I agree with you about the way to build the initial "ctr" value from the "nonce"
value. My question is different: within the encryption of a whole plaintext message
(so a big block to be divided into 128-bit length blocks), why increment ctr by
2^64 instead of 1 from block to block?

My understanding of the operation is:
- increment nonce by one from message to message (so this is a 2^64 step if
considering ctr)
- but for each message:
        - build initial ctr from the nonce value
        - increment ctr by 1 from block to block

Thierry Boivin


At 07:23 06/06/03 -0700, you wrote:
>Thierry Boivin wrote:
>>Hello,
>>I am trying to play with AES crypto in counter mode. Using the crypto library
>>against reference vectors found in IPSec RFC fails until the incrementation
>>function (AES_ctr128_inc()) is modified in order to get a +1 step instead of a +2^64
>>step. Where does the actual "increment by 2^64" come from?
>
>Read the documents on AES counter mode.  The counter is a 64-bit
>counter but the blocksize is 128, and the convention is that the
>counter is a Big Endian number with only the MSW used.
>
>[from Lipmaa, Rogaway & Wagner]
>
>        In the recommended usage scenario, the party encrypting maintains an
>        integer counter, nonce, initially 0, and produces the string ctr as
>        the 128-bit string which encodes the number nonce * 2^64.
>
>Don't ask me *why* it's that way -- the choice of a mere 64 bits is
>clearly done in order to avoid a well-known attack against stream ciphers,
>since one can begin to distinguish a stream from random after 2^90 or so
>samples.
>
>Maybe the Big Endian choice is a subtle protest against Wintel?
>
>-- 
>
>"Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
>                - The Mahabharata
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>Development Mailing List                       [EMAIL PROTECTED]
>Automated List Manager                           [EMAIL PROTECTED]
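
Added example (not part of the original thread, and not OpenSSL code): the two step sizes discussed above, applied to a counter built as nonce * 2^64 with the nonce incremented by one per message. The helper names are hypothetical; the function counts the counter values two consecutive messages share, since a counter value repeated under the same key repeats a keystream block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names for this example; none of this is OpenSSL code. */

/* ctr = nonce * 2^64 as a 128-bit big-endian string: the nonce fills
 * bytes 0..7 and bytes 8..15 start at zero. */
void ctr_from_nonce(uint8_t ctr[16], uint64_t nonce)
{
    memset(ctr, 0, 16);
    for (int i = 7; i >= 0; i--) { ctr[i] = (uint8_t)nonce; nonce >>= 8; }
}

/* Big-endian increment of ctr[0..last]; the carry moves towards byte 0. */
static void inc_be(uint8_t *ctr, int last)
{
    for (int i = last; i >= 0; i--)
        if (++ctr[i] != 0) break;
}

void ctr_inc_by_1(uint8_t ctr[16])    { inc_be(ctr, 15); } /* step +1    */
void ctr_inc_by_2_64(uint8_t ctr[16]) { inc_be(ctr, 7);  } /* step +2^64 */

#define MAXBLK 64
/* Number of counter values that message `nonce` and message `nonce + 1`
 * have in common when both are `nblocks` long and use step `inc`. */
int shared_counters(uint64_t nonce, int nblocks, void (*inc)(uint8_t *))
{
    static uint8_t a[MAXBLK][16], b[MAXBLK][16];
    int shared = 0;
    if (nblocks > MAXBLK) nblocks = MAXBLK;
    ctr_from_nonce(a[0], nonce);
    ctr_from_nonce(b[0], nonce + 1);
    for (int i = 1; i < nblocks; i++) {
        memcpy(a[i], a[i - 1], 16); inc(a[i]);
        memcpy(b[i], b[i - 1], 16); inc(b[i]);
    }
    for (int i = 0; i < nblocks; i++)
        for (int j = 0; j < nblocks; j++)
            shared += (memcmp(a[i], b[j], 16) == 0);
    return shared;
}

int main(void)
{
    printf("step +1:    %d shared\n", shared_counters(5, 4, ctr_inc_by_1));
    printf("step +2^64: %d shared\n", shared_counters(5, 4, ctr_inc_by_2_64));
    return 0;
}
```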
