Skip to main content

Module hctr2pp

Module hctr2pp 

Source
Expand description

HCTR2++ (HCTR++) beyond-birthday-bound secure variant of HCTR2.

HCTR2++ is the construction from “HCTR++: A Beyond Birthday Bound Secure HCTR2 Variant” by Ozturk, Kocak and Yayla. It keeps the Hash-Encrypt-Hash structure of HCTR2 but replaces every static block cipher call with Mennink’s R3 fresh re-keying scheme and widens the universal hash function from n bits to 2n bits. The result is O(2^n) SPRP security with unique tweaks, degrading gracefully with tweak reuse, while still being built from a plain block cipher (AES).

Construction (Figure 4 of the paper):

  • Subkeys h1, h2 (2n-bit hash keys) and K (2n-bit re-keying key) are derived from the master key as E_K(bin(1))||E_K(bin(2)), E_K(bin(3))||E_K(bin(4)) and E_K(bin(5))||E_K(bin(6))
  • The first block is masked with the top half of a 2n-bit hash of the bulk and the tweak, then encrypted under an R3-derived ephemeral key; the bottom half of the hash seeds the re-keying nonce
  • The internal state r||J is the 2n-bit hash of CC and the tweak under h1 XOR h2
  • CTR++ generates the keystream with a fresh R3-derived key per block
  • The first output block goes through an inverse block cipher call so that the ciphertext depends on the complete hash digest, and encryption and decryption share the same code path with h1 and h2 swapped

The 2n-bit hash is instantiated as a POLYVAL-style polynomial evaluation over GF(2^256). Blocks are 32 bytes interpreted as little-endian polynomials, and the field is defined by the irreducible pentanomial x^256 + x^10 + x^5 + x^2 + 1. The input encoding mirrors the HCTR2 hash: a length block encoding 2*|T| + 2 (or + 3 when the message is not block-aligned), the zero-padded tweak, then the message padded with a single 1 bit and zeros.

Security properties:

  • Beyond-birthday-bound SPRP security, approaching O(2^n) with unique tweaks
  • Security degrades with the number of queries sharing the same tweak
  • Ciphertext length equals plaintext length (no expansion)
  • No authentication - consider AEAD if integrity protection is needed
  • Minimum message length: 16 bytes (one AES block)

The re-keying makes this mode noticeably slower than HCTR2: every message block costs one AES key schedule, one AES call and two GF(2^256) multiplications.

Structs§

Hctr2pp
Generic HCTR2++ cipher parameterized by the master AES key size.

Constants§

HASH_BLOCK_LENGTH
Hash block length in bytes (2n bits with n = 128).

Type Aliases§

Hctr2pp_128
HCTR2++ with an AES-128 master key.
Hctr2pp_256
HCTR2++ with an AES-256 master key.