An Extended CTRT for AES-256

Abstract

At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called, CTRT) and proved its security in the ideal cipher model. Though AES-128 whose key length$$k=128$$ and block length$$l=128$$ can be used in CTRT as a block cipher, AES-256 cannot be used in CTRT due to its intrinsic restriction of$$k \le l$$. According to a recent ECRYPT-CSA report, AES-256 is strongly recommended rather than AES-128 for long term protection (security for thirty to fifty years) and post-quantum security. In this paper, we propose an extended CTRT (named as XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same AONT security definition of Desai. Also, we discuss the security result of XCTRT in concrete parameter settings. After showing performance measurements of XCTRT, we can say that our XCTRT has high speed encoding/decoding performance and is quite practical to be deployed in the real-world applications (e.g., cloud storage service).