Why is ECB+CTR not a thing?What is a tweakable block cipher?Proof that IND$-CPA implies IND-CPA?(Why) should I avoid using a randomized IV for CTR mode?Modes of operation that allow padding oracle attacksSecurity of a parallelizable block cipher modeRepeated NONCE in CTR modeIs it feasable to combine ECB and CTR block modes of operation?What's the best block cipher mode of operation for RSA?Why weak modes of operations are not banned?
Mathematica NDSolve for DAE and System Modeling
Number puzzle. Can you replace the question mark?
How can I repair a leak in a PVC water line without bringing down the system for an extended period of time?
Most general definition of differentiation
Conditional types in Typescript
Should a soda bottle be stored horizontally or vertically?
What's the best way to keep cover of a pan slightly opened?
What are examples of (collections of) papers which "close" a field?
Twelve Labours - #12 Pluto Pups
Certainly naive, but I do not understand why this compiles
Where to start with a child learning chess?
Simple Markdown viewer for Windows
Why are these wires sticking out of battery terminal?
Compatibility level of SQL Server
Running DOS, Windows 3, and Windows 98 from one FAT32 partition?
Which object has been to space the most times?
Where to find the code for the terminal commands?
Furnace: pipe is leaking when switched to air-conditioning
What made the Tusken Raiders unable / unwilling to shoot down Luke's Landspeeder?
In Germany, why does the burden of proof fall on authorities rather than the company or individual when it comes to possible illegal funds?
Is there a reason "Hoopy" is rarely used in The Hitchhiker's Guide?
Three people wearing hats
Can socialism and capitalism coexist in the same country?
Is it Academically Dishonest to submit the same project to two different classes in the same semester?
Why is ECB+CTR not a thing?
What is a tweakable block cipher?Proof that IND$-CPA implies IND-CPA?(Why) should I avoid using a randomized IV for CTR mode?Modes of operation that allow padding oracle attacksSecurity of a parallelizable block cipher modeRepeated NONCE in CTR modeIs it feasable to combine ECB and CTR block modes of operation?What's the best block cipher mode of operation for RSA?Why weak modes of operations are not banned?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
.everyonelovesstackoverflowposition:absolute;height:1px;width:1px;opacity:0;top:0;left:0;pointer-events:none;
$begingroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
$endgroup$
add a comment
|
$begingroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
$endgroup$
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
Sep 26 at 19:12
add a comment
|
$begingroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
$endgroup$
AES-CTR is nice for its parallelizability and simplicity but if you duplicate an IV you reveal plaintext.
Chaining modes like CFB and CBC don't have that problem per se but they are not parallelizable. (CBC-type modes have padding issues too but that's a separate problem.)
Naive ECB mode is not secure because it reveals structure in the plaintext as shown clearly here.
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
The advantage over CTR as I see it is that duplicating a nonce/IV (or having no nonce/IV) would not allow actual plaintext recovery. It may reveal duplication, but that's it. In the no-IV case duplicate messages would have duplicate ciphertext, but that again only reveals message duplication but does not compromise secrecy.
Obviously you'd need some kind of padding but again that's a separate issue.
Why is this kind of mode not a thing? Would a mode like that have some problem I don't see or is it simply deemed unnecessary?
block-cipher algorithm-design modes-of-operation
block-cipher algorithm-design modes-of-operation
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
asked Sep 26 at 17:47
Adam IerymenkoAdam Ierymenko
7313 silver badges15 bronze badges
7313 silver badges15 bronze badges
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
Sep 26 at 19:12
add a comment
|
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
Sep 26 at 19:12
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
Sep 26 at 19:12
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
Sep 26 at 19:12
add a comment
|
3 Answers
3
active
oldest
votes
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
$endgroup$
1
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they bexxx0andxxx1for any bitstringsxxx? There's "just" the difference revealed.
$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value forxxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.
$endgroup$
– SEJPM♦
Sep 27 at 14:52
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $operatornameAES_k( 7 oplus 4 ), operatornameAES_k( 6 oplus 5) = operatornameAES_k( 3 ), operatornameAES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $operatornameAES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $operatornameGF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
$endgroup$
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
$endgroup$
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump today*maximum in a day + x. The application can ask to compare after storing.
$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74615%2fwhy-is-ecbctr-not-a-thing%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
$endgroup$
1
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they bexxx0andxxx1for any bitstringsxxx? There's "just" the difference revealed.
$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value forxxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.
$endgroup$
– SEJPM♦
Sep 27 at 14:52
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
$endgroup$
1
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they bexxx0andxxx1for any bitstringsxxx? There's "just" the difference revealed.
$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value forxxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.
$endgroup$
– SEJPM♦
Sep 27 at 14:52
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
$endgroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
This is trivially insecure. Counter-Example: Consider the nonce $0^n$ and the plaintext $0^2n-1|1$. This mode will encrypt the first block to be $E(0^n)$ and the second block to be $E((0^n-1|1)oplus(0^n-1|1))=E(0^n)$ and so the two blocks will match revealing that they were all zero and all-zero appended with 1. This easily breaks IND$-CPA and RoR-CPA security (the latter being equivalent to more standard CPA security).
Why is this kind of mode not a thing?
This sort of mode is a thing actually. Just not in the naive formulation as described in the question. Namely if you have a almost-XOR-universal hash function $H_K$ keyed with some key $K$ and a block cipher $E$, then $H_K(T)oplus E(Moplus H_K(T))$ is a secure tweakable block cipher1. Now you can put a counter in the tweak $T$ and change it for each block so swap attacks no longer work as do the pattern attacks you know from ECB. In fact tweakable block cipher (modes) are so useful, they see widespread use as XTS (which is based upon LRW which is the above construction and used by essentially all disk encryption software in a variant of this mode) and are the basis for the famously fast OCB modes.
1: Technically this constructs a strong tweakable pseudo-random permutation. For a non-strong TPRP it actually suffices to compute $E(Moplus H_K(T))$ and the simplest $H_K(T)$ is actually $Kcdot T$ over $F_2^128$ which when used with a counting $T$ is very close to the question's construction it's just the additional secret value that makes the difference.
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
edited Sep 26 at 20:50
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
answered Sep 26 at 18:14
SEJPM♦SEJPM
36k6 gold badges64 silver badges151 bronze badges
36k6 gold badges64 silver badges151 bronze badges
1
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they bexxx0andxxx1for any bitstringsxxx? There's "just" the difference revealed.
$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value forxxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.
$endgroup$
– SEJPM♦
Sep 27 at 14:52
add a comment
|
1
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they bexxx0andxxx1for any bitstringsxxx? There's "just" the difference revealed.
$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value forxxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.
$endgroup$
– SEJPM♦
Sep 27 at 14:52
1
1
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they be
xxx0 and xxx1 for any bitstrings xxx? There's "just" the difference revealed.$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
"the two blocks will match revealing that they were all zero and all-zero appended with 1" -- couldn't they be
xxx0 and xxx1 for any bitstrings xxx? There's "just" the difference revealed.$endgroup$
– ilkkachu
Sep 27 at 13:41
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value for
xxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.$endgroup$
– SEJPM♦
Sep 27 at 14:52
$begingroup$
Yes, this attack would also work as you suggested as long as the counter is currently at an even value for
xxx0. Note that revealing the fact that these ciphertext blocks are related is already enough to break even the most basic modern cryptographic security notions.$endgroup$
– SEJPM♦
Sep 27 at 14:52
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $operatornameAES_k( 7 oplus 4 ), operatornameAES_k( 6 oplus 5) = operatornameAES_k( 3 ), operatornameAES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $operatornameAES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $operatornameGF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $operatornameAES_k( 7 oplus 4 ), operatornameAES_k( 6 oplus 5) = operatornameAES_k( 3 ), operatornameAES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $operatornameAES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $operatornameGF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
$endgroup$
add a comment
|
$begingroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $operatornameAES_k( 7 oplus 4 ), operatornameAES_k( 6 oplus 5) = operatornameAES_k( 3 ), operatornameAES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $operatornameAES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $operatornameGF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
$endgroup$
However if you added a counter to ECB mode and XORed each block of plaintext with the counter, you could avoid that problem.
Not really; it hides precisely duplicated plaintext blocks, but it would still reveal related plaintext blocks.
Consider a two-block plaintext that consists of $(7, 6)$. Suppose we encrypt it with a counter $nonce = 4$; what this mode would do is generate a two-block ciphertext block $operatornameAES_k( 7 oplus 4 ), operatornameAES_k( 6 oplus 5) = operatornameAES_k( 3 ), operatornameAES_k( 3) $. When the attacker sees this, he can immediately deduce that the xor of the first two plaintext blocks is the value 1.
Not only does this mean that we don't meet CPA security, but also it might leak on plaintexts that might reasonably occur.
Now, a similar idea that I have seen suggested (source: Richard Schroeppel) is the same general idea, but you keep the initial counter value secret (e.g. it is $operatornameAES_k(iv)$), and to update the counter for each block, you don't do a simple increment, but instead you do a multiply by 2 in $operatornameGF(2^128)$ (that is, you have a 128 bit LFSR based on a prime polynomial, and you step it once for each block). This can be shown to be CPA secure; however it never caught on...
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
edited Sep 27 at 20:42
Squeamish Ossifrage
39.1k3 gold badges76 silver badges161 bronze badges
39.1k3 gold badges76 silver badges161 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
answered Sep 26 at 18:13
ponchoponcho
102k3 gold badges165 silver badges268 bronze badges
102k3 gold badges165 silver badges268 bronze badges
add a comment
|
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
$endgroup$
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump today*maximum in a day + x. The application can ask to compare after storing.
$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
$endgroup$
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump today*maximum in a day + x. The application can ask to compare after storing.
$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
add a comment
|
$begingroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
$endgroup$
First of all, in CTR mode, using the same IV under the same key is catastrophic. Once an attacker notices this, he can use crib-dragging like in OTP. Mitigation from using the same IV is easy;
- using a counter-based IV generation
- Or LFSR based, both as recommended by NIST, and the first is more common.
In your mode, one needs the plaintext ready for the encryption. However, in CTR mode, you can prepare the stream before the data arrive.
Now, assume that you have used the same key with different messages in your mode. If a block repeats in two messages in the same position, they will have the same encryption. This can enable some traffic analyzing. However, in CTR if IV is not repeated, there is no problem. Your mode, in some sense, enables IV repeats.
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
answered Sep 26 at 18:13
kelalakakelalaka
13.5k4 gold badges34 silver badges61 bronze badges
13.5k4 gold badges34 silver badges61 bronze badges
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump today*maximum in a day + x. The application can ask to compare after storing.
$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
add a comment
|
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump today*maximum in a day + x. The application can ask to compare after storing.
$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
In some contexts, it may be hard to ensure that a counter gets updated in a way that is robust in the face of unexpected power loss.
$endgroup$
– supercat
Sep 27 at 18:32
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
@supercat are you talking about the CTR mode's recommendations?
$endgroup$
– kelalaka
Sep 27 at 18:36
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
Essentially, the problem with CTR mode is that must have a means of keeping track of what IVs one may have used that is 100% robust, even if one loses power, has system state reloaded from a backup, etc. Not necessarily an insurmountable obstacle, but one that may be problematic if e.g. an application has no means of ensuring when information actually gets written to a storage medium (as opposed to merely delivered to the controller).
$endgroup$
– supercat
Sep 27 at 20:19
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump to
day*maximum in a day + x. The application can ask to compare after storing.$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
@supercat If you know the daily encryption with the CTR mode under the same key by kept statistics, while reloading from a backup you can jump to
day*maximum in a day + x. The application can ask to compare after storing.$endgroup$
– kelalaka
Sep 27 at 21:04
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
$begingroup$
That would require that the unit have a reliable clock. Not a problem, if there's a working and trustworthy clock, but working clocks aren't always available.
$endgroup$
– supercat
Sep 27 at 21:10
add a comment
|
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f74615%2fwhy-is-ecbctr-not-a-thing%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
Maybe start by asking: What is the security goal that this would serve, what other alternatives already serve that security goal, and does it perform better than the alternatives?
$endgroup$
– Squeamish Ossifrage
Sep 26 at 19:12