On 2013-06-13 12:31 PM, Russell Leidich wrote:
Not to detract from the important discussion of how best to use AES
CTR mode, but I have a more basic question...
I can certainly understand why the discussion of CTR mode is
considered to be boring. I assume that anyone can easily verify that
testing trillions of different 128-bit counter values, even in
incremental sequence, produces radically different xor masks, given a
"reasonable" IV.
But what's the probability of 2 xor masks colliding? Is this just
assumed to be random, i.e. compatible with a birthday attack?
If it was not random there would be equivalent attacks on all other modes.
I am seeing a lot of people imagining all sorts of problems with ctr
happening under certain circumstances, when, given those circumstances,
there would be equivalent problems with all other modes.
This is the bicycle shed effect.
A committee has to discuss a ten million dollar auditorium and a five
hundred dollar bicycle shed. The auditorium goes through in three
minutes, because no one understands the potential problems with the
auditorium, whereas the bicycle shed bogs down the committee for three
months.
For example someone pointed out that ctr is problematic because you
don't necessarily have access to true randomness or non repeating pseudo
randomness.
Well guess what? Every other mode needs randomness also.
Every other mode needs authentication also.
Has anyone done anything like a limit median iteration count before
repetition (LMICBR) test or scintillating entropy test? (These are
described in detail on my blogs.) The former test, which could
actually be performed in useful fashion on a 128-bit space using
existing computer power, would likely throw up warning signs if the
cycle were too short. The latter test would potentially shrink the
upper bound complexity estimate for differential (i.e. interblock)
cryptanalysis.
So if, let's say, 2 in every 100 xor masks collide, then I need only
store 100 encrypted blocks in order to have a good chance of finding
a matching pair (or n-tuple) of xor masks, thereby facilitating
statistical cracking methods. Obviously 100 is too small. So what is
the actual number, for a given counter width?
Personally, I'd prefer to rely on the predictable limit cycles of
Karacell 3 (but then, I'm biased). But I'm quite open to a
demonstration or whitepaper showing that CTR limit cycles are also
predictable and usefully long. Or maybe I've just misunderstood how
CTR works. Anyone?
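A worked illustration of the two questions raised above (keystream-block collision probability, and the length of the CTR "limit cycle"), added here as an example and not taken from either poster. It assumes a toy 16-bit block width so that counts are observable; a keyed random permutation stands in for AES under one key (AES with a fixed key is a bijection on the block space), and a random function stands in for the "assume it is random" model. Under a permutation, distinct counter values can never yield equal keystream blocks, so the collision count is exactly zero until the counter wraps; the period of the keystream is the counter modulus 2^w, fixed by the mode rather than by any property of the cipher. The random-function model, by contrast, produces collisions at the birthday rate n(n-1)/2 / 2^w.

```python
import random
from collections import Counter

BLOCK_BITS = 16          # toy width so collisions are countable; AES uses 128
SPACE = 1 << BLOCK_BITS
MASK = SPACE - 1


def make_permutation(seed):
    """Toy block cipher under one key: a seeded random permutation of the block space.
    This is the structural property AES_k has (a bijection), not AES itself."""
    rng = random.Random(seed)
    table = list(range(SPACE))
    rng.shuffle(table)
    return table


def make_random_function(seed):
    """Contrast model: a random function (outputs may repeat) on the same space."""
    rng = random.Random(seed)
    return [rng.randrange(SPACE) for _ in range(SPACE)]


def ctr_keystream(cipher, iv, n_blocks):
    """CTR keystream blocks E_k(IV + i mod 2^w) for i = 0 .. n_blocks-1.
    'cipher' is a lookup table standing in for the block-cipher call."""
    return [cipher[(iv + i) & MASK] for i in range(n_blocks)]


def count_colliding_pairs(blocks):
    """Number of index pairs (i < j) whose keystream blocks are equal."""
    counts = Counter(blocks)
    return sum(k * (k - 1) // 2 for k in counts.values())


def expected_birthday_collisions(n, width_bits):
    """Expected colliding pairs among n independent uniform w-bit values."""
    return n * (n - 1) / 2 / (1 << width_bits)


def keystream_period(cipher, iv):
    """Smallest p > 0 with keystream block p equal to block 0 (and onward).
    For a permutation this is exactly 2^w: the counter, not the cipher, sets it."""
    first = cipher[iv & MASK]
    p = 1
    while cipher[(iv + p) & MASK] != first:
        p += 1
    return p


if __name__ == "__main__":
    perm = make_permutation(seed=1)
    func = make_random_function(seed=1)
    iv = 0xBEEF                                   # constructed sample IV
    n = 4096
    print("permutation, n=%d: collisions = %d" %
          (n, count_colliding_pairs(ctr_keystream(perm, iv, n))))
    print("random function, n=%d: collisions = %d (expected %.1f)" %
          (n, count_colliding_pairs(ctr_keystream(func, iv, n)),
           expected_birthday_collisions(n, BLOCK_BITS)))
    print("keystream period under one key/IV = 2^%d = %d" %
          (BLOCK_BITS, keystream_period(perm, iv)))
```

The practical caveat this makes visible: the only ways two CTR keystream blocks coincide under one key are a counter wrap (more than 2^w blocks under one nonce) or a nonce/counter reuse, which is why the usable message volume per key and nonce uniqueness are the parameters to check, not the cipher's internal cycle structure.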
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography