The notion of tweakable block ciphers was formally introduced by Liskov-Rivest-Wagner at Crypto 2002 (the 2002 Annual International Cryptology Conference). The extension of this notion to tweakable enciphering schemes, which can handle variable-length messages, together with the first such construction, called CMC, was given by Halevi-Rogaway at Crypto 2003. In this paper, we present HCH, a new construction of such a scheme. The construction uses two universal hash computations with a counter mode of encryption in between. This hash-counter-hash approach was first proposed by McGrew-Viega to build a scheme called XCB and was later used by Wang-Feng-Wu to obtain a scheme called HCTR. A unique feature of HCH compared to all known tweakable enciphering schemes is that HCH uses a single key, can handle arbitrary-length messages, and has a quadratic security bound. An important application of a tweakable enciphering scheme is disk encryption, and HCH is well suited for this application. We also describe a variant that can utilize precomputation and makes one fewer block cipher call. This compares favorably to other hash-encrypt-hash-type constructions, supports better key agility, and requires less key material.