HC-256 is a stream cipher designed to provide bulk encryption in software at high speeds while permitting strong confidence in its security. A 128-bit variant was submitted as an eSTREAM cipher candidate and has been selected as one of the four final contestants in the software profile.

The algorithm is designed by Hongjun Wu, and was first published in 2004. It is not patented. HC-256 has a 256-bit key and an initialization vector (nonce) of 256 bits. Internally, it consists of two secret tables (P and Q). Each table contains 1024 32-bit words. For each state update one 32-bit word in each table is updated using a non-linear update function. After 2048 steps all elements of the tables have been updated. It generates one 32-bit word for each update step using a 32-bit to 32-bit mapping function similar to the output function of the Blowfish cipher. Finally a linear bit-masking function is applied to generate an output word. It uses the two message schedule functions in the hash function SHA-256 internally, but with the tables P and Q as S-boxes.

HC-128 is similar in function, and reduces each of key length, nonce, number of words in the tables P and Q, and number of table updating steps by half.

The performance of HC-256 is estimated by its author to be about 4 cycles per byte on a Pentium 4 processor. However, the initialization phase of the cipher includes expanding the 256-bit key into the tables P, Q and then running the cipher for 4096 steps. The author of HC-256 estimates this process to take around 74,000 cycles. For HC-128 an encryption speed of about 3 cycles per byte on a Pentium M processor is cited. The implementation of HC-128 on various computing structures is studied in detail, with significant performance gains compared to a naive software implementation.

Initialization vector

In cryptography, an initialization vector (IV) or starting variable is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation. Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (a number used only once), and the primitives (e.g. CBC) are considered stateful rather than randomized. This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with the message to account for message loss.) An example of stateful encryption schemes is the counter mode of operation, which has a sequence number for a nonce.

The IV size depends on the cryptographic primitive used; for block ciphers it is generally the cipher's block size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks. When the IV is chosen at random, the probability of collisions due to the birthday problem must be taken into account. Traditional stream ciphers such as RC4 do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the WEP protocol is a notable example, and is prone to related-IV attacks.

A block cipher is one of the most basic primitives in cryptography, and frequently used for data encryption. However, by itself, it can only be used to encode a data block of a predefined size, called the block size. For example, a single invocation of the AES algorithm transforms a 128-bit plaintext block into a ciphertext block of 128 bits in size. The key, which is given as one input to the cipher, defines the mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure as equal plaintext blocks get transformed into equal ciphertexts, and a third party observing the encrypted data may easily determine its content even when not knowing the encryption key.

To hide patterns in encrypted data while avoiding the re-issuing of a new key after each block cipher invocation, a method is needed to randomize the input data. In 1980, the NIST published a national standard document designated Federal Information Processing Standard (FIPS) PUB 81, which specified four so-called block cipher modes of operation, each describing a different solution for encrypting a set of input blocks. The first mode implements the simple strategy described above, and was specified as the electronic codebook (ECB) mode. In contrast, each of the other modes describes a process where ciphertext from one block encryption step gets intermixed with the data from the next encryption step. To initiate this process, an additional input value is required to be mixed with the first block, and this value is referred to as an initialization vector. For example, the cipher-block chaining (CBC) mode requires an unpredictable value, of size equal to the cipher's block size, as additional input. This unpredictable value is added to the first plaintext block before subsequent encryption. In turn, the ciphertext produced in the first encryption step is added to the second plaintext block, and so on.

The ultimate goal for encryption schemes is to provide semantic security: by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext. It can be shown that each of the three additional modes specified by the NIST is semantically secure under so-called chosen-plaintext attacks.

Properties of an IV depend on the cryptographic scheme used. A basic requirement is uniqueness, which means that no IV may be reused under the same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. In stream cipher encryption uniqueness is crucially important as plaintext may be trivially recovered otherwise. Many schemes require the IV to be unpredictable by an adversary. This is effected by selecting the IV at random or pseudo-randomly. In such schemes, the chance of a duplicate IV is negligible, but the effect of the birthday problem must be considered. As for the uniqueness requirement, a predictable IV may allow recovery of (partial) plaintext.

Depending on whether the IV for a cryptographic scheme must be random or only unique, the scheme is either called randomized or stateful. While randomized schemes always require the IV chosen by a sender to be forwarded to receivers, stateful schemes allow sender and receiver to share a common IV state, which is updated in a predefined way at both sides.

Block cipher processing of data is usually described as a mode of operation. Modes are primarily defined for encryption as well as authentication, though newer designs exist that combine both security solutions in so-called authenticated encryption modes. While encryption and authenticated encryption modes usually take an IV matching the cipher's block size, authentication modes are commonly realized as deterministic algorithms, and the IV is set to zero or some other fixed value.

In stream ciphers, IVs are loaded into the keyed internal secret state of the cipher, after which a number of cipher rounds are executed prior to releasing the first bit of output. For performance reasons, designers of stream ciphers try to keep that number of rounds as small as possible, but because determining the minimal secure number of rounds for stream ciphers is not a trivial task, and considering other issues such as entropy loss, unique to each cipher construction, related-IV and other IV-related attacks are a known security issue for stream ciphers, which makes IV loading in stream ciphers a serious concern and a subject of ongoing research.

The 802.11 encryption algorithm called WEP (short for Wired Equivalent Privacy) used a short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked. Packet injection allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP.

In cipher-block chaining mode (CBC mode), the IV need not be secret, but must be unpredictable at encryption time (in particular, for any given plaintext, it must not be possible to predict the IV that will be associated to the plaintext in advance of the generation of the IV). Additionally, for the output feedback mode (OFB mode), the IV must be unique. In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about the plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the BEAST attack.

Block size (cryptography)

In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed-length string of bits. The length of this bit string is the block size. Both the input (plaintext) and output (ciphertext) are the same length; the output cannot be shorter than the input – this follows logically from the pigeonhole principle and the fact that the cipher must be reversible – and it is undesirable for the output to be longer than the input.

Until the announcement of NIST's AES contest, the majority of block ciphers followed the example of the DES in using a block size of 64 bits (8 bytes). However, the birthday paradox indicates that after accumulating a number of blocks equal to the square root of the total number possible, there will be an approximately 50% chance of two or more being the same, which would start to leak information about the message contents. Thus even when used with a proper encryption mode (e.g. CBC or OFB), only 2^32 × 8 B = 32 GB of data can be safely sent under one key. In practice a greater margin of security is desired, restricting a single key to the encryption of much less data — say a few hundred megabytes. At one point that seemed like a fair amount of data, but today it is easily exceeded. If the cipher mode does not properly randomise the input, the limit is even lower.

Consequently, AES candidates were required to support a block length of 128 bits (16 bytes). This should be acceptable for up to 2^64 × 16 B = 256 exabytes of data, and would suffice for many years after introduction. The winner of the AES contest, Rijndael, supports block and key sizes of 128, 192, and 256 bits, but in AES
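The three behaviours the initialization-vector text describes (equal plaintext blocks giving equal ECB ciphertext blocks, a fresh unpredictable IV hiding that pattern under CBC, and a reused IV handing back equal ciphertext for equal message prefixes under the same key) can be exercised directly. The Python block below is an added example, not code from the page or from the HC-256 project: it builds a toy 64-bit block cipher from a four-round HMAC-SHA-256 Feistel network (a constructed stand-in for DES or AES, adequate for demonstrating modes but not a real cipher), implements ECB and CBC over it, and counts repeated ciphertext blocks and shared leading blocks. Messages are assumed to be a whole number of blocks (no padding); the key, IVs and messages are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit blocks, the size the text cites for DES
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes):
    # The example assumes whole blocks; padding is out of scope here.
    assert len(data) % BLOCK == 0, "message must be a multiple of the block size"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# --- toy block cipher: a constructed stand-in, NOT a real cipher ---

def _round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA-256 over round index and right half, truncated to 32 bits.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # A Feistel network is invertible for any round function; decryption runs the rounds backwards.
    left, right = block[:4], block[4:]
    for i in rounds:
        left, right = right, xor(left, _round_function(key, i, right))
    return right + left   # undo the final swap so the inverse is the same loop in reverse order


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


# --- modes of operation ---

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(block_encrypt(key, p) for p in blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV for the first one).
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = block_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# --- the leaks the text describes, as measurements a reviewer can make on ciphertext ---

def repeated_blocks(ciphertext: bytes) -> int:
    # Number of ciphertext blocks that occur more than once (the ECB pattern leak).
    bs = blocks(ciphertext)
    return sum(1 for b in bs if bs.count(b) > 1)


def common_prefix_blocks(ct1: bytes, ct2: bytes) -> int:
    # Number of leading ciphertext blocks two messages share (what IV reuse under CBC exposes).
    n = 0
    for a, b in zip(blocks(ct1), blocks(ct2)):
        if a != b:
            break
        n += 1
    return n


def demo() -> dict:
    key = b"constructed-key!"                     # constructed 128-bit key
    message = b"ATTACK AT DAWN! " * 4             # 8 blocks; each of the two distinct blocks occurs 4 times
    ecb = ecb_encrypt(key, message)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), message)   # fresh random IV for this message
    iv = os.urandom(BLOCK)                                # ...and one IV wrongly used for two messages
    c1 = cbc_encrypt(key, iv, b"PREFIX!!" + b"secret-A")
    c2 = cbc_encrypt(key, iv, b"PREFIX!!" + b"secret-B")
    return {
        "ecb_repeats": repeated_blocks(ecb),            # 8: every block has a twin
        "cbc_repeats": repeated_blocks(cbc),            # 0: chaining hides the repetition
        "iv_reuse_leak": common_prefix_blocks(c1, c2),  # 1: equal IV + equal first block -> equal ciphertext
    }


if __name__ == "__main__":
    print(demo())
```

Because the block cipher is a permutation, two CBC messages with the same first plaintext block produce equal first ciphertext blocks exactly when their IVs are equal, which is why a detector that compares leading blocks across messages under one key is a reliable indicator of IV reuse.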
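The birthday-bound arithmetic in the block-size passage (2^32 blocks of 8 bytes under a 64-bit block cipher, 2^64 blocks of 16 bytes under a 128-bit one) and the earlier remark that randomly chosen IVs are subject to the same collision effect can be checked with the following Python block, an added example that is not part of the page: it computes the approximate probability that n random values from a space of 2^b values contain a repeat, the inverse (how many values reach a target probability), the rule-of-thumb data limit per key, and, as an empirical check, the mean number of random 16-bit values drawn before the first repeat. The 16-bit space and the fixed seed are assumptions chosen so the simulation finishes in a moment and is repeatable.

```python
import math
import random


def collision_probability(n: int, space_bits: int) -> float:
    """Approximate probability that n values drawn uniformly from 2**space_bits
    contain at least one repeat: 1 - exp(-n(n-1) / (2N)), the standard birthday estimate."""
    space = 2.0 ** space_bits
    return 1.0 - math.exp(-(n * (n - 1)) / (2.0 * space))


def values_for_probability(p: float, space_bits: int) -> int:
    """Inverse of the estimate above: number of random values that reach collision probability p."""
    space = 2.0 ** space_bits
    return int(math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p)))))


def birthday_bound_blocks(block_bits: int) -> int:
    """The rule of thumb the text uses: square root of the number of possible blocks."""
    return 2 ** (block_bits // 2)


def safe_data_bytes(block_bits: int) -> int:
    """Bytes that can be processed under one key before the birthday bound: block count times block size."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def draws_until_repeat(space_bits: int, rng: random.Random) -> int:
    """Draw uniformly random values until one repeats and return how many were drawn."""
    seen = set()
    while True:
        value = rng.getrandbits(space_bits)
        if value in seen:
            return len(seen) + 1
        seen.add(value)


def mean_draws_until_repeat(space_bits: int, trials: int, seed: int = 1) -> float:
    """Average first-repeat position over several trials; a fixed seed keeps the check repeatable."""
    rng = random.Random(seed)
    return sum(draws_until_repeat(space_bits, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit blocks: ~2^{bits // 2} blocks, {safe_data_bytes(bits)} bytes per key")
    print("P(repeat) after 2^32 64-bit blocks:", round(collision_probability(2 ** 32, 64), 3))
    print("blocks for a 50% repeat chance at 64 bits:", values_for_probability(0.5, 64))
    print("mean 16-bit draws to first repeat:", mean_draws_until_repeat(16, 300),
          "vs sqrt(pi * 2^16 / 2) =", round(math.sqrt(math.pi * 2 ** 16 / 2), 1))
```

Two details worth knowing when applying the bound: at exactly sqrt(N) values the repeat probability is about 39%, and the even-odds point lies near 1.18·sqrt(N), so the square-root rule of thumb is slightly conservative; and the simulated mean of about 321 draws for a 16-bit space matches sqrt(πN/2), the expected position of the first repeat, which is why the text recommends staying well below the bound rather than near it.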