On Wed, Apr 27, 2022 at 12:37:59AM +0000, Nathan Huckleberry wrote:
> HCTR2 is a tweakable, length-preserving encryption mode that is intended
> for use on CPUs with dedicated crypto instructions. HCTR2 has the
> property that a bitflip in the plaintext changes the entire ciphertext.
> This property fixes a known weakness with filename encryption: when two
> filenames in the same directory share a prefix of >= 16 bytes, with
> AES-CTS-CBC their encrypted filenames share a common substring, leaking
> information. HCTR2 does not have this problem.
>
> More information on HCTR2 can be found here: "Length-preserving
> encryption with HCTR2": https://eprint.iacr.org/2021/1441.pdf
>
> Signed-off-by: Nathan Huckleberry <nhuck@xxxxxxxxxx>
> Reviewed-by: Ard Biesheuvel <ardb@xxxxxxxxxx>

Acked-by: Eric Biggers <ebiggers@xxxxxxxxxx>

- Eric
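The shared-prefix weakness described in the quoted commit message, as an added example that is not part of the patch or this thread. Assumptions: a 4-round Feistel permutation built on SHA-256 stands in for AES (the leak comes from the CBC chaining, not from the block cipher), every name in a directory is encrypted under the same key with a fixed all-zero IV, and the key and filenames are constructed samples.

```python
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation on 16 bytes: a stand-in for AES, not AES.
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cts_cbc_encrypt(key: bytes, data: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    # CBC with ciphertext stealing (last two blocks swapped): length-preserving.
    if len(data) < BLOCK:
        raise ValueError("need at least one full block")
    tail = len(data) % BLOCK or BLOCK      # bytes in the final plaintext block
    padded = data + bytes(BLOCK - tail)    # zero-pad the final block
    prev, blocks = iv, []
    for off in range(0, len(padded), BLOCK):
        # Each block depends only on the plaintext up to and including it.
        prev = toy_block_encrypt(key, xor(padded[off:off + BLOCK], prev))
        blocks.append(prev)
    if len(blocks) == 1:
        return blocks[0]
    return b"".join(blocks[:-2]) + blocks[-1] + blocks[-2][:tail]

def shared_leading_blocks(a: bytes, b: bytes) -> int:
    # Number of identical whole 16-byte blocks at the start of two ciphertexts.
    n = 0
    while (n + 1) * BLOCK <= min(len(a), len(b)) and \
            a[n * BLOCK:(n + 1) * BLOCK] == b[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

# Constructed sample key and filenames (assumptions, not from the patch).
DIR_KEY = b"constructed-directory-key"
NAME_A = b"project-falcon-acquisition-notes.txt"   # shares 27 bytes with NAME_B
NAME_B = b"project-falcon-acquisition-terms.txt"
NAME_C = b"project-gamma-budget.txt"               # shares only 8 bytes

if __name__ == "__main__":
    ct_a, ct_b, ct_c = (cts_cbc_encrypt(DIR_KEY, n) for n in (NAME_A, NAME_B, NAME_C))
    print("A vs B shared blocks:", shared_leading_blocks(ct_a, ct_b))
    print("A vs C shared blocks:", shared_leading_blocks(ct_a, ct_c))
```

A wide-block mode such as HCTR2 makes every ciphertext byte depend on every plaintext byte, so the first comparison would show no shared block either.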