HCTR3 (Hash-CTR-Hash version 3) length-preserving wide-block tweakable cipher.
HCTR3 is an improved version of HCTR2 with enhanced security properties. Like HCTR2, it requires no nonce or authentication tag.
Construction differences from HCTR2:
- Two-key construction (encryption key + derived authentication key)
- SHA-256 hashing of tweaks for domain separation
- ELK mode (Encrypted LFSR Keystream) instead of XCTR
- Constant-time LFSR implementation
Security properties:
- Ciphertext length equals plaintext length (no expansion)
- Stronger security bounds than HCTR2
- Requires unique (key, tweak) pairs for security
- No authentication - consider AEAD if integrity protection is needed
- Minimum message length: 16 bytes (one AES block)
Structs
- Hctr3: Generic HCTR3 cipher parameterized by AES key size.
Type Aliases
- Hctr3Error (Deprecated)
- Hctr3_128: HCTR3 with AES-128 encryption and SHA-256 tweak hashing.
- Hctr3_256: HCTR3 with AES-256 encryption and SHA-256 tweak hashing.