Why is ECB+CTR not a thing?What is a tweakable block cipher?Proof that IND$-CPA implies IND-CPA?(Why) should I avoid using a randomized IV for CTR mode?Modes of operation that allow padding oracle attacksIs it secure to encrypt random key with block cipher in ECB mode?Security of a parallelizable block cipher modeRepeated NONCE in CTR modeIs it feasable to combine ECB and CTR block modes of operation?What's the best block cipher mode of operation for RSA?
Manager told a colleague of mine I was getting fired soon
Why does the Pilatus PC-24 have such a large "Wing Support"?
How to refresh wired service getRecord manually?
Check if number is in list of numbers
Why is music is taught by reading sheet music?
Does the US Armed Forces refuse to recruit anyone with an IQ less than 83?
Writing about real people - not giving offence
Can Fabled Passage generate two mana with Amulet of Vigor?
What is the Japanese equivalent of 'you're in my heart'?
Is there an in-universe explanation of how Frodo's arrival in Valinor was recorded in the Red Book?
Origin of movie opening crawl
Did I get free gas?
Search for something difficult to count/estimate
Sending mail to the Professor for PhD, after seeing his tweet
Why do personal finance apps focus on outgoings rather than income
Why is ECB+CTR not a thing?
Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit?
What's the "actual" shape of a black hole accretion disk?
How is this situation not a checkmate?
Parent asking for money after I moved out
What powers or limits devil promotion?
underline alignment
As "database reporting analyst" I have access to privileged info & the company isn't doing well, how to avoid appearing improper if I leave?
Single tx included in two different blocks
Why is ECB+CTR not a thing?
What is a tweakable block cipher?Proof that IND$-CPA implies IND-CPA?(Why) should I avoid using a randomized IV for CTR mode?Modes of operation that allow padding oracle attacksIs it secure to encrypt random key with block cipher in ECB mode?Security of a parallelizable block cipher modeRepeated NONCE in CTR modeIs it feasable to combine ECB and CTR block modes of operation?What's the best block cipher mode of operation for RSA?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;
$begingroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
$endgroup$
add a comment
|
$begingroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
$endgroup$
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago
add a comment
|
$begingroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
$endgroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
block-cipher algorithm-design modes-of-operation
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
asked 9 hours ago
Adam IerymenkoAdam Ierymenko
4893 silver badges14 bronze badges
4893 silver badges14 bronze badges
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago
add a comment
|
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago
add a comment
|
3 Answers
3
active
oldest
votes
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
$endgroup$
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
$endgroup$
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74615%2fwhy-is-ecbctr-not-a-thing%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
$endgroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
edited 8 hours ago
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
answered 8 hours ago
ponchoponcho
99.8k3 gold badges163 silver badges261 bronze badges
99.8k3 gold badges163 silver badges261 bronze badges
add a comment
|
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
$endgroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
edited 6 hours ago
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
answered 8 hours ago
SEJPM♦SEJPM
31.3k6 gold badges64 silver badges147 bronze badges
31.3k6 gold badges64 silver badges147 bronze badges
add a comment
|
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
$endgroup$
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
$endgroup$
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
$endgroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
answered 8 hours ago
kelalakakelalaka
10.9k3 gold badges28 silver badges55 bronze badges
10.9k3 gold badges28 silver badges55 bronze badges
add a comment
|
add a comment
|
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74615%2fwhy-is-ecbctr-not-a-thing%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago