Why is ECB+CTR not a thing?What is a tweakable block cipher?Proof that IND$-CPA implies IND-CPA?(Why) should I avoid using a randomized IV for CTR mode?Modes of operation that allow padding oracle attacksIs it secure to encrypt random key with block cipher in ECB mode?Security of a parallelizable block cipher modeRepeated NONCE in CTR modeIs it feasable to combine ECB and CTR block modes of operation?What's the best block cipher mode of operation for RSA?

Manager told a colleague of mine I was getting fired soon

Why does the Pilatus PC-24 have such a large "Wing Support"?

How to refresh wired service getRecord manually?

Check if number is in list of numbers

Why is music is taught by reading sheet music?

Does the US Armed Forces refuse to recruit anyone with an IQ less than 83?

Writing about real people - not giving offence

Can Fabled Passage generate two mana with Amulet of Vigor?

What is the Japanese equivalent of 'you're in my heart'?

Is there an in-universe explanation of how Frodo's arrival in Valinor was recorded in the Red Book?

Origin of movie opening crawl

Did I get free gas?

Search for something difficult to count/estimate

Sending mail to the Professor for PhD, after seeing his tweet

Why do personal finance apps focus on outgoings rather than income

Why is ECB+CTR not a thing?

Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit?

What's the "actual" shape of a black hole accretion disk?

How is this situation not a checkmate?

Parent asking for money after I moved out

What powers or limits devil promotion?

underline alignment

As "database reporting analyst" I have access to privileged info & the company isn't doing well, how to avoid appearing improper if I leave?

Single tx included in two different blocks



Why is ECB+CTR not a thing?


What is a tweakable block cipher?Proof that IND$-CPA implies IND-CPA?(Why) should I avoid using a randomized IV for CTR mode?Modes of operation that allow padding oracle attacksIs it secure to encrypt random key with block cipher in ECB mode?Security of a parallelizable block cipher modeRepeated NONCE in CTR modeIs it feasable to combine ECB and CTR block modes of operation?What's the best block cipher mode of operation for RSA?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;

.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;








2












$begingroup$


AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.



Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)



Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.



However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.



The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.



Obviously you'd need some kind of padding but again that's a separate issue.



Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?










share|improve this question









$endgroup$













  • $begingroup$
    Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
    $endgroup$
    – Squeamish Ossifrage
    7 hours ago

















2












$begingroup$


AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.



Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)



Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.



However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.



The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.



Obviously you'd need some kind of padding but again that's a separate issue.



Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?










share|improve this question









$endgroup$













  • $begingroup$
    Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
    $endgroup$
    – Squeamish Ossifrage
    7 hours ago













2












2








2





$begingroup$


AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.



Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)



Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.



However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.



The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.



Obviously you'd need some kind of padding but again that's a separate issue.



Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?










share|improve this question









$endgroup$




AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.



Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)



Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.



However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.



The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.



Obviously you'd need some kind of padding but again that's a separate issue.



Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?







block-cipher algorithm-design modes-of-operation






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 9 hours ago









Adam IerymenkoAdam Ierymenko

4893 silver badges14 bronze badges




4893 silver badges14 bronze badges














  • $begingroup$
    Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
    $endgroup$
    – Squeamish Ossifrage
    7 hours ago
















  • $begingroup$
    Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
    $endgroup$
    – Squeamish Ossifrage
    7 hours ago















$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago




$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
7 hours ago










3 Answers
3






active

oldest

votes


















3














$begingroup$


However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.



Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.



Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.



Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...






share|improve this answer











$endgroup$






















    3














    $begingroup$


    However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




    This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).




    Why is this kind of mode not a thing?




    This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.




    1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.






    share|improve this answer











    $endgroup$






















      0














      $begingroup$

      First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;



      • using a counter-based IV generation

      • Or LFSR based, both as recommended by NIST, and the first is more common.

      In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.



      Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.






      share|improve this answer









      $endgroup$
















        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "281"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );














        draft saved

        draft discarded
















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74615%2fwhy-is-ecbctr-not-a-thing%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        3














        $begingroup$


        However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




        Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.



        Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.



        Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.



        Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...






        share|improve this answer











        $endgroup$



















          3














          $begingroup$


          However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




          Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.



          Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.



          Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.



          Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...






          share|improve this answer











          $endgroup$

















            3














            3










            3







            $begingroup$


            However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




            Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.



            Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.



            Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.



            Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...






            share|improve this answer











            $endgroup$




            However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




            Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.



            Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $AES_k( 7 oplus 4 ), AES_k( 6 oplus 5) = AES_k( 3 ), AES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.



            Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.



            Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $AES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $GF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 8 hours ago

























            answered 8 hours ago









            ponchoponcho

            99.8k3 gold badges163 silver badges261 bronze badges




            99.8k3 gold badges163 silver badges261 bronze badges


























                3














                $begingroup$


                However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




                This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).




                Why is this kind of mode not a thing?




                This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.




                1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.






                share|improve this answer











                $endgroup$



















                  3














                  $begingroup$


                  However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




                  This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).




                  Why is this kind of mode not a thing?




                  This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.




                  1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.






                  share|improve this answer











                  $endgroup$

















                    3














                    3










                    3







                    $begingroup$


                    However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




                    This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).




                    Why is this kind of mode not a thing?




                    This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.




                    1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.






                    share|improve this answer











                    $endgroup$




                    However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.




                    This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).




                    Why is this kind of mode not a thing?




                    This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.




                    1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited 6 hours ago

























                    answered 8 hours ago









                    SEJPMSEJPM

                    31.3k6 gold badges64 silver badges147 bronze badges




                    31.3k6 gold badges64 silver badges147 bronze badges
























                        0














                        $begingroup$

                        First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;



                        • using a counter-based IV generation

                        • Or LFSR based, both as recommended by NIST, and the first is more common.

                        In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.



                        Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.






                        share|improve this answer









                        $endgroup$



















                          0














                          $begingroup$

                          First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;



                          • using a counter-based IV generation

                          • Or LFSR based, both as recommended by NIST, and the first is more common.

                          In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.



                          Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.






                          share|improve this answer









                          $endgroup$

















                            0














                            0










                            0







                            $begingroup$

                            First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;



                            • using a counter-based IV generation

                            • Or LFSR based, both as recommended by NIST, and the first is more common.

                            In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.



                            Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.






                            share|improve this answer









                            $endgroup$



                            First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;



                            • using a counter-based IV generation

                            • Or LFSR based, both as recommended by NIST, and the first is more common.

                            In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.



                            Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 8 hours ago









                            kelalakakelalaka

                            10.9k3 gold badges28 silver badges55 bronze badges




                            10.9k3 gold badges28 silver badges55 bronze badges































                                draft saved

                                draft discarded















































                                Thanks for contributing an answer to Cryptography Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                Use MathJax to format equations. MathJax reference.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74615%2fwhy-is-ecbctr-not-a-thing%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                                Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                                Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її