$ blocks. $X[s]$ denotes the $s$-th bit of $X$ from left to right, and $X[s, t]$ denotes the substring from the $s$-th bit to the $t$-th bit of $X$ from left to right. For example, if $X = 110011$, then $X[2,4] = 100$. If $X, Y \in \{0,1\}^*$, then $X \overleftarrow{\oplus} Y$ (written X ⊕← Y in the algorithm listings) is slightly different from $X \oplus Y$: if $|X| < |Y|$ then $X \overleftarrow{\oplus} Y = X \oplus Y[1, |X|]$; if $|X| = |Y|$ then $X \overleftarrow{\oplus} Y = X \oplus Y$; if $|X| > |Y|$ then $X \overleftarrow{\oplus} Y = X \oplus Y0^*$, i.e. $Y$ is padded with zeros to $|X|$ bits. In every case the result has the length of the left operand $X$.
3.2 Multiplication in GF (2n)
We interchangeably think of a block $L = (L_1, \cdots, L_n)$ as an abstract point in the finite field $GF(2^n)$ and as a polynomial $L(x) = L_1 + L_2 x + \cdots + L_n x^{n-1}$ in $GF(2)[x]/(p(x))$, where $p(x)$ is an irreducible polynomial of degree $n$ in $GF(2)[x]$. Addition in $GF(2^n)$ is bitwise xor $\oplus$. The multiplication of $A, B \in GF(2^n)$ is denoted $A \cdot B$, which is calculated as $A(x)B(x)$ in $GF(2)[x]/(p(x))$. If we choose AES [6] as the blockcipher, then a block is 128 bits and the irreducible polynomial can be chosen as $p(x) = 1 + x + x^2 + x^7 + x^{128}$.
3.3 Universal Hash Function
$H$ is a function family $H = \{H_h : \{0,1\}^* \to \{0,1\}^n \mid h \in \{0,1\}^n\}$. For any $X \in \{0,1\}^*$, $X$ is padded into complete blocks and then polynomial evaluation [4] is used. Suppose $|X|_n = m$ and parse $X$ into $X = X_1, \cdots, X_m$. We append 0s, possibly none, at the end of $X$ to complete the last block, and append $|X|$, written as an $n$-bit string, as the last block. Then we apply the polynomial evaluation hash in $h$ to the padded result. More specifically, $H_h$ is defined as

$H_h(X) = X_1 \cdot h^{m+1} \oplus \cdots \oplus X_m 0^* \cdot h^2 \oplus |X| \cdot h$,

which can be calculated as follows:

Algorithm H_h(X)
  parse X as X_1, ···, X_m
  Y_0 ← 0^n
  for i ← 1 to m do
    Y_i ← (Y_{i−1} ⊕← X_i) · h
  Y_{m+1} ← (Y_m ⊕ |X|) · h
  return Y_{m+1}

When $X$ is the empty string, we define $H_h(X) = h$. $H$ is a special AXU (almost XOR universal) hash function. It has the following properties, which will be used in the security proof of HCTR.

1. For any $X_1, X_2 \in \{0,1\}^*$ with $X_1 \ne X_2$ and any $Y \in \{0,1\}^n$, $H_h(X_1) \oplus H_h(X_2)$ is a nonzero polynomial in $h$ without constant term. So $\Pr[h \xleftarrow{R} \{0,1\}^n : H_h(X_1) \oplus H_h(X_2) = Y] \le l/2^n$, where $l = \max\{|X_1|_n, |X_2|_n\} + 1$ bounds the degree. In other words, $H$ is an $l/2^n$-AXU hash function.
2. For any $X, Y, Z \in \{0,1\}^*$ with $|X| = |Y|$, $H_h(X) \oplus H_h(Y) \oplus H_h(Z)$ is a nonzero polynomial in $h$ without constant term.
3.4 The CTR Mode
In HCTR we use a special form of the CTR mode:
Algorithm CTR^S_K(N)
  Y ← E_K(S ⊕ 1) || ··· || E_K(S ⊕ (m−1))
  D ← N ⊕← Y
  return D

where $|N|_n = m - 1$, $K$ is the key, $S$ is the counter, and $S \oplus i$ denotes xoring the counter value $i$, written as an $n$-bit string, into $S$.
3.5 The HCTR Mode
The HCTR mode makes use of a blockcipher $E$ and the special universal hash function $H$. Assume that the blockcipher is $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. Then $\mathrm{HCTR}[E, H]$ is

$\mathrm{HCTR}[E, H] : \{0,1\}^{k+n} \times \{0,1\}^t \times \{0,1\}^{\ge n} \to \{0,1\}^{\ge n}$,

where $\{0,1\}^{\ge n} = \bigcup_{m \ge n} \{0,1\}^m$ and $t \ge 0$.
Fig. 1. The HCTR Mode (diagram not reproduced: the plaintext halves $M$ and $N$ pass through the layers $H_h$, $E_K$ / $\mathrm{CTR}_K$ and $H_h$, with the tweak $T$ entering both hash layers, to give $C$ and $D$).
$\mathrm{HCTR}[E, H]$ is illustrated in Figure 1. We split the plaintext/ciphertext into two strings: one is the left $n$ bits, and the other is the rest. We assume that the plaintext/ciphertext has $m$ blocks. More specifically, HCTR is the following algorithm.

Algorithm HCTR^T_{K,h}(M, N)
  MM ← M ⊕ H_h(N || T)
  CC ← E_K(MM)
  S ← MM ⊕ CC
  D ← CTR^S_K(N)
  C ← CC ⊕ H_h(D || T)
  return (C, D)

Algorithm (HCTR^T_{K,h})^{−1}(C, D)
  CC ← C ⊕ H_h(D || T)
  MM ← E_K^{−1}(CC)
  S ← MM ⊕ CC
  N ← CTR^S_K(D)
  M ← MM ⊕ H_h(N || T)
  return (M, N)
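As an added worked example (not code from the paper or its authors), the following Python implements Sections 3.2 to 3.5 end to end: multiplication in $GF(2^{128})$ with the paper's polynomial, the hash $H_h$ with its zero-pad-then-length padding and the $H_h(\varepsilon) = h$ special case, the special CTR mode, and HCTR enciphering and deciphering. It makes these assumptions: inputs are byte strings (bit-lengths that are multiples of 8); a block is read as a big-endian integer whose bit $i$ is the coefficient of $x^i$, which is a different bit-to-coefficient mapping than the paper's $L_1 + L_2 x + \cdots$ but does not change the construction; the counter $S \oplus i$ xors $i$ as an $n$-bit big-endian integer; and a 4-round keyed Feistel network built from SHA-256 stands in for $E_K$ instead of AES, since HCTR only needs an $n$-bit permutation and its inverse. The function names (`gf_mul`, `poly_hash`, `ctr`, `hctr_encrypt`, `hctr_decrypt`, `demo`) and the keys and sector data inside `demo()` are constructed for this example.

```python
import hashlib

N = 128                 # block length n in bits
NB = N // 8             # block length in bytes
MASK = (1 << N) - 1
# p(x) = 1 + x + x^2 + x^7 + x^128 (Sect. 3.2); assumption: bit i of an int is the x^i coefficient
POLY_LOW = (1 << 7) | (1 << 2) | (1 << 1) | 1

def gf_mul(a: int, b: int) -> int:
    """A . B in GF(2^128): carry-less shift-and-add multiply, reducing modulo p(x) as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                    # degree reached 128: x^128 = x^7 + x^2 + x + 1
            a = (a & MASK) ^ POLY_LOW
    return r

def xor_into(x: bytes, y: bytes) -> bytes:
    """The paper's X xor-into Y: XOR Y into X after truncating or zero-extending Y to |X|."""
    y = y[:len(x)].ljust(len(x), b"\x00")
    return bytes(p ^ q for p, q in zip(x, y))

def poly_hash(h: int, x: bytes) -> bytes:
    """H_h(X) of Sect. 3.3: zero-pad the last block, append |X| as an n-bit block, evaluate at h."""
    if not x:
        return h.to_bytes(NB, "big")  # the paper's special case H_h(empty) = h
    y = 0
    for i in range(0, len(x), NB):    # Y_i = (Y_{i-1} xor-into X_i) . h
        y = gf_mul(y ^ int.from_bytes(x[i:i + NB].ljust(NB, b"\x00"), "big"), h)
    return gf_mul(y ^ (8 * len(x)), h).to_bytes(NB, "big")  # Y_{m+1} = (Y_m xor |X|) . h

# Assumption: a 4-round keyed Feistel network over SHA-256 stands in for E_K (not AES).
# HCTR only needs an n-bit permutation and its inverse, so the mode itself is unchanged.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:NB // 2]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:NB // 2], blk[NB // 2:]
    for rnd in range(4):
        l, r = r, xor_into(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:NB // 2], blk[NB // 2:]
    for rnd in reversed(range(4)):
        l, r = xor_into(r, _f(key, rnd, l)), l
    return l + r

def ctr(key: bytes, s: bytes, n_str: bytes) -> bytes:
    """CTR^S_K(N) of Sect. 3.4: E_K(S xor 1) || E_K(S xor 2) || ... xor-into N (counters as n-bit ints)."""
    s_int = int.from_bytes(s, "big")
    blocks = -(-len(n_str) // NB)     # ceil(|N| / n); zero blocks when N is empty
    stream = b"".join(block_encrypt(key, (s_int ^ i).to_bytes(NB, "big"))
                      for i in range(1, blocks + 1))
    return xor_into(n_str, stream)

def hctr_encrypt(key: bytes, h: int, tweak: bytes, msg: bytes) -> bytes:
    """HCTR^T_{K,h}(M, N): M is the left n bits of msg, N the rest; |msg| >= n bits."""
    assert len(msg) >= NB, "HCTR needs at least one block of input"
    m, n_str = msg[:NB], msg[NB:]
    mm = xor_into(m, poly_hash(h, n_str + tweak))
    cc = block_encrypt(key, mm)
    s = xor_into(mm, cc)
    d = ctr(key, s, n_str)
    c = xor_into(cc, poly_hash(h, d + tweak))
    return c + d

def hctr_decrypt(key: bytes, h: int, tweak: bytes, ct: bytes) -> bytes:
    """(HCTR^T_{K,h})^{-1}(C, D): the three layers undone in reverse order."""
    assert len(ct) >= NB, "HCTR needs at least one block of input"
    c, d = ct[:NB], ct[NB:]
    cc = xor_into(c, poly_hash(h, d + tweak))
    mm = block_decrypt(key, cc)
    s = xor_into(mm, cc)
    n_str = ctr(key, s, d)
    m = xor_into(mm, poly_hash(h, n_str + tweak))
    return m + n_str

def demo() -> dict:
    """Constructed inputs: a 16-byte cipher key, an n-bit hash key h, a sector number as tweak."""
    key = hashlib.sha256(b"constructed cipher key").digest()[:16]
    h = int.from_bytes(hashlib.sha256(b"constructed hash key").digest()[:NB], "big")
    tweak = (7).to_bytes(8, "big")
    msg = b"sector payload that is not a multiple of 16 bytes!"   # 50 bytes, not a block multiple
    ct = hctr_encrypt(key, h, tweak, msg)
    return {
        "length_preserved": len(ct) == len(msg),
        "round_trip": hctr_decrypt(key, h, tweak, ct) == msg,
        "tweak_matters": hctr_encrypt(key, h, (8).to_bytes(8, "big"), msg) != ct,
        "one_block_ok": hctr_decrypt(key, h, b"", hctr_encrypt(key, h, b"", msg[:NB])) == msg[:NB],
    }
```

`demo()` checks the three things a practitioner cares about: the ciphertext has exactly the plaintext's length on a 50-byte input that is not a multiple of the block size, deciphering inverts enciphering, and changing only the tweak (the sector number) changes the ciphertext. Its last check exercises the single-block case with an empty tweak, where $N \| T$ is empty and $H_h$ returns $h$ itself.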
4 Discussions
UNIVERSAL HASH FUNCTION. $H$ in HCTR is a special AXU hash function. We cannot substitute a general AXU hash function for $H$. We define a different universal hash function $H'_h(X)$ with which HCTR is not secure. The main difference is the padding rule. In the HCTR mode, the padding rule is to append 0s and then the bit-length of $X$, as in $H$. Now we first append a 1 and then 0s to bring the bit-length of $X$ to a multiple of $n$, and then use the polynomial evaluation hash. Suppose $X = X_1, \cdots, X_m$ where $|X|_n = m$ and $|X_1| = \cdots = |X_{m-1}| = n$. If $|X_m| = n$, then $H'_h(X) = X_1 \cdot h^{m+1} \oplus \cdots \oplus X_m \cdot h^2 \oplus 10^{n-1} \cdot h$. If $|X_m| < n$, then $H'_h(X) = X_1 \cdot h^m \oplus \cdots \oplus X_m 10^* \cdot h$. We can prove that $\Pr[h \xleftarrow{R} \{0,1\}^n : H'_h(X) \oplus H'_h(Y) = Z] \le \varepsilon$ for all $X, Y \in \{0,1\}^*$, $Z \in \{0,1\}^n$, $X \ne Y$, where $\varepsilon = l/2^n$ and $l = \max\{|X|_n, |Y|_n\} + 1$. So $H'$ is an AXU hash function of the same quality as $H$, yet HCTR built on it fails.
We now choose the tweak length as 0: $\mathcal{T} = \emptyset$. In this situation we can show that $\mathrm{HCTR}[E, H']$ is not even a $\widetilde{\mathrm{prp}}$. We first make an arbitrary enciphering query $(M_1, N_1)$ with $|N_1| = n - 1$ and get the answer $(C_1, D_1)$. If $D_1[n-1] = N_1[n-1]$, we repeat with a fresh query until $D_1[n-1] \ne N_1[n-1]$. Now we make another enciphering query $(M_2, N_2)$ with $M_2 = M_1 \oplus C_1$ and $N_2 = (N_1 \oplus D_1)[1, n-2]$, and get the answer $(C_2, D_2)$. Then the input to the second blockcipher call in the previous query is the same as the input to the first blockcipher call in the last query. Therefore $(N_1 \oplus D_1)[1, n-2] = (C_2 \oplus H'_h(D_2))[1, n-2]$, i.e. $(N_1 \oplus D_1)[1, n-2] = (C_2 \oplus h \cdot D_2 10)[1, n-2]$. This yields $n - 2$ of the $n$ bits of the product $h \cdot D_2 10$, so we can recover $h$ with success probability $1/4$ and strip off the hash function layers. Without the hash function layers, we can easily distinguish HCTR from a random permutation.
LENGTH OF TWEAK. The length of the tweak is fixed, because in most application environments there is no need for a variable-length tweak. We can choose the tweak length according to the practical application environment. If we really need a variable-length tweak, we can choose GHASH [16, 14, 13], which is similar to $H$ and takes two inputs.

MULTIPLICATION. The multiplication in the finite field dominates the efficiency of the hash function layers. A simple implementation of the multiplication is even much slower than one AES call. But notice that the key $h$ is a constant during enciphering, so we can do some pre-computation before enciphering. This time-memory tradeoff greatly speeds up the hash function, though a bit more storage is needed. See [16, 25] for specific discussions.
                         CMC      EME              ABL        XCB        HCTR
Keys                     2        1                4          5          2
Blockcipher calls        2m+1     2m+1             2m−2       m+1        m
Universal hash calls     0        0                2          2          2
Variable input length    ×        multiple of n    √          √          √
Parallelizable           ×        almost           partially  partially  partially
COMPARISONS. We compare HCTR with other enciphering modes, namely CMC, EME, ABL and XCB, from several aspects. Suppose that we encrypt a message of $m$ blocks. The comparisons are listed in the table above. The first row is the number of keys. The second and third rows are the numbers of invocations of the blockcipher and of the universal hash function. The remaining rows are whether the mode supports variable input length and whether it is parallelizable. In a wide blockcipher every input bit must affect every output bit, so there is no full parallelization. Even in the EME mode, the last layer can begin only after the first layer has completely finished. In the HCTR mode, the CTR encryption can be parallelized.
5 Security of HCTR
We prove that HCTR is a $\widetilde{\mathrm{sprp}}$. A concrete security bound for HCTR is given in Theorem 1. Lemma 1 shows that a random tweakable permutation and its inverse are indistinguishable from oracles that return random bits. This lemma greatly simplifies the proof of Lemma 2, which shows the security of HCTR when $E_K$ is replaced by a random permutation.

Lemma 1 (Lemma 6 in [8]). Let $\pi \xleftarrow{R} \mathrm{Perm}^{\mathcal{T}}(\mathcal{M})$. Then for any adversary $A$ that makes $q$ queries,

$\Pr[A^{\pi(\cdot,\cdot),\, \pi^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\$(\cdot,\cdot),\, \$(\cdot,\cdot)} \Rightarrow 1] \le q^2 / 2^{N+1}$,

where $\$(T, M)$ returns $|M|$ random bits and $N$ is the bit-length of a shortest string in $\mathcal{M}$.

Let $\mathrm{HCTR}[\mathrm{Perm}(n), H]$ be the variant of HCTR that uses a random permutation on $n$ bits instead of $E_K$. Specifically, the key generation algorithm returns a random permutation $\pi \xleftarrow{R} \mathrm{Perm}(n)$ and a random string $h \xleftarrow{R} \{0,1\}^n$. We first give a concrete security bound for $\mathrm{HCTR}[\mathrm{Perm}(n), H]$.

Lemma 2. Let $\widetilde{E} = \mathrm{HCTR}[\mathrm{Perm}(n), H]$. Then for any adversary $A$ that asks enciphering/deciphering queries totalling $\sigma$ blocks,

$\Pr[A^{\widetilde{E}(\cdot,\cdot),\, \widetilde{E}^{-1}(\cdot,\cdot)} \Rightarrow 1] - \Pr[A^{\$(\cdot,\cdot),\, \$(\cdot,\cdot)} \Rightarrow 1] \le ((2 + t_0)\sigma^2 + \sigma^3) / 2^n$,

where $\$(T, M)$ returns $|M|$ random bits and $t_0 = |T|_n$. A proof is given in Appendix B.

We now present our result for $\mathrm{HCTR}[E, H]$. Our theorem shows that if $E$ is an sprp, then $\mathrm{HCTR}[E, H]$ is a $\widetilde{\mathrm{sprp}}$. More specifically, it states that if there is an adversary $A$ attacking the strong pseudorandomness of $\mathrm{HCTR}[E, H]$ asking queries of at most $\sigma$ blocks in total, then there is an adversary $B$ attacking the strong pseudorandomness of $E$ such that $\mathbf{Adv}^{\mathrm{sprp}}_E(B) \ge \mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A) - q^2/2^{n+1} - ((2 + t_0)\sigma^2 + \sigma^3)/2^n$. So when $\mathbf{Adv}^{\mathrm{sprp}}_E(B)$ is small for every $B$ with reasonable resources, $\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A)$ must be small. This means that the strong security of $E$ implies the strong security of $\mathrm{HCTR}[E, H]$. The theorem for $\mathrm{HCTR}[E, H]$ is given below.

Theorem 1. For any adversary $A$ that makes $q$ queries totalling $\sigma$ plaintext/ciphertext blocks, there is an adversary $B$ that makes $\sigma$ queries such that

$\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A) \le \mathbf{Adv}^{\mathrm{sprp}}_E(B) + q^2/2^{n+1} + ((2 + t_0)\sigma^2 + \sigma^3)/2^n$,

where $t_0 = |T|_n$. Furthermore, $B$ runs in approximately the same time as $A$.
Proof (of Theorem 1). Let $\widetilde{E}_1 = \mathrm{HCTR}[E, H]$ and $\widetilde{E}_2 = \mathrm{HCTR}[\mathrm{Perm}(n), H]$, and let $\pi \xleftarrow{R} \mathrm{Perm}^{\mathcal{T}}(n)$ where $\mathcal{T} = \{0,1\}^t$. Consider the following probabilities:

$p_1 = \Pr[A^{\widetilde{E}_1,\, \widetilde{E}_1^{-1}} \Rightarrow 1] - \Pr[A^{\widetilde{E}_2,\, \widetilde{E}_2^{-1}} \Rightarrow 1]$,

$p_2 = \Pr[A^{\widetilde{E}_2,\, \widetilde{E}_2^{-1}} \Rightarrow 1] - \Pr[A^{\$,\, \$} \Rightarrow 1]$,

$p_3 = \Pr[A^{\$,\, \$} \Rightarrow 1] - \Pr[A^{\pi,\, \pi^{-1}} \Rightarrow 1]$.

Adversary $B$ chooses $h$ at random, simulates $A$ by answering its HCTR queries with $B$'s own oracles in place of $E_K$ and $E_K^{-1}$, and returns whatever $A$ returns. Then $p_1 = \mathbf{Adv}^{\mathrm{sprp}}_E(B)$. By Lemma 1, $p_3 \le q^2/2^{n+1}$. By Lemma 2, $p_2 \le ((2 + t_0)\sigma^2 + \sigma^3)/2^n$. Since $\mathbf{Adv}^{\widetilde{\mathrm{sprp}}}_{\mathrm{HCTR}[E,H]}(A) = p_1 + p_2 + p_3$, the bound follows.
Acknowledgment
We thank the anonymous referees for their many helpful comments. This research is supported by the National Natural Science Foundation of China (No. 60273027, 60373047, 60025205) and the National Grand Fundamental Research 973 Program of China (No. G1999035802, 2004CB318004).
References
1. M. Bellare and P. Rogaway. On the construction of variable-input-length ciphers.
In L. Knudsen, editor, Fast Software Encryption 1999, volume 1636 of LNCS, pages
231–244. Springer-Verlag, 1999.
2. M. Bellare and P. Rogaway. The game-playing technique. Cryptology ePrint
Archive, Report 2004/331, 2004. http://eprint.iacr.org/ .
3. J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable
message authentication. In L. R. Knudsen, editor, Advances in Cryptology – EU-
ROCRYPT 2002, volume 2332 of LNCS, pages 384–397. Springer-Verlag, 2002.
4. J. L. Carter and M. N. Wegman. Universal classes of hash functions. Journal of
Computer and System Sciences, 18(2):143–154, 1979.
5. P. Crowley. Mercy: A fast large block cipher for disk sector encryption. In
B. Schneier, editor, Fast Software Encryption 2000, volume 1978 of LNCS, pages
49–63. Springer-Verlag, 2001.
6. FIPS-197. Federal information processing standards publication (FIPS
197). Advanced Encryption Standard (AES), 2001. http://csrc.nist.
gov/publications/fips/fips197/fips-197.pdf.
7. S. R. Fluhrer. Cryptanalysis of the Mercy block cipher. In M. Matsui, editor, Fast
Software Encryption 2001, volume 2355 of LNCS, pages 28–36. Springer-Verlag,
2002.
8. S. Halevi and P. Rogaway. A tweakable enciphering mode. In D. Boneh, editor,
Advances in Cryptology – CRYPTO 2003, volume 2729 of LNCS, pages 482–499.
Springer-Verlag, 2003.
9. S. Halevi and P. Rogaway. A parallelizable enciphering mode. In T. Okamoto,
editor, The Cryptographers’ Track at RSA Conference – CT-RSA 2004,volume
2964 of LNCS. Springer-Verlag, 2004.
10. J. Kilian and P. Rogaway. How to protect DES against exhaustive key search.
In N. Koblitz, editor, Advances in Cryptology – CRYPTO 1996, volume 1109 of
LNCS, pages 252–267. Springer-Verlag, 1996.
11. M. Liskov, R. L. Rivest, and D. Wagner. Tweakable block ciphers. In M. Yung,
editor, Advances in Cryptology – CRYPTO 2002, volume 2442 of LNCS, pages
31–46. Springer-Verlag, 2002.
12. M. Luby and C. Rackoff. How to construct pseudorandom permutations from
pseudorandom functions. SIAM Journal on Computing, 17(2):373–386, 1988. Spe-
cial issue on cryptography.
13. D. A. McGrew and S. R. Fluhrer. The extended codebook (XCB) mode
of operation. Cryptology ePrint Archive, Report 2004/278, 2004. http://
eprint.iacr.org/.
14. D. A. McGrew and J. Viega. The security and performance of the Galois/Counter Mode (GCM) of operation. In A. Canteaut and K. Viswanathan, editors, Progress in Cryptology – INDOCRYPT 2004, volume 3348 of LNCS, pages 343–355. Springer-Verlag, 2004.
15. D. A. McGrew and J. Viega. The ABL mode of operation, 2004. http://grouper.
ieee.org/groups/1619/email/pdf00004.pdf.
16. D. A. McGrew and J. Viega. The galois/counter mode of operation (GCM), 2004.
http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes .
17. M. Naor and O. Reingold. A pseudo-random encryption mode. http://wisdom.weizmann.ac.il/~naor/.
18. M. Naor and O. Reingold. On the construction of pseudo-random permutations:
Luby-rackoff revisited. In Proceedings of the 29th Annual ACM Symposium on the
Theory of Computing (STOC ’97), pages 189–199, New York, 1997. Association
for Computing Machinery.
19. P1619. IEEE Security in Storage Working Group. http://www.siswg.org/.
20. S. Patel, Z. Ramzan, and G. S. Sundaram. Towards making Luby-Rackoff ciphers
optimal and practical. In L. Knudsen, editor, Fast software encryption 1999,vol-
ume 1636 of LNCS, pages 171–185. Springer-Verlag, 1999.
21. S. Patel, Z. Ramzan, and G. S. Sundaram. Efficient constructions of variable-input-
length block ciphers. In H. Handschuh and M. A. Hasan, editors, Selected Areas in
Cryptography 2004, volume 3357 of LNCS, pages 326–340. Springer-Verlag, 2005.
22. P. Rogaway. Efficient instantiations of tweakable blockciphers and refinements to
modes OCB and PMAC. In P. J. Lee, editor, Advances in Cryptology – ASI-
ACRYPT 2004, volume 3329 of LNCS, pages 16–31. Springer-Verlag, 2004.
23. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: a block-cipher mode of operation for efficient authenticated encryption. In Proceedings of the 8th ACM Conference on Computer and Communications Security, pages 196–205, 2001.
24. R. Schroeppel. The hasty pudding cipher. http://www.cs.arizona.edu/rcs/
hpc/.
25. V. Shoup. On fast and provably secure message authentication based on universal
hashing. In N. Koblitz, editor, Advances in Cryptology – CRYPTO 1996,volume
1109 of LNCS, pages 313–328. Springer-Verlag, 1996.
26. V. Shoup. Sequences of games: a tool for taming complexity in security proofs.
Cryptology ePrint Archive, Report 2004/332, 2004. http://eprint.iacr.org/.
27. SP-800-38A. Recommendation for block cipher modes of operation - methods
and techniques. NIST Special Publication 800-38A, 2001. http://csrc.nist.gov/
publications/nistpubs/800-38a/sp800-38a.pdf.
A Intellectual Property Statement
The authors explicitly release any intellectual property rights to the HCTR mode into the public domain. Further, the authors are not aware of any patent or patent application anywhere in the world that covers this mode.
B Proof of Lemma 2
Proof (of Lemma 2). Suppose $A$ makes $q$ queries. Assume that the $r$-th query is $(T^r, U^r, V^r)$, where $T^r$ is the tweak and $(U^r, V^r)$ is the plaintext (or ciphertext). Suppose $m_r = |(U^r, V^r)|_n$; then $\sigma = m_1 + \cdots + m_q$ is the total number of plaintext/ciphertext blocks. Furthermore, we split $V^r$ into blocks: $V^r = V^r_1, \cdots, V^r_{m_r - 1}$. We describe the attack of $A$ as an interaction with games.

Game 1 and Game 2. The following Game 1 illustrates how $\mathrm{HCTR}[\mathrm{Perm}(n), H]$ and its inverse answer $A$'s queries (statements in [brackets] are the boxed statements):

D ← R ← ∅; bad ← false
If the r-th query (T^r, U^r, V^r) is an enciphering query:
  UU^r ← U^r ⊕ H_h(V^r || T^r)
  XX^r ←R {0,1}^n
  if UU^r ∈ D then bad ← true, [XX^r ← π(UU^r)]
  if XX^r ∈ R then bad ← true, [XX^r ←R complement of R]
  D ← D ∪ {UU^r}; R ← R ∪ {XX^r}
  S^r ← UU^r ⊕ XX^r
  for i ← 1 to m_r − 1 do
    YY^r_i ←R {0,1}^n
    if S^r ⊕ i ∈ D then bad ← true, [YY^r_i ← π(S^r ⊕ i)]
    if YY^r_i ∈ R then bad ← true, [YY^r_i ←R complement of R]
    D ← D ∪ {S^r ⊕ i}; R ← R ∪ {YY^r_i}
  YY^r ← YY^r_1 || ··· || YY^r_{m_r−1}
  D^r ← V^r ⊕← YY^r
  C^r ← XX^r ⊕ H_h(D^r || T^r)
  return (C^r, D^r)
If the r-th query (T^r, U^r, V^r) is a deciphering query:
  UU^r ← U^r ⊕ H_h(V^r || T^r)
  XX^r ←R {0,1}^n
  if UU^r ∈ R then bad ← true, [XX^r ← π^{−1}(UU^r)]
  if XX^r ∈ D then bad ← true, [XX^r ←R complement of D]
  D ← D ∪ {XX^r}; R ← R ∪ {UU^r}
  S^r ← UU^r ⊕ XX^r
  for i ← 1 to m_r − 1 do
    YY^r_i ←R {0,1}^n
    if S^r ⊕ i ∈ D then bad ← true, [YY^r_i ← π(S^r ⊕ i)]
    if YY^r_i ∈ R then bad ← true, [YY^r_i ←R complement of R]
    D ← D ∪ {S^r ⊕ i}; R ← R ∪ {YY^r_i}
  YY^r ← YY^r_1 || ··· || YY^r_{m_r−1}
  N^r ← V^r ⊕← YY^r
  M^r ← XX^r ⊕ H_h(N^r || T^r)
  return (M^r, N^r)
Notice that the permutation $\pi$ is not chosen before the attack, but "on the fly" as needed to answer the queries. The sets $D$ and $R$, which are multisets in which an element may repeat, keep track of the domain and the range of $\pi$ respectively. Game 2 is obtained by omitting the boxed statements. Because $XX^r, YY^r$ ($r = 1, \cdots, q$) are independent random strings, the answers $A$ gets when interacting with Game 2 are also independent random strings, so $A^{\text{Game 2}}$ is the same as $A^{\$,\$}$. Game 1 and Game 2 behave identically until the flag $bad$ is set, since each boxed statement is executed only after $bad$ has been set to true. Therefore we have

$\Pr[A^{\widetilde{E},\, \widetilde{E}^{-1}} \Rightarrow 1] - \Pr[A^{\$,\, \$} \Rightarrow 1] = \Pr[A^{\text{Game 1}} \Rightarrow 1] - \Pr[A^{\text{Game 2}} \Rightarrow 1] \le \Pr[A^{\text{Game 2}} \text{ sets } bad].$ (1)
Game 3. We make some modifications to Game 2. The answer to each query is directly chosen as a random string, and the state of $bad$ is determined at the end of all queries. Game 3 is the following:

Initialization:
  D ← R ← ∅
On the r-th query (T^r, U^r, V^r):
  (X^r, Y^r) ←R {0,1}^{m_r · n}
  return (X^r, Y^r)[1, |(U^r, V^r)|]
Finalization:
  for r ← 1 to q do:
    If the r-th query (T^r, U^r, V^r) is an enciphering query:
      UU^r ← U^r ⊕ H_h(V^r || T^r)
      XX^r ← X^r ⊕ H_h(Y^r[1, |V^r|] || T^r)
      D ← D ∪ {UU^r}; R ← R ∪ {XX^r}
      S^r ← UU^r ⊕ XX^r
      for i ← 1 to m_r − 1 do
        D ← D ∪ {S^r ⊕ i}; R ← R ∪ {Y^r_i ⊕← V^r_i}
    If the r-th query (T^r, U^r, V^r) is a deciphering query:
      UU^r ← U^r ⊕ H_h(V^r || T^r)
      XX^r ← X^r ⊕ H_h(Y^r[1, |V^r|] || T^r)
      D ← D ∪ {XX^r}; R ← R ∪ {UU^r}
      S^r ← UU^r ⊕ XX^r
      for i ← 1 to m_r − 1 do
        D ← D ∪ {S^r ⊕ i}; R ← R ∪ {Y^r_i ⊕← V^r_i}
  bad ← (there is a repetition in D) or (there is a repetition in R)
We have $\Pr[A^{\text{Game 2}} \text{ sets } bad] = \Pr[A^{\text{Game 3}} \text{ sets } bad]$. (2)

Without loss of generality, suppose that $A$ is a deterministic algorithm. We would like to prove that for any fixed $X^r, Y^r$ ($r = 1, \cdots, q$) the above probability is negligible, but that is not true: for example, when $Y^1_1 \overleftarrow{\oplus} V^1_1 = Y^2_1 \overleftarrow{\oplus} V^2_1$, $bad$ is set to true whatever $h$ is. So we first make some restrictions on the choices of these random strings.

Restrictions on the choices of $(X^r, Y^r)$:
1. $X^r, Y^r_i$ are all distinct.
2. $X^r \ne U^r \oplus X^s \oplus U^s \oplus i \oplus j$ for all $s < r$, $1 \le i \le m_r - 1$, $1 \le j \le m_s - 1$.
3. $X^r \ne U^s$ for all $s < r$.
4. $Y^r_i \ne Y^s_j \overleftarrow{\oplus} V^s_j \overleftarrow{\oplus} V^r_i$ for all $s < r$, and for $s = r$ with $j < i$.

It is easy to check that each restriction above excludes at most a $\sigma^2/2^{n+1}$ fraction of the choices of $(X^r, Y^r)$. In total, the choices of $(X^r, Y^r)$ are reduced by at most $2\sigma^2/2^n$.
Game 4. With these restrictions, we fix the queries and answers. Suppose that $\{T^r, U^r, V^r, X^r, Y^r \mid r = 1, \cdots, q\}$ maximizes the probability of setting $bad$. Now consider the following non-interactive and non-adaptive Game 4:

for r ← 1 to q do:
  If the r-th query (T^r, U^r, V^r) is an enciphering query:
    UU^r ← U^r ⊕ H_h(V^r || T^r)
    XX^r ← X^r ⊕ H_h(Y^r[1, |V^r|] || T^r)
    D ← D ∪ {UU^r}; R ← R ∪ {XX^r}
    S^r ← UU^r ⊕ XX^r
    for i ← 1 to m_r − 1 do
      D ← D ∪ {S^r ⊕ i}; R ← R ∪ {Y^r_i ⊕← V^r_i}
  If the r-th query (T^r, U^r, V^r) is a deciphering query:
    UU^r ← U^r ⊕ H_h(V^r || T^r)
    XX^r ← X^r ⊕ H_h(Y^r[1, |V^r|] || T^r)
    D ← D ∪ {XX^r}; R ← R ∪ {UU^r}
    S^r ← UU^r ⊕ XX^r
    for i ← 1 to m_r − 1 do
      D ← D ∪ {S^r ⊕ i}; R ← R ∪ {Y^r_i ⊕← V^r_i}
bad ← (there is a repetition in D) or (there is a repetition in R)
From the above discussion we have that

$\Pr[A^{\text{Game 3}} \text{ sets } bad] \le \Pr[\text{Game 4 sets } bad] + 2\sigma^2/2^n$. (3)

Let $I = \{1, \cdots, q\}$ and $I = I_1 \cup I_2$, where $I_1 = \{s \in I \mid (T^s, U^s, V^s) \text{ is an enciphering query}\}$ and $I_2 = \{t \in I \mid (T^t, U^t, V^t) \text{ is a deciphering query}\}$. Let $l = \max\{m_1, \cdots, m_q\}$. We can see that $D = D_1 \cup D_2 \cup D_3$, where $D_1 = \{UU^s \mid s \in I_1\}$, $D_2 = \{XX^t \mid t \in I_2\}$ and $D_3 = \{S^r \oplus i \mid r \in I, 1 \le i \le m_r - 1\}$; and $R = R_1 \cup R_2 \cup R_3$, where $R_1 = \{XX^s \mid s \in I_1\}$, $R_2 = \{UU^t \mid t \in I_2\}$ and $R_3 = \{Y^r_i \overleftarrow{\oplus} V^r_i \mid r \in I, 1 \le i \le m_r - 1\}$.

Any element in $D$ or $R$ is a polynomial in $h$ of degree at most $l + t_0$. We want to prove that for any $X_1, X_2 \in D$ or $X_1, X_2 \in R$, the repetition probability $\Pr[X_1 = X_2] \le (l + t_0)/2^n$. Because a nonzero polynomial of degree at most $l + t_0$ has at most $l + t_0$ roots in the field, we only need to prove that $X_1 \oplus X_2$ is a nonzero polynomial in $h$.

We consider the following situations:

– $X_1, X_2 \in D_1$. The $(T^s, U^s, V^s)$, $s \in I_1$, are all distinct, because $A$ never asks a trivial query. By property 1 of $H$, $X_1 \oplus X_2$ is a nonzero polynomial.
– $X_1, X_2 \in D_2$. By restriction 1, the constant term of $X_1 \oplus X_2$ is nonzero.
– $X_1, X_2 \in D_3$. By restriction 2, the constant term of $X_1 \oplus X_2$ is nonzero.
– $X_1 \in D_1$ and $X_2 \in D_2$. Suppose $X_1 = UU^s$ and $X_2 = XX^t$. If $s < t$, then by restriction 3 the constant term of $X_1 \oplus X_2$ is nonzero. If $s > t$, then $(T^s, U^s, V^s) \ne (T^t, X^t, Y^t[1, |V^t|])$, because $A$ never makes a trivial query. By property 1 of $H$, $X_1 \oplus X_2$ is a nonzero polynomial.
– $X_1 \in D_2$ and $X_2 \in D_3$. By property 2 of $H$, $X_1 \oplus X_2$ is a nonzero polynomial.
– $X_1 \in D_1$ and $X_2 \in D_3$. The same reason as above.
– $X_1, X_2 \in R_1$. By restriction 1, the constant term of $X_1 \oplus X_2$ is nonzero.
– $X_1, X_2 \in R_2$. The $(T^t, U^t, V^t)$, $t \in I_2$, are all distinct, because $A$ never makes a trivial query. By property 1 of $H$, $X_1 \oplus X_2$ is a nonzero polynomial.
– $X_1, X_2 \in R_3$. By restriction 4, $X_1 \oplus X_2$ is a nonzero constant.
– $X_1 \in R_1$ and $X_2 \in R_2$. Suppose $X_1 = XX^s$ and $X_2 = UU^t$. If $s > t$, then by restriction 3 the constant term of $X_1 \oplus X_2$ is nonzero. If $s < t$, then $(T^t, U^t, V^t) \ne (T^s, X^s, Y^s[1, |V^s|])$, because $A$ never makes a trivial query. By property 1 of $H$, $X_1 \oplus X_2$ is a nonzero polynomial.
– $X_1 \in R_2$ and $X_2 \in R_3$. By property 2 of $H$, $X_1 \oplus X_2$ is a nonzero polynomial.
– $X_1 \in R_1$ and $X_2 \in R_3$. The same reason as above.

There are in total $\sigma(\sigma - 1)/2$ pairs of elements in $D$ and $\sigma(\sigma - 1)/2$ pairs of elements in $R$. So the probability of a repetition in $D$ or $R$ is at most $(l + t_0)\sigma^2/2^n$, and since $l \le \sigma$,

$\Pr[\text{Game 4 sets } bad] \le (l + t_0)\sigma^2/2^n \le (t_0\sigma^2 + \sigma^3)/2^n$. (4)

Combining (1), (2), (3) and (4) completes the proof.