Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption

Helger Lipmaa, Helsinki University of Technology (Finland) and University of Tartu (Estonia), [email protected], http://www.tml.hut.fi/~helger
Phillip Rogaway, University of California at Davis (USA) and Chiang Mai University (Thailand), [email protected], http://www.cs.ucdavis.edu/~rogaway
David Wagner, University of California Berkeley (USA), [email protected], http://www.cs.berkeley.edu/~wagner

Abstract

Counter-mode encryption ("CTR mode") was introduced by Diffie and Hellman already in 1979 [5] and is already standardized by, for example, [1, Section 6.4]. It is indeed one of the best-known modes that are not standardized in [10]. We suggest that NIST, in standardizing AES modes of operation, should include CTR-mode encryption as one possibility, for the following reasons. First, CTR mode has significant efficiency advantages over the standard encryption modes without weakening the security; in particular, its tight security has been proven. Second, most of the perceived disadvantages of CTR mode are not valid criticisms, but rather stem from unfamiliarity with the mode.

1 Review of Counter-Mode Encryption

Notation. Let $E_K(X)$ denote the encipherment of an $n$-bit block $X$ using key $K$ and a block cipher $E$. For concreteness we assume that $E = \mathrm{AES}$, so $n = 128$. If $X$ is a nonempty string and $i$ is a nonnegative integer, then $X + i$ denotes the $|X|$-bit string that one gets by regarding $X$ as a nonnegative number (written in binary, most significant bit first), adding $i$ to this number, taking the result modulo $2^{|X|}$, and converting this number back into an $|X|$-bit string. This is the customary semantics for computer addition.

Operation. To encrypt using CTR-mode encryption, one starts with a plaintext $M$ (an arbitrary bit string), a key $K$, and a counter $\mathit{ctr}$, where $\mathit{ctr}$ is an $n$-bit string. Let $C$ be the XOR (exclusive-or) of $M$ and the first $|M|$ bits of the pad $E_K(\mathit{ctr}) \,\|\, E_K(\mathit{ctr}+1) \,\|\, E_K(\mathit{ctr}+2) \,\|\, \cdots$. The ciphertext is $(\mathit{ctr}, C)$, or, more generally, $C$ together with something adequate to recover $\mathit{ctr}$. To decrypt ciphertext $(\mathit{ctr}, C)$, compute the plaintext $M$ as the XOR of $C$ and the first $|C|$ bits of the pad $E_K(\mathit{ctr}) \,\|\, E_K(\mathit{ctr}+1) \,\|\, E_K(\mathit{ctr}+2) \,\|\, \cdots$. Therefore, decryption is the same as encryption with $M$ and $C$ interchanged (see Figure 1). Often we refer to $C$ itself, rather than $(\mathit{ctr}, C)$, as the ciphertext.

Usage scenarios. In the recommended usage scenario, the party encrypting maintains an integer counter, $\mathit{nonce}$, initially 0, and produces the string $\mathit{ctr}$ as the 128-bit string which encodes the number $\mathit{nonce} \cdot 2^{64}$. (In other words, $\mathit{nonce}$ is regarded as a 64-bit binary number, and $\mathit{ctr}$ is constructed by appending to this number 64 zero bits.) The number $\mathit{nonce}$ is incremented following each encryption. Typically, one transmits $C$ along with a string which encodes $\mathit{nonce}$ ....
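The encryption, decryption and counter-layout rules above, as an added worked example (this is not code from the Lipmaa, Rogaway and Wagner note). CTR mode is written generically over a block-cipher callable $E_K$; `toy_block_cipher` is an assumed HMAC-SHA256 stand-in for AES so the block runs on the standard library alone, and `aes_known_answer` checks the same `ctr_crypt` against a NIST SP 800-38A AES-128 CTR test vector only if the third-party `cryptography` package happens to be installed. `keystream_reuse_leak` shows why the nonce is incremented after every encryption.

```python
# Added example (not from the Lipmaa/Rogaway/Wagner note): CTR mode written
# generically over a block cipher E_K so that it runs with the standard
# library alone.  `toy_block_cipher` is an assumed stand-in PRF, not AES.
import hashlib
import hmac

N_BITS = 128            # block size n for AES
N_BYTES = N_BITS // 8


def add_mod(x: bytes, i: int) -> bytes:
    """X + i: read X as a big-endian number, add i modulo 2^|X|, and write the
    result back as an |X|-bit string (ordinary computer addition)."""
    total = (int.from_bytes(x, "big") + i) % (1 << (8 * len(x)))
    return total.to_bytes(len(x), "big")


def make_ctr(nonce: int) -> bytes:
    """Recommended counter layout: nonce as a 64-bit number followed by 64 zero
    bits, i.e. the 128-bit encoding of nonce * 2^64."""
    if not 0 <= nonce < (1 << 64):
        raise ValueError("nonce must fit in 64 bits")
    return (nonce << 64).to_bytes(N_BYTES, "big")


def ctr_crypt(E, ctr: bytes, data: bytes) -> bytes:
    """XOR data with the first |data| bits of E_K(ctr) || E_K(ctr+1) || ...
    Called with M it encrypts; called with C it decrypts (same code).
    Bit strings are handled at byte granularity here."""
    if len(ctr) != N_BYTES:
        raise ValueError("ctr must be one block")
    out = bytearray()
    for j in range(0, len(data), N_BYTES):
        pad_block = E(add_mod(ctr, j // N_BYTES))
        out += bytes(a ^ b for a, b in zip(data[j:j + N_BYTES], pad_block))
    return bytes(out)


def toy_block_cipher(key: bytes):
    """Assumed stand-in for AES: E_K(X) = first 16 bytes of HMAC-SHA256(K, X).
    A keyed PRF is all CTR's security proof needs, but this is NOT AES."""
    def E(x: bytes) -> bytes:
        return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]
    return E


class CtrSender:
    """The recommended usage scenario: keep an integer nonce starting at 0,
    encrypt under ctr = nonce * 2^64, transmit nonce with C, then increment."""

    def __init__(self, E):
        self.E = E
        self.nonce = 0

    def encrypt(self, m: bytes):
        ctr = make_ctr(self.nonce)
        sent = (self.nonce, ctr_crypt(self.E, ctr, m))
        self.nonce += 1     # never reuse a (key, nonce) pair
        return sent


def ctr_decrypt(E, nonce: int, c: bytes) -> bytes:
    """Receiver rebuilds ctr from the transmitted nonce; decryption = encryption."""
    return ctr_crypt(E, make_ctr(nonce), c)


def keystream_reuse_leak(E, nonce: int, m1: bytes, m2: bytes) -> bytes:
    """Why the nonce must advance: two messages under the same ctr share a pad,
    so C1 XOR C2 = M1 XOR M2 and the pad cancels.  Returns C1 XOR C2."""
    c1 = ctr_crypt(E, make_ctr(nonce), m1)
    c2 = ctr_crypt(E, make_ctr(nonce), m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def aes_known_answer():
    """If the third-party `cryptography` package is installed, check ctr_crypt
    with real AES-128 against NIST SP 800-38A F.5.1 (blocks 1-2); else None."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    ctr = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
    pt = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a"
                       "ae2d8a571e03ac9c9eb76fac45af8e51")
    expected = bytes.fromhex("874d6191b620e3261bef6864990db6ce"
                             "9806f66b7970fdff8617187bb9fffdff")
    ecb = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return ctr_crypt(ecb.update, ctr, pt) == expected


if __name__ == "__main__":
    E = toy_block_cipher(b"\x00" * 16)      # constructed demo key
    nonce, c = CtrSender(E).encrypt(b"attack at dawn")
    print(nonce, c.hex(), ctr_decrypt(E, nonce, c))
```

The counter arithmetic is the paper's $X + i$ modulo $2^{|X|}$, so a full-ones block wraps to zero; with the $\mathit{nonce} \cdot 2^{64}$ layout a single message may consume up to $2^{64}$ blocks before its counter runs into the next nonce's range. Swap `toy_block_cipher` for a real AES block call (as `aes_known_answer` does) for anything beyond illustration.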