HCTR+: An Optimally Secure TBC-Based Accordion Mode

Nilanjan Datta, Avijit Dutta, Shibam Ghosh, Eik List, Hrithik Nandi

Research output: Contribution to journal › Article › peer-review

Abstract

The design of tweakable wide-block ciphers has advanced significantly over the past two decades. This evolution began with the wide-block cipher by Naor and Reingold. Since then, numerous constructions have been proposed, many of which are built on existing block ciphers and are secure up to the birthday bound for the total number of blocks queried. Although there has been a recent slowdown in the development of such ciphers, the latest NIST proposal for Accordion modes has reignited interest and momentum in the design and analysis of these ciphers. Although new designs have emerged, their security often falls short of optimal (i.e., n-bit) security, where n is the output size of the primitive. In this direction, designing an efficient tweakable wide-block cipher with n-bit security seems to be an interesting research problem for the symmetric-key research community. An optimally secure tweakable wide-block cipher mode can easily be turned into a misuse-resistant, RUP-secure authenticated encryption scheme with optimal security. This paper proposes HCTR+, which turns an n-bit tweakable block cipher (TBC) with an n-bit tweak into a variable-input-length tweakable wide-block cipher. Unlike tweakable HCTR, HCTR+ ensures n-bit security regardless of tweak repetitions. We also propose two TBC-based almost-xor-universal hash functions, named PHASH+ and ZHASH+, and use them as the underlying hash functions in the HCTR+ construction to create two TBC-based n-bit secure tweakable wide-block cipher modes, PHCTR+ and ZHCTR+. Experimental results show that both PHCTR+ and ZHCTR+ exhibit excellent software performance when their underlying TBC is instantiated with Deoxys-BC-256.

Original language: English
Pages (from-to): 183-229
Number of pages: 47
Journal: IACR Transactions on Symmetric Cryptology
Volume: 2025
Issue number: 3
State: Published - 25 Sep 2025

Bibliographical note

Publisher Copyright:
© 2025, Ruhr-University of Bochum. All rights reserved.

Keywords

  • AES
  • Accordion mode
  • HCTR
  • Optimal security
  • Provable security
  • Tweakable block cipher
  • Tweakable wide block cipher

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Computational Mathematics
  • Applied Mathematics
