On Tue, May 10, 2022 at 05:23:50PM +0000, Nathan Huckleberry wrote: > HCTR2 is a length-preserving encryption mode that is efficient on > processors with instructions to accelerate AES and carryless > multiplication, e.g. x86 processors with AES-NI and CLMUL, and ARM > processors with the ARMv8 Crypto Extensions. > > HCTR2 is specified in https://ia.cr/2021/1441 "Length-preserving encryption > with HCTR2" which shows that if AES is secure and HCTR2 is instantiated > with AES, then HCTR2 is secure. Reference code and test vectors are at > https://github.com/google/hctr2. > > As a length-preserving encryption mode, HCTR2 is suitable for applications > such as storage encryption where ciphertext expansion is not possible, and > thus authenticated encryption cannot be used. Currently, such applications > usually use XTS, or in some cases Adiantum. XTS has the disadvantage that > it is a narrow-block mode: a bitflip will only change 16 bytes in the > resulting ciphertext or plaintext. This reveals more information to an > attacker than necessary. > > HCTR2 is a wide-block mode, so it provides a stronger security property: a > bitflip will change the entire message. HCTR2 is somewhat similar to > Adiantum, which is also a wide-block mode. However, HCTR2 is designed to > take advantage of existing crypto instructions, while Adiantum targets > devices without such hardware support. Adiantum is also designed with > longer messages in mind, while HCTR2 is designed to be efficient even on > short messages. > > The first intended use of this mode in the kernel is for the encryption of > filenames, where for efficiency reasons encryption must be fully > deterministic (only one ciphertext for each plaintext) and the existing CBC > solution leaks more information than necessary for filenames with common > prefixes. > > HCTR2 uses two passes of an ε-almost-∆-universal hash function called > POLYVAL and one pass of a block cipher mode called XCTR. POLYVAL is a > polynomial hash designed for efficiency on modern processors and was > originally specified for use in AES-GCM-SIV (RFC 8452). XCTR mode is a > variant of CTR mode that is more efficient on little-endian machines. > > This patchset adds HCTR2 to Linux's crypto API, including generic > implementations of XCTR and POLYVAL, hardware accelerated implementations > of XCTR and POLYVAL for both x86-64 and ARM64, a templated implementation > of HCTR2, and an fscrypt policy for using HCTR2 for filename encryption. > Thanks, this series looks good now. I've also tested it on x86_64 and arm64. Herbert, I think this series is ready to be applied, when you're ready for it. - Eric