[PATCH v5 8/8] fscrypt: Add HCTR2 support for filename encryption
Eric Biggers
ebiggers at kernel.org
Sun May 1 11:37:40 PDT 2022
On Wed, Apr 27, 2022 at 12:37:59AM +0000, Nathan Huckleberry wrote:
> HCTR2 is a tweakable, length-preserving encryption mode that is intended
> for use on CPUs with dedicated crypto instructions. HCTR2 has the
> property that a bitflip in the plaintext changes the entire ciphertext.
> This property fixes a known weakness with filename encryption: when two
> filenames in the same directory share a prefix of >= 16 bytes, with
> AES-CTS-CBC their encrypted filenames share a common substring, leaking
> information. HCTR2 does not have this problem.
>
> More information on HCTR2 can be found here: "Length-preserving
> encryption with HCTR2": https://eprint.iacr.org/2021/1441.pdf
>
> Signed-off-by: Nathan Huckleberry <nhuck at google.com>
> Reviewed-by: Ard Biesheuvel <ardb at kernel.org>
Acked-by: Eric Biggers <ebiggers at google.com>
- Eric
More information about the linux-arm-kernel
mailing list