## CryptoDB

### Debrup Chakraborty

#### Publications

**Year**

**Venue**

**Title**

2017

TOSC

A Fast Single-Key Two-Level Universal Hash Function
Abstract

Universal hash functions based on univariate polynomials are well known, e.g. Poly1305 and GHASH. Using Horner’s rule to evaluate such hash functionsrequire l − 1 field multiplications for hashing a message consisting of l blocks where each block is one field element. A faster method is based on the class of Bernstein-Rabin-Winograd (BRW) polynomials which require ⌊l/2⌋ multiplications and ⌊lgl⌋ squarings for l≥3 blocks. Though this is significantly smaller than Horner’s rule based hashing, implementation of BRW polynomials for variable length messages present significant difficulties. In this work, we propose a two-level hash function where BRW polynomial based hashing is done at the lower level and Horner’s rule based hashing is done at the higher level. The BRW polynomial based hashing is applied to a fixed number of blocks and hence the difficulties in handling variable length messages is avoided. Even though the hash function has two levels, we show that it is sufficient to use a single field element as the hash key. The basic idea is instantiated to propose two new hash functions, one which hashes a single binary string and the other can hash a vector of binary strings. We describe two actual implementations, one over F2128 and the other over F2256 both using the pclmulqdq instruction available in modern Intel processors. On both the Haswell and Skylake processors, the implementation over F2128 is faster than both an implementation of GHASH by Gueron; and a highly optimised implementation, also by Gueron, of another polynomial based hash function called POLYVAL. We further show that the Fast Fourier Transform based field multiplication over F2256 proposed by Bernstein and Chou can be used to evaluate the new hash function at a cost of about at most 46 bit operations per bit of digest, but, unlike the Bernstein-Chou analysis, there is no hidden cost of generating the hash key. More generally, the new idea of building a two-level hash function having a single field element as the hash key can be applied to other finite fields to build new hash functions.

2010

EPRINT

Double Ciphertext Mode : A Proposal for Secure Backup
Abstract

Security of data stored in bulk storage devices like the hard disk has gained a lot of importance in the current days.
Among the variety of paradigms which are available for disk encryption, low level disk encryption is well accepted because of
the high security guarantees it provides. In this paper we view the problem of disk encryption from a different direction.
We explore the possibility of how one can maintain secure backups of the data, such that loss of a physical device will
mean neither loss of the data nor the fact that the data gets revealed to the adversary. We propose an efficient solution to this problem
through a new cryptographic scheme which we call as the double ciphertext mode (DCM). In this paper we describe the syntax of DCM,
define security for it and give some efficient constructions. Moreover we argue regarding the
suitability of DCM for the secure backup application
and also explore other application areas where a DCM can be useful.

2007

EPRINT

HCH: A New Tweakable Enciphering Scheme Using the Hash-Counter-Hash Approach
Abstract

The notion of tweakable block ciphers was formally introduced by
Liskov-Rivest-Wagner at Crypto 2002. The extension and the first construction,
called CMC, of this notion to tweakable enciphering schemes which can handle
variable length messages was given by Halevi-Rogaway at Crypto 2003.
In this paper, we present {\hch}, which is a new construction of such a scheme.
The construction uses two universal hash computations with a counter mode
of encryption in-between. This approach was first proposed by McGrew-Viega
to build a scheme called XCB and later used by Wang-Feng-Wu, to obtain a
scheme called HCTR. Among the hash-Ctr-hash type constructions, an important
advantage of {\hch} compared to the others is that {\hch}
has a quadratic security bound; XCB does not provide any security bound
while HCTR has a cubic security bound. A unique feature of {\hch} compared
to all known tweakable enciphering schemes is that {\hch} uses a
single key, can handle
arbitrary length messages and has a quadratic security bound. An important
application of a tweakable enciphering scheme is disk encryption.
{\hch} is well suited for this application. We also describe a variant, which
can utilize pre-computation and makes one less block cipher call. This
compares favourably to other hash-encrypt-hash type constructions; supports
better key agility and requires less key material.

2007

EPRINT

A General Construction of Tweakable Block Ciphers and Different Modes of Operations
Abstract

This work builds on earlier work by Rogaway at Asiacrypt 2004 on
tweakable block cipher (TBC) and modes of operations. Our first
contribution is to generalize Rogaway's TBC construction by working
over a ring {\ring} and by the use of a masking sequence of
functions. The ring {\ring} can be instantiated as either $GF(2^n)$
or as $\bbbz_{2^n}$. Further, over $GF(2^n)$, efficient
instantiations of the masking sequence of functions can be done
using either a binary Linear Feedback Shift Register (LFSR); a powering
construction; a cellular automata map; or by using a word oriented LFSR.
Rogaway's TBC construction
was built from the powering construction over $GF(2^n)$. Our second
contribution is to use the general TBC construction to instantiate
constructions of various modes of operations including authenticated
encryption (AE) and message authentication code (MAC). In particular,
this gives rise to a family of efficient one-pass AE mode of operation.
Out of these, the mode of operation obtained by the use of word oriented
LFSR promises to provide a masking method which is more efficient than the
one used in the well known AE protocol called OCB.

2007

EPRINT

Reconfigurable Hardware Implementations of Tweakable Enciphering Schemes
Abstract

Tweakable enciphering schemes are length preserving block cipher
modes of operation that provide a strong pseudo-random permutation.
It has been suggested that these schemes can be used as the main
building blocks for achieving in-place disk encryption. In the past
few years there has been an intense research activity towards
constructing secure and efficient tweakable enciphering schemes.
But, actual experimental performance data of these newly proposed
schemes are yet to be reported. Accordingly, in this paper we
present optimized FPGA implementations of five tweakable enciphering
schemes, namely, HCH, HCTR, XCB, EME and TET, using a 128-bit AES
core as the underlying block cipher. We report performance timings
of these modes when using both, pipelined and sequential AES
structures. The universal polynomial hash function included in the
specification of HCH, HCHfp (a variant of HCH), HCTR, XCB and TET,
was implemented using a Karatsuba-Ofman multiplier as the main
building block. We provide detailed analyses of each of the schemes
and their experimental performances achieved in various scenarios.
Our experiments show that a sequential AES core is not an attractive
option for the design of these modes as it leads to rather poor
throughputs. In contrast, by using an encryption/decryption
pipelined AES core we get a throughput of 3.67 Gbps for HCTR and by
using a encryption only pipeline AES core we get a throughput of
5.71 Gbps for EME. The performance results reported in this paper
provide experimental evidence that hardware implementations of
tweakable enciphering schemes can actually match and even outperform
the data rates achieved by state-of-the-technology disk controllers,
thus showing that they might be used for achieving provably secure
in-place hard disk encryption.

2006

EPRINT

A New Mode of Encryption Secure Against Symmetric Nonce Respecting Adversaries
Abstract

We present MEM, which is a new mode of encryption using a block cipher. MEM is proved to be a strong pseudo-random permutation (SPRP) against {\em symmetric} nonce respecting adversaries, where a symmetric nonce respecting adversary is one which does not repeat nonces to either the encryption or the decryption oracle. Against such adversaries, MEM provides a secure, length preserving, tagless mode of encryption. In our construction, the number of block cipher calls is approximately half that of the earlier known more general constructions CMC, EME and EME$^*$ of tweakable SPRPs. In situations where the appropriate adversary can be assumed, and where a tagless mode of encryption is
required, our construction is the most efficient solution till date.

2006

EPRINT

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random
Abstract

We present PEP, which is a new construction of a tweakable strong pseudo-random permutation.
PEP uses a hash-encrypt-hash approach which has recently been used in the construction of HCTR.
This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC,
EME and EME$^*$. The general hash-encrypt-hash approach was earlier used by Naor-Reingold to
provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen
as the development of the Naor-Reingold approach into a fully specified mode of operation
with a concrete security reduction for a tweakable strong pseudo-random permutation.
The security bound of HCTR which is also based on the Naor-Reingold approach is weaker than
that of PEP.
Compared to previous known constructions, PEP is the only construction of tweakable SPRP which
uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.

#### Program Committees

- Asiacrypt 2014