CHCTR2 (Cascaded HCTR2): a beyond-birthday-bound secure wide-block tweakable cipher.
CHCTR2 achieves 2n/3-bit multi-user security (approximately 85 bits with 128-bit blocks) by cascading HCTR2 twice with two independent keys. This provides significantly higher security than standard HCTR2’s birthday-bound (64-bit) security.
Construction (from “Beyond-Birthday-Bound Security with HCTR2”, ASIACRYPT 2025):
- Uses two independent keys K1 and K2
- CHCTR2_{K1,K2} = HCTR2[K2](T, HCTR2[K1](T, M))
- Optimized: middle hash layer combines H1 and H2: Z_{1,2} = H1(T,R) XOR H2(T,R)
- Cost per block: 2 BC calls + 3 field multiplications
Security properties:
- Beyond-birthday-bound: ~85-bit security vs HCTR2’s ~64-bit
- No restrictions on tweak usage
- Multi-user secure
- Ciphertext length equals plaintext length
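The plain (unoptimized) cascade formula above, as an added Rust sketch that is not this crate's code or API: `ToyTbc` is an insecure, hypothetical stand-in for HCTR2, and `ToyCascade`, the K1 || K2 key layout and the sample key, tweak and message are assumptions constructed for the illustration. It shows the same tweak feeding both layers, decryption undoing the layers in reverse order, and the length-preserving property.

```rust
// Added illustration, not crate code. ToyTbc is an INSECURE stand-in for HCTR2.
struct ToyTbc { key: Vec<u8> }
impl ToyTbc {
    // Pad byte from key, tweak and position (FNV-1a mixing, not a PRF).
    fn pad(&self, tweak: &[u8], i: usize) -> u8 {
        let (mut h, pos) = (0xcbf2_9ce4_8422_2325u64, (i as u64).to_le_bytes());
        for &b in self.key.iter().chain(tweak).chain(&pos) {
            h = (h ^ b as u64).wrapping_mul(0x0100_0000_01b3);
        }
        (h >> 32) as u8
    }
    fn encrypt(&self, tweak: &[u8], buf: &mut [u8]) {
        for i in 0..buf.len() {
            buf[i] = buf[i].wrapping_add(self.pad(tweak, i));
            if i > 0 { buf[i] ^= buf[i - 1]; } // chaining: layer is not an involution
        }
    }
    fn decrypt(&self, tweak: &[u8], buf: &mut [u8]) {
        for i in (0..buf.len()).rev() {
            if i > 0 { buf[i] ^= buf[i - 1]; }
            buf[i] = buf[i].wrapping_sub(self.pad(tweak, i));
        }
    }
}

struct ToyCascade { l1: ToyTbc, l2: ToyTbc }
impl ToyCascade {
    // Assumption: the 32-byte key is K1 || K2 (the page does not give the layout).
    fn new(key: &[u8; 32]) -> Self {
        ToyCascade { l1: ToyTbc { key: key[..16].to_vec() }, l2: ToyTbc { key: key[16..].to_vec() } }
    }
    // C = E[K2](T, E[K1](T, M)): the same tweak T feeds both layers.
    fn encrypt(&self, tweak: &[u8], buf: &mut [u8]) {
        self.l1.encrypt(tweak, buf);
        self.l2.encrypt(tweak, buf);
    }
    // Decryption peels the layers in reverse order: K2 first, then K1.
    fn decrypt(&self, tweak: &[u8], buf: &mut [u8]) {
        self.l2.decrypt(tweak, buf);
        self.l1.decrypt(tweak, buf);
    }
}

fn main() {
    let key: [u8; 32] = std::array::from_fn(|i| i as u8); // constructed key, K1 != K2
    let (c, mut msg) = (ToyCascade::new(&key), *b"sector 42 payload");
    c.encrypt(b"lba=42", &mut msg);
    c.decrypt(b"lba=42", &mut msg);
    assert_eq!(&msg, b"sector 42 payload");
}
```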
Structs
- Chctr2: Generic CHCTR2 cipher parameterized by AES key size.
Type Aliases
- Chctr2Error (Deprecated)
- Chctr2_128: CHCTR2 with AES-128 encryption (uses two AES-128 keys = 32 bytes total).
- Chctr2_256: CHCTR2 with AES-256 encryption (uses two AES-256 keys = 64 bytes total).