This preview shows pages 1–2. Sign up to view the full content.

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption Helger Lipmaa Helsinki University of Technology (Finland) and University of Tartu (Estonia) [email protected] http://www.tml.hut.fi/ helger Phillip Rogaway University of California at Davis (USA) and Chiang Mai University (Thailand) [email protected] http://www.cs.ucdavis.edu/ rogaway David Wagner University of California Berkeley (USA) [email protected] http://www.cs.berkeley.edu/ wagner Abstract Counter-mode encryption (“CTR mode”) was introduced by Diffie and Hellman already in 1979 [5] and is already standardized by, for example, [1, Section 6.4]. It is indeed one of the best known modes that are not standardized in [10]. We suggest that NIST, in standardizing AES modes of operation, should include CTR-mode encryption as one possibility for the next reasons. First, CTR mode has significant efficiency advantages over the standard encryption modes without weakening the security. In particular its tight security has been proven. Second, most of the perceived disadvantages of CTR mode are not valid criticisms, but rather caused by the lack of knowledge. 1 Review of Counter-Mode Encryption Notation. Let E K X denote the encipherment of an n-bit block X using key K and a block cipher E . For concreteness we assume that E = AES, so n = 128. If X is a nonempty string and i is a nonnegative integer, then X i denotes the j X j-bit string that one gets by regarding X as a nonnegative number (written in binary, most significant bit first), adding i to this number, taking the result modulo 2 j X j , and converting this number back into an j X j-bit string. This is the customary semantics for computer addition. Operation. To encrypt using CTR-mode encryption, one starts with a plaintext M (an arbitrary bit string), a key K , and a counter ctr , where ctr is an n-bit string. Let C be the XOR (excusive-or) of M and the first j M j bits of the pad E K ctr k E K ctr 1 k E K ctr 2 ¡¡¡ . The ciphertext is ctr ; C , or, more generally, C together with something adequate to recover ctr . To decrypt ciphertext ctr ; C compute the plaintext M as the XOR of C and the first j C j bits of the pad E K ctr k E K ctr 1 k E K ctr 2 ¡¡¡ . Therefore, decryption is the same as encryption with M and C interchanged (see Figure 1). Often we refer to C itself, rather than ctr ; C , as the ciphertext. Usage scenarios. In the recommended usage scenario, the party encrypting maintains an integer counter, nonce , initially 0, and produces the string ctr as the 128-bit string which encodes the number nonce ¡ 2 64 . (In other words, nonce is regarded as a 64-bit binary number, and ctr is constructed by appending to this number 64 zero-bits.) The number nonce is incremented following each encryption. Typically, one transmits C along with a string which encodes nonce ....
View Full Document

{[ snackBarMessage ]}