Hash-Encrypt-Hash, a block cipher mode of operation

Author: alexcope@google.com
Google, 747 6th St S, Kirkland, WA 98033, USA
Area: General
Working Group: Crypto Forum Research Group
Abbreviation: HEH

Abstract

This memo describes a block cipher mode of operation known as Hash-Encrypt-Hash (HEH).

Introduction

This memo describes the implementation of the Hash-Encrypt-Hash (HEH) block cipher mode of operation as both an encryption algorithm and an AEAD. The primary benefit of HEH is that it extends the strong pseudorandom permutation property of block ciphers to arbitrary-length messages. This means that if any bit of the plaintext is flipped, each bit in the ciphertext will flip with 50% probability. No block cipher mode of operation that is currently in widespread use has this property. Additionally, HEH is more resistant to misuse than commonly-used block cipher modes of operation. For example, if nonces are reused, CTR fails catastrophically, and CBC will leak common prefixes of the underlying block size. HEH has neither of those problems.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Notation

ecb_key - key for the underlying ECB block cipher calls, generated by generate_keys.
block - 16 bytes.
buffer[i] - block i of buffer. Defined for 0 <= i < N.
buffer[N+] - bytes 16 * N until the end of buffer; the unpadded partial block.
EMPTY - buffer of length 0.
GF(2^128) - the Galois field of 2^128 elements, as defined in section 4.1.
msg - shorthand for message, a buffer that is an input to a function.
N - FLOOR(msg_length / 16), the number of full blocks of msg.
out_msg - buffer that is a transformation of msg. out_msg_length = msg_length unless otherwise explicitly specified.
prf_key - pseudo-random function key. The key passed as input to HEH.
tau_key - 16-byte key used to compute the hash, generated by generate_keys.
XOR - bitwise exclusive-or.
XXXX_length - length of XXXX in bytes.
* - multiplication in GF(2^128) as defined in section 4.2.
+ - addition in GF(2^128) as defined in section 4.3.
0^i - buffer of i zero bytes.
|| - concatenation.

Keys and Parameters

The HEH key is a single key of the same length as the underlying block cipher key. HEH uses CMAC to derive subkeys from the HEH key.

HEH MUST use a block cipher with a block size of 128 bits.

HEH SHOULD support a 16-byte nonce. Support for other nonce lengths between 0 and 2^32-1 (inclusive) bytes is OPTIONAL. Support for additional authenticated data (AAD) and support for varying AAD lengths between 0 and 2^32-1 (inclusive) bytes is OPTIONAL. Security implications are discussed in section 7.1.

4.1. The Field GF(2^128)

GF(2^128) is the Galois field of 2^128 elements defined by the irreducible polynomial x^128 + x^7 + x^2 + x + 1. Elements in the field are converted to and from 128-bit strings by taking the least-significant bit of the first byte to be the coefficient of x^0, the most-significant bit of the first byte to be the coefficient of x^7, and so on, until the most-significant bit of the last byte is the coefficient of x^127 [AES-GCM-SIV].

4.2. Multiplication

Multiplication is defined on 128-bit blocks by converting them to polynomials as described above, and then computing the resulting product modulo x^128 + x^7 + x^2 + x + 1.

4.3. Addition

For any two 128-bit elements X, Y in the Galois field, X + Y is defined as X XOR Y. The operations + and XOR are interchangeable within this document. For consistency we use + on 128-bit strings and XOR if the arguments are not 128 bits long.

Algorithm Descriptions

When appropriate, we will explain the output as both a mathematical formula and in pseudo-code. This information is redundant, and it exists to provide additional clarity. Implementations need not implement the exact algorithm specified by the pseudocode, so long as the output matches what the pseudocode would produce.

generate_keys

ecb_key and tau_key are generated from prf_key by taking the CMAC as defined in [CMAC] of fixed one-block messages. The input to the CMAC used to generate ecb_key and tau_key will never collide with the input used to generate any beta_key, because when generating a beta_key, the last 4 bytes of the input are always zero. To generate the beta_keys needed by HEH_hash, we take the CMAC as defined in [CMAC] of the nonce, AAD, nonce_length, AAD_length and plaintext_length. We use CMAC because it is a pseudorandom function on variable-length inputs.

Here pad_16(X) = X right-padded with 0s up to a multiple of 16 bytes. If X is already a multiple of 16 bytes (including if X is 0 bytes), this is a no-op.

The following MUST be true in order to generate conformant ciphertext:

- nonce_length, AAD_length, and plaintext_length MUST be 4 bytes long.
- nonce_length, AAD_length, and plaintext_length MUST be stored in little-endian format.
- The input to CMAC MUST be right-padded with 0x00 bytes up to a multiple of 16 bytes.
- CMAC MUST use the same block cipher that is used in CTS_2ECB_encrypt.
- CMAC MUST be implemented as described in [CMAC]. In particular, if CMAC is being reimplemented for HEH, be advised that there is a multiply-by-x substep of CMAC that uses a different finite field representation than the one described in section 4.

Poly_hash

Poly_hash treats each block of msg as a coefficient of a polynomial over GF(2^128), and evaluates that polynomial at tau_key to create a hash. Poly_hash is called as a subroutine of HEH_hash so that any minor change to msg will, with high probability, change every block of the HEH_hash output. Note that the coefficients of m_{N-1} and m_N are flipped if there is a partial block. This is done to simplify the implementation of HEH_hash_inv.

HEH_hash

HEH_hash is the hash step in Hash-Encrypt-Hash. It is an invertible hash function used to ensure that any change to msg will result in every full block being modified with high probability.

HEH_hash_inv

Inverse of HEH_hash.

CTS_2ECB_encrypt

The encryption step of Hash-Encrypt-Hash. CTS_2ECB_encrypt uses a modification of CTS-ECB. Because HEH_hash is the identity function on partial blocks, we encrypt the partial block by XORing it with a pad created by encrypting the XOR of the last full block of plaintext and the last full block of ciphertext.

CTS_2ECB_decrypt

Inverse of CTS_2ECB_encrypt. CTS_2ECB_decrypt is identical to CTS_2ECB_encrypt except that the initial block_cipher_encrypt calls are now block_cipher_decrypt calls.

HEH_encrypt

Core encryption function of HEH.

HEH_decrypt

Core decryption function of HEH.

Authentication

Because HEH is a strong pseudorandom permutation, it can also provide authentication with minimal modification. Support for authentication is OPTIONAL. To provide authentication, append 16 zero bytes to the end of the plaintext, then encrypt. When decrypting, we can determine the authenticity of the message by verifying that the final 16 bytes of the decrypted plaintext are the expected zero bytes.

HEH_AEAD_encrypt

The authenticated encryption function of HEH. HEH_AEAD_encrypt returns ciphertext which is 16 bytes longer than the plaintext msg.

HEH_AEAD_decrypt

The authenticated decryption function of HEH. HEH_AEAD_decrypt returns either plaintext which is 16 bytes shorter than msg, or the indication of inauthenticity FAIL.

Message Length Limits

The minimum length of the plaintext for HEH is 16 bytes. The maximum length is 2^32 - 1 bytes. When using HEH as an AEAD, this minimum and maximum apply to padded_msg.

7.1. Security Considerations

If no nonce is used (or, equivalently, if a 'nonce' is reused for multiple messages) then HEH is a strong pseudorandom permutation. Of course, if the same plaintext, nonce, and key are used together more than once, the ciphertexts will collide. If a unique nonce is used for each plaintext and key combination, then HEH is semantically secure. We make no claim that using randomly-generated nonces or using longer nonces provides additional security. As HEH is a strong pseudorandom permutation, [AUTH] shows that authentication can be provided by appending a known authentication code to the plaintext and then encrypting.
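The following Python is an added worked example, not code from the draft or from any HEH implementation. It implements the field arithmetic of section 4 exactly as stated there (the x^128 + x^7 + x^2 + x + 1 reduction polynomial, and the bit ordering in which the least-significant bit of the first byte is the x^0 coefficient), and then evaluates a Poly_hash-style polynomial whose coefficients are the full blocks of a message. The draft's own Poly_hash formula is not on this page, so the coefficient ordering used here (Horner's rule, first block highest degree) is an assumption, partial blocks are simply not hashed, and the draft's swap of the m_{N-1} and m_N coefficients is not reproduced. The multiplication loop is bit-by-bit and not constant-time; it is for checking a real implementation against, not for production use.

```python
# Added example (not from the draft): GF(2^128) arithmetic in the draft's
# bit ordering, plus a Poly_hash-style evaluation over the full blocks of
# a message. The coefficient ordering in poly_hash is an ASSUMPTION.
from typing import List

BLOCK = 16

# Reduction polynomial x^128 + x^7 + x^2 + x + 1.  Bit i of a Python int is
# the coefficient of x^i, so x^128 is bit 128 and x^7 + x^2 + x + 1 is 0x87.
REDUCTION = (1 << 128) | 0x87


def block_to_field(block: bytes) -> int:
    """16-byte string -> field element.  Section 4.1 ordering: LSB of byte 0
    is the x^0 coefficient, MSB of byte 15 is the x^127 coefficient, which is
    exactly a little-endian integer."""
    if len(block) != BLOCK:
        raise ValueError("field elements are exactly 16 bytes")
    return int.from_bytes(block, "little")


def field_to_block(elem: int) -> bytes:
    """Field element -> 16-byte string (inverse of block_to_field)."""
    return elem.to_bytes(BLOCK, "little")


def gf_add(a: int, b: int) -> int:
    """Section 4.3: addition in GF(2^128) is XOR."""
    return a ^ b


def gf_mul(a: int, b: int) -> int:
    """Section 4.2: carry-less product of a and b reduced modulo
    x^128 + x^7 + x^2 + x + 1.  Shift-and-add, NOT constant-time."""
    result = 0
    for i in range(128):
        if (b >> i) & 1:
            result ^= a          # a currently equals a_original * x^i
        a <<= 1                  # multiply a by x
        if a >> 128:             # coefficient of x^128 appeared: reduce it
            a ^= REDUCTION
    return result


def split_blocks(msg: bytes) -> List[bytes]:
    """The N full 16-byte blocks of msg; any trailing partial block is dropped."""
    n = len(msg) // BLOCK
    return [msg[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]


def poly_hash(tau_key: bytes, msg: bytes) -> bytes:
    """Evaluate the polynomial whose coefficients are the full blocks of msg
    at the point tau_key.

    ASSUMED ordering (the draft's formula is not on the page):
        H = m_0 * tau^N + m_1 * tau^(N-1) + ... + m_{N-1} * tau
    computed by Horner's rule.  Only full blocks contribute; the draft's
    partial-block coefficient swap is intentionally not reproduced."""
    tau = block_to_field(tau_key)
    acc = 0
    for block in split_blocks(msg):
        acc = gf_mul(gf_add(acc, block_to_field(block)), tau)
    return field_to_block(acc)


def flip_bit(msg: bytes, bit_index: int) -> bytes:
    """Return msg with one bit flipped (used to show hash sensitivity)."""
    out = bytearray(msg)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample inputs, not test vectors from the draft.
    tau = bytes(range(16))
    message = bytes([0xAA] * 16) + bytes([0x55] * 16)
    print("x * x^127 reduces to", hex(gf_mul(2, 1 << 127)))   # 0x87
    print("hash         ", poly_hash(tau, message).hex())
    print("hash, 1 bit  ", poly_hash(tau, flip_bit(message, 3)).hex())
```

A real HEH implementation can be checked against gf_mul on the reduction identities (x * x^127 and x^64 * x^64 both equal x^7 + x^2 + x + 1) and on the bit ordering of block_to_field, since a byte-order or bit-order mistake here silently produces a different but still self-consistent cipher; the CMAC subkey step must not share this code, because, as the draft notes, CMAC's multiply-by-x uses a different field representation.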
References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[CMAC]  National Institute of Standards and Technology, "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication", NIST Special Publication 800-38B.

Sarkar, P., "Efficient Tweakable Enciphering Schemes from (Block-Wise) Universal Hash Functions".

[AES-GCM-SIV]  Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption", draft-gueron-gcmsiv-03.

[AUTH]  Bellare, M. and P. Rogaway, "Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography".

National Institute of Standards and Technology, "Validating the Correctness of Hardware Implementations of the NBS Data Encryption Standard".

Test Vectors

AES-128 was used as the block cipher for all of the test vectors.