On Thu, Dec 27, 2012 at 1:35 PM, Ben Laurie <b...@links.org> wrote: > On Thu, Dec 27, 2012 at 9:18 AM, Russell Leidich <pke...@gmail.com> wrote: >> there are plenty of Googleable papers showing the Counter Mode is weak >> relative to (conventional) cipher-block-chaining (CBC) AES. > > Really? For example? I believe CTR mode is especially sensitive to key/nonce reuse. But you don't see the problem until you look at messages over time and space. Confer: CTR mode uses a predictable counter, while CBC mode uses a random (not unique) IV.
I could be wrong since I'm working from memory (it sucks getting old). I'd need to get into the literature to give you anything useful (citable). Jeff _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography