The security of the cipher block chaining message authentication code
Journal of Computer and System Sciences
Discrete Mathematics
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Two Practical and Provably Secure Block Ciphers: BEARS and LION
Proceedings of the Third International Workshop on Fast Software Encryption
A Concrete Security Treatment of Symmetric Encryption
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
Invertible universal hashing and the TET encryption mode
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
HCH: a new tweakable enciphering scheme using the hash-encrypt-hash approach
INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
HCTR: a variable-input-length enciphering mode
CISC'05 Proceedings of the First SKLOIS conference on Information Security and Cryptology
A new mode of encryption providing a tweakable strong pseudo-random permutation
FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
EME*: extending EME to handle arbitrary-length messages with associated data
INDOCRYPT'04 Proceedings of the 5th international conference on Cryptology in India
On Some Weaknesses in the Disk Encryption Schemes EME and EME2
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Length-doubling ciphers and tweakable ciphers
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Hi-index | 0.00 |
The XCB mode of operation was outlined in 2004 as a contribution to the IEEE Security in Storage effort, but no security analysis was provided. In this paper, we provide a proof of security for XCB, and show that it is a secure tweakable (super) pseudorandom permutation. Our analysis makes several new contributions: it uses an algebraic property of XCB's internal universal hash function to simplify the proof, and it defines a nonce mode inwhich XCB can be securely used even when the plaintext is shorter than twice the width of the underlying block cipher. We also show minor modifications that improve the performance of XCB and make it easier to analyze. XCB is interesting because it is highly efficient in both hardware and software, it has no alignment restrictions on input lengths, it can be used in nonce mode, and it uses the internal functions of the Galois/Counter Mode (GCM) of operation, which facilitates design re-use and admits multi-purpose implementations.