Cryptology ePrint Archive: Report 2008/090

Improving upon HCTR and matching attacks for Hash-Counter-Hash approach

Mridul Nandi

Abstract: McGrew and Fluhrer first proposed hash-counter-hash approach to encrypt arbitrary length messages. By its nature, counter can handle incomplete message blocks as well as complete message blocks in the same manner. HCTR is the till date best (in terms of efficiency) strong pseudo random permutation or SPRP among all known counter based SPRPs. But as of now, a cubic bound for HCTR is known. Moreover, all invocations of underlying block ciphers can not be made in parallel. Our new proposal (we call it HMC or Hash Modified Counter) provides a quadratic security bound and all block cipher invocations are parallel in nature even if we have an incomplete message block. We also present a prp-distinguishing attack on a generic counter based encryption, which makes $q$ non-adaptive encryption queries consisting of $(\ell+1)$ $n$-bit blocks and has success probability roughly $\ell^2q^2/2^n$. Loosely speaking, the success probability matches with the upper bound of distinguishing probability. As a result, we prove that the known quadratic bounds for XCB, HCH and HMC are tight.

Category / Keywords: secret-key cryptography /

Date: received 28 Feb 2008

Contact author: mridul nandi at gmail com

Available formats: PDF | BibTeX Citation

Version: 20080228:193626 (All versions of this report)

Discussion forum: Show discussion | Start new discussion