NIST accordion proposal

[Dworkin, Morris J. (Fed)]

FYI, today NIST posted an announcement to propose HCTR2 as the basis for approved cryptographic accordions.  Public comments were requested by August 6.

 

Morris Dworkin

on behalf of the NIST cipher modes team

[Simo Sorce]

Dear Morris,
the full announcement at https://csrc.nist.gov/pubs/sp/800/197/a/iprd
contains a link to the "December 2024 announcement" about a 256 bit AES
variant that leads to a 404.

Perhaps the link should be pointing to:
https://csrc.nist.gov/pubs/sp/800/197/iprd


Best,
Simo.


On Fri, 2025-06-06 at 19:33 +0000, 'Dworkin, Morris J. (Fed)' via

> --
> To unsubscribe from this group, send email to ciphermodes-fo...@list.nist.gov
>  
> View this message at https://list.nist.gov/ciphermodes-forum
> To unsubscribe from this group and stop receiving emails from it, send an email to ciphermodes-fo...@list.nist.gov.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

[Roberto Avanzi]

Hi Morris

we welcome this idea, since we believe this is the right approach forward. This said, robustness and CMT-4 security cannot be reached with "vanilla" HCTR2 and any construction adding these on it is very expensive.

With my coauthors (that's the "we" above), I have extended the HCTR2 construction by using a collision-resistant hash for the AD and separate the computation of the tag from the rest. At the price of very few additional operations, we attain both full commitment and robustness.  The security proofs are relatively simple and mostly follow existing ones.   The paper is currently under submission, but the idea is to use a separate "HCTR" to create just the tag.  We can post the document on the forum if anyone is interested.

best

 Roberto