author | 2022-05-20 18:15:01 +0000 | |
---|---|---|
committer | 2022-06-10 16:40:18 +0800 | |
commit | 6b2a51ff03bf0c54cbc699ee85a9a49eb203ebfc (patch) | |
tree | 8110bcd6c9baaedb35a031ae2529b2e47fa74269 /lib/mpi/mpi-add.c | |
parent | crypto: arm64/polyval - Add PMULL accelerated implementation of POLYVAL (diff) | |

fscrypt: Add HCTR2 support for filename encryption

HCTR2 is a tweakable, length-preserving encryption mode that is intended
for use on CPUs with dedicated crypto instructions. HCTR2 has the
property that a bitflip in the plaintext changes the entire ciphertext.
This property fixes a known weakness with filename encryption: when two
filenames in the same directory share a prefix of >= 16 bytes, with
AES-CTS-CBC their encrypted filenames share a common substring, leaking
information. HCTR2 does not have this problem.

More information on HCTR2 can be found here: "Length-preserving
encryption with HCTR2": https://eprint.iacr.org/2021/1441.pdf

Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Diffstat (limited to 'lib/mpi/mpi-add.c')
0 files changed, 0 insertions, 0 deletions
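
The prefix weakness the commit message describes for AES-CTS-CBC, reproduced in Go as an added example that is not part of this commit or of the kernel's code. It assumes a constructed key, an all-zero IV shared by both names, made-up filenames, and the CTS layout that always swaps the last two blocks; `encryptCBCCTS` and `leak` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize

// encryptCBCCTS: AES-CBC with ciphertext stealing (last two blocks swapped,
// the earlier one truncated), so output length equals input length.
func encryptCBCCTS(key, iv, name []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(name) <= bs {
		return nil, fmt.Errorf("bad key or name not longer than one block: %v", err)
	}
	m := (len(name) + bs - 1) / bs // block count after zero padding
	buf := make([]byte, m*bs)
	copy(buf, name)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf)
	d := len(name) - (m-1)*bs // real bytes in the final block
	out := append([]byte{}, buf[:(m-2)*bs]...)
	out = append(out, buf[(m-1)*bs:]...)                 // C_m, full
	return append(out, buf[(m-2)*bs:(m-2)*bs+d]...), nil // C_{m-1}, truncated
}

// leak encrypts two names under one constructed key and an all-zero IV (assumed)
// and counts 16-byte ciphertext blocks of the first that occur in the second.
func leak(nameA, nameB string) int {
	key, iv := bytes.Repeat([]byte{0x42}, 32), make([]byte, bs)
	a, errA := encryptCBCCTS(key, iv, []byte(nameA))
	b, errB := encryptCBCCTS(key, iv, []byte(nameB))
	if errA != nil || errB != nil {
		return -1
	}
	n := 0
	for i := 0; i+bs <= len(a); i += bs {
		if bytes.Contains(b, a[i:i+bs]) {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println(leak("quarterly-report-2022-draft.docx", "quarterly-report-2022-final.docx"))
	fmt.Println(leak("Quarterly-report-2022-draft.docx", "quarterly-report-2022-draft.docx"))
}
```

The first pair shares its first 16 plaintext bytes, so one identical ciphertext block appears in both outputs (at the end, because of the block swap). The second pair differs in the first byte, and CBC chaining leaves no block in common.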