11

I've been reading a bit about block cipher modes and I have a relatively straightforward question regarding CTR. In essence, I was hoping you guys would be kind enough to validate my understanding of things.

As I understand it, CTR does the following:

  1. Take the first output of the nonce (let us assume an incrementing int for our purposes)
  2. Encrypt the nonce with the key. CTR requires that the key and the nonce be of identical size.
  3. Perform some lossless operation between encrypted nonce and a portion of plaintext (e.g., XOR)
  4. Increment nonce
  5. Repeat ad libitum

Here's what I don't understand. CTR is supposed to transform a block cipher into a stream cipher, but don't you still have to operate block-by-block for step 3?

What am I missing?

Louis Thibault

1 Answer

16

While you do operate block-by-block when generating the pseudorandom stream, the actual encryption step (i.e., the XOR) is bitwise, and therefore does not require the message to be padded.

For example, the message "Hello" will be processed as follows (pseudocode):

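```
// One block-cipher call yields 16 bytes of keystream
byte stream[16] = AES(Key, Nonce);
byte plaintext[5]  = "Hello";
byte ciphertext[5];
// XOR only as many keystream bytes as the message has (i = 0..4)
for i from 0 to 5:
    ciphertext[i] = plaintext[i] XOR stream[i];
```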

The remaining bytes of the pseudorandom stream, beyond the length of the message, are simply discarded.

Samuel Neves
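The answer's point, extended to messages longer than one block, as an added example that is not part of the original answer: the keystream is produced 16 bytes at a time, but the XOR covers exactly as many bytes as the message has, so no padding is needed and a shorter message's ciphertext is a prefix of a longer one's. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the AES block function so that the code runs on the Python standard library alone, and the 8-byte nonce plus 8-byte counter layout, the key and the messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES(key, block): HMAC-SHA256 truncated to 16 bytes.

    Assumption for this example only, so it needs no third-party package.
    CTR never inverts the block function, so any keyed PRF shows the
    same structure.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes, generated one 16-byte block at a time."""
    if len(nonce) != 8:
        raise ValueError("this example uses an 8-byte nonce and an 8-byte counter")
    out = bytearray()
    counter = 0
    while len(out) < length:
        counter_block = nonce + counter.to_bytes(8, "big")
        out += block_fn(key, counter_block)
        counter += 1
    return bytes(out[:length])  # surplus bytes of the last block are discarded


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream, byte by byte."""
    ks = keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


if __name__ == "__main__":
    key = bytes(range(16))         # constructed sample key
    nonce = b"\x00" * 7 + b"\x01"  # constructed sample nonce
    for msg in (b"Hello", b"A message spanning three blocks, 37 B"):
        ct = ctr_xor(key, nonce, msg)
        assert len(ct) == len(msg)             # no padding was added
        assert ctr_xor(key, nonce, ct) == msg  # the same operation decrypts
        print(len(msg), ct.hex())
```

Because the keystream depends only on the key and the counter block, encrypting two messages under the same key and nonce reuses the same keystream bytes, so the nonce must be unique per message.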