Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [ctr]

Counter Mode (CTR) is an encryption mode, that builds a random-access stream-cipher from a block-cipher.

Counter Mode (CTR), also known as Segmented Integer Counter (SIC) or Integer Counter Mode (ICM), makes a block-cipher into a random-access stream cipher by generating a keystream using the block-cipher that is XORed with the plaintext to produce the ciphertext. CTR mode generates keystream blocks by encrypting successive values of a non-repeating counter with the block-cipher.

See the wikipedia page for more information.

267 questions
50
votes
2 answers

AES CBC mode or AES CTR mode recommended?

What are the benefits and disadvantages of CBC vs. CTR mode? Which one is more secure?
mary
  • 1,071
  • 3
  • 11
  • 13
26
votes
2 answers

Why do we use XTS over CTR for disk encryption?

I'm taking Prof. Boneh's crypto class from Coursera, and am unsure on the requirement for XTS mode for disk encryption. It seems that CTR mode would do exactly what XTS can do, but is simpler to implement? In either mode, I will use the disk sector…
shrek
  • 363
  • 3
  • 5
24
votes
1 answer

Is it safe to use a randomized IV for CTR mode?

I'm currently reading the chapter of Cryptographic Engineering (Ferguson, Schneier, Kohno 2010) about block cipher modes of operation. They have recommended CBC with random IV instead of CTR due to the difficulty of generating nonces for CTR: In…
user1114
  • 855
  • 2
  • 10
  • 26
20
votes
1 answer

Why must IV/key-pairs not be reused in CTR mode?

Many sources mention that IVs must not be reused with the same key in CTR mode, for encrypting 2 different pieces of data, because that totally destroys security - but I haven't found an explanation so far as to why this is the case. The issue is…
Dexter
  • 647
  • 1
  • 6
  • 10
20
votes
4 answers

Is SHA-256 secure as a CTR block cipher?

Generate a 256-bit random nonce. XOR it with a 256-bit reusable symmetric key. This is x. We represent numbers in simple binary instead of a counting function. 0 in dec = [256 zeros] in binary, 1 = [255 zeros]1, 23092348 = [241…
Jordan
  • 595
  • 1
  • 4
  • 9
17
votes
1 answer

What is wrong with AES-CTR-HMAC-SHA256 - or why is it not in TLS?

It seems the only specified CTR mode ciphers in TLS are all GCM based. GCM ciphers run AES-CTR and do authenticated encryption with a MAC based on Galois-field arithmetic ("GHASH") - and the latter seems to be difficult to get right in software…
oberstet
  • 447
  • 1
  • 5
  • 12
14
votes
4 answers

Disadvantages of AES-CTR?

On paper, it sounds *very* good to me: secure fast (in my tests it's somewhat slower than ECB (but without most of the weaknesses, more on that below) but faster than every other alternative I tested, which were ECB, CTR, CBC, OFB, CFB written in…
hanshenrik
  • 569
  • 1
  • 5
  • 17
14
votes
2 answers

What are the risks of using CTR mode with 64 bit blocks?

On DJB's blog he writes: I was one of about 40 people sitting in a meeting where the speaker, NSA's Louis Wingers (one of the Simon and Speck authors), falsely claimed that counter mode is safe for 64-bit blocks, since counter mode doesn't have…
Future Security
  • 3,381
  • 1
  • 10
  • 26
14
votes
1 answer

Reusing keys with AES-CBC

I heard that key/IV pairs must not be reused in AES-CTR, or when using any stream cipher for that matter. Yet the attacks described do not seem to apply to AES-CBC. Is reusing the same key several times dangerous in AES-CBC mode? Does the use of a…
user2398029
  • 523
  • 1
  • 3
  • 14
12
votes
1 answer

Deterministic nonces in CTR mode

I want to encrypt a file with AES in CTR mode. I have a 256 bit master key and the file. Given these, the encryption must be deterministic, so I can't use a random nonce in the usual way. Fortunately the master key will be unique¹. My original plan…
CodesInChaos
  • 25,121
  • 2
  • 90
  • 129
11
votes
1 answer

Why doesn't CTR mode require blocking?

I've been reading a bit about block cipher modes and I have a relatively straightforward question regarding CTR. In essence, I was hoping you guys would be kind enough to validate my understanding of things. As I understand it, CTR does the…
Louis Thibault
  • 221
  • 2
  • 5
11
votes
3 answers

AES CTR with similar IVs and same key

Let's say there is a piece of software that uses AES CTR to encrypt different messages using the same key but with slightly different IVs. So for example, a 16 byte IV, the 2nd 8 bytes are always the same, but the 1st 8 bytes are random. How…
bwbrowning
  • 243
  • 4
  • 7
10
votes
2 answers

What does a stream cipher provide that cannot be obtained with AES CTR mode operation?

I can precompute the key stream for the CTR mode operation and the encryption at that point is similar to a stream cipher. So why are there stream ciphers still used and proposed after RC4? Recently the ChaCha20 as part of the ChaCha20-Poly1305 AE…
user220201
  • 881
  • 4
  • 9
  • 15
10
votes
2 answers

Why does CTR mode XOR the plaintext into the output of the block cipher rather than XORing the plaintext into the input of the block cipher?

As I understand it, CTR mode essentially turns a block cipher into a stream cipher like so: _______________ | | | | nonce | i | |_______|_______| | _______V_______ | …
icktoofay
  • 203
  • 2
  • 7
9
votes
3 answers

Why is it good to split a CTR-mode counter into nonce and counter?

When discussing the CTR mode of block ciphers, Wikipedia says the following: Simply adding or XORing the nonce and counter into a single value would completely break the security under a chosen-plaintext attack. I don't understand the difference…
Myria
  • 2,635
  • 15
  • 26
1
2 3
17 18