I agree with Nico's comments about the importance of ensuring good entropy on non-session keys. And thanks to Greg for pointing out that important distinction.
Beyond the xor mask diversity issue, my second question remains: whether neighboring (i.e. single-bit-difference-seeded) blocks have sufficiently white differences. For example, if you flip bit 7 of the counter or bit 2 of the key, what happens to "entropy distance" from the one block to the other? Here's a (slowly loading) Wolfram Alpha graph of the distribution I would expect for a neighboring pair of 128-bit blocks, averaged over many similar samples, with respect to the number of bit flips, 0s, and 1s in their xor or difference:

http://www.wolframalpha.com/input/?i=128+coin+flips

I'm convinced that any given CTR xor mask is very white, given a reasonable key and IV; this question is instead directed toward block differences.

As to "one-to-one", I was referring to the mapping of the {key, counter} state to a given xor mask. While any xor encryption algo obviously needs to be one-to-one in the sense that it must be possible to uniquely decrypt the ciphertext, the xor masks don't need to be all unique. At one extreme, if the masks were all equal, statistical analysis would be very easy. But on the other extreme, if the xor masks are all unique, then you eventually lose deniability of the existence of a ciphertext (somewhere near the birthday limit). To the extent that a series of xor masks should be minimally distinct (as opposed to indistinct, which is impossible in a finite-state machine) from random noise, only a (1-1/e) fraction (about 63%) of all possible N-bit masks should be possible to generate from {key, counter} states, meaning that some xor masks would indeed be duplicates. After all, the whole point of xor mask encryption is to cheaply mimic a one-time pad emitted from a true random number generator, which of course can repeat itself by chance on occasion.

But I put this at the bottom of my message here, because at the moment it's all academic, on account of the astronomical number of xor mask samples required to evince this distinction.
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
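The "neighboring block" question above can be measured directly rather than argued about. The following is an added example, not code from the thread or from any of its participants: it instantiates the CTR xor mask as AES-128 applied to a block holding a zero 64-bit nonce and a big-endian 64-bit counter (an assumption; the post names no cipher or counter layout), flips bit 7 of the counter and bit 2 of the key exactly as the post asks, and reports the Hamming distance between the two resulting masks over a few thousand samples. The keys are constructed for the example (a fixed ASCII key, and sample keys derived from a SHA-256 of the sample index). For an ideal pair of independent random 128-bit blocks the distance follows Binomial(128, 1/2), which is the "128 coin flips" curve linked above: mean 64, variance 32, and about 7.0% of pairs differing in exactly 64 bits. `BinomialPMF` computes that reference curve so the empirical histogram can be laid against it.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"math/bits"
)

// exampleKey is a constructed 128-bit key for the demonstration (not from the thread).
var exampleKey = []byte("0123456789abcdef")

// KeystreamBlock returns one CTR xor mask: AES_key(nonce || counter), with an
// all-zero 64-bit nonce and the counter big-endian in the low 64 bits.
// The layout is an assumption made for this example.
func KeystreamBlock(key []byte, counter uint64) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only 16/24/32-byte keys are valid
	}
	var in, out [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], counter)
	c.Encrypt(out[:], in[:])
	return out[:]
}

// HammingDistance counts the bit positions in which two equal-length blocks differ,
// i.e. the number of 1s in their xor.
func HammingDistance(a, b []byte) int {
	d := 0
	for i := range a {
		d += bits.OnesCount8(a[i] ^ b[i])
	}
	return d
}

// CounterNeighborDistance compares the mask for `counter` with the mask for the
// counter with bit `bit` (0..63) flipped, under the same key.
func CounterNeighborDistance(key []byte, counter uint64, bit uint) int {
	return HammingDistance(KeystreamBlock(key, counter), KeystreamBlock(key, counter^(1<<bit)))
}

// KeyNeighborDistance compares the masks for the same counter under `key` and
// under `key` with bit `bit` (0..127, little-endian within each byte) flipped.
func KeyNeighborDistance(key []byte, counter uint64, bit uint) int {
	k2 := make([]byte, len(key))
	copy(k2, key)
	k2[bit/8] ^= 1 << (bit % 8)
	return HammingDistance(KeystreamBlock(key, counter), KeystreamBlock(k2, counter))
}

// Stats summarises a sample of bit distances; Hist[d] counts pairs at distance d.
type Stats struct {
	Mean, Variance float64
	Min, Max       int
	Hist           [aes.BlockSize*8 + 1]int
}

func summarise(d []int) Stats {
	var s Stats
	s.Min, s.Max = d[0], d[0]
	sum := 0
	for _, v := range d {
		sum += v
		s.Hist[v]++
		if v < s.Min {
			s.Min = v
		}
		if v > s.Max {
			s.Max = v
		}
	}
	s.Mean = float64(sum) / float64(len(d))
	for _, v := range d {
		dev := float64(v) - s.Mean
		s.Variance += dev * dev
	}
	s.Variance /= float64(len(d) - 1) // unbiased sample variance
	return s
}

// CounterAvalanche measures counter-neighbor distances for counters 0..n-1 under key.
func CounterAvalanche(key []byte, n int, bit uint) Stats {
	d := make([]int, n)
	for i := range d {
		d[i] = CounterNeighborDistance(key, uint64(i), bit)
	}
	return summarise(d)
}

// KeyAvalanche measures key-neighbor distances at counter 0 over n constructed
// sample keys, each derived as SHA-256(sample index) truncated to 16 bytes.
func KeyAvalanche(n int, bit uint) Stats {
	d := make([]int, n)
	var seed [8]byte
	for i := range d {
		binary.BigEndian.PutUint64(seed[:], uint64(i))
		k := sha256.Sum256(seed[:])
		d[i] = KeyNeighborDistance(k[:16], 0, bit)
	}
	return summarise(d)
}

// BinomialPMF is the ideal-case probability that two independent uniformly random
// n-bit blocks differ in exactly k bits: C(n, k) / 2^n ("n coin flips").
func BinomialPMF(n, k int) float64 {
	c := 1.0
	for i := 0; i < k; i++ {
		c *= float64(n-i) / float64(i+1)
	}
	return c * math.Pow(2, -float64(n))
}

func main() {
	const n = 4000
	for name, s := range map[string]Stats{
		"flip counter bit 7": CounterAvalanche(exampleKey, n, 7),
		"flip key bit 2":     KeyAvalanche(n, 2),
	} {
		fmt.Printf("%s: mean %.2f (ideal 64), variance %.2f (ideal 32), range %d..%d\n",
			name, s.Mean, s.Variance, s.Min, s.Max)
		fmt.Printf("  P(distance=64): empirical %.4f, binomial %.4f\n",
			float64(s.Hist[64])/n, BinomialPMF(128, 64))
	}
}
```

Run with `go run .`; both experiments should land within a fraction of a bit of mean 64 and within a few units of variance 32, with the empirical histogram tracking `BinomialPMF`. Note what this does and does not test: a single-bit flip in either the counter or the key producing a roughly half-different mask is the avalanche property a block cipher is designed for, and confirming it for AES says nothing about the separate mask-duplication argument made in the post.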
