Steve Weis:
> Comments inline...
> On Tue, Jun 11, 2013 at 10:47 AM, Sean Cassidy 
> <>wrote:
> > > - Any specific reason you picked CTR?
> > CTR is widely recommended. Cryptography Engineering specifically
> > recommends it.

I was puzzled by this recommendation. CTR has several bad propeties that
can surprise you, and have bitten Tor as well.
> The reason I ask is that this makes your IV-generation more critical than,
> say, CBC, XTS, or other modes. If you have an IV collision, you'll leak
> some message bits.

Additionally to this, CTR allows bit-level maleability of the cleartext:
a bit flipped in a CTR cipherstream translates into a bit flipped in
the cleartext.

In fact, if there are regions of known cleartext (such as zeroes) the
adversary can do things like encode the originating IP in the cleartext
simply by XORing it into the cipherstream.

This property can cause problems if you perform any operations before
checking the MAC (like evaluating a weak CRC to decide to forward the
message or not).

CBC on the other hand causes a single ciphertext bitflip to scramble a
block of cleartext (16 or 32 bytes for 128bit vs 256bit) in an
unpredictable and key-dependent way.

Mike Perry
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at or changing your settings at

Reply via email to