[Cryptography] updating a counter

Jerry Leichter leichter at lrw.com
Mon May 19 18:01:24 EDT 2014


On May 19, 2014, at 9:58 AM, Sandy Harris <sandyinchina at gmail.com> wrote:

> There are quite a few applications for block ciphers in counter mode,
> but for large block sizes it looks as though a simple counter is not
> ideal. Can we discuss better ways?
> 
> With a straight counter only a few bits change on most iterations and
> the high bits almost never, even if the counter is initialised
> randomly. If you start from zero, reset the counter when rekeying, and
> rekey at some sensible interval like 2^32 iterations, 96 bits of a
> 128-bit counter or 224 bits of a 256-bit one will never change. This
> may not break things, but it cannot be a good idea to use a series of
> values with small Hamming differences and many known bits....

As others have pointed out, this is probably not worth doing:  If your cipher is vulnerable to this kind of attack, it's just vulnerable.

However ... if it makes you feel better, an approach I've used for very different purposes will work here:  Choose a random odd increment and instead of incrementing by 1, increment by that random value.  Send the increment as the first (encrypted, why not) block.  This is about as fast and cheap as you can get, and if you're worried you're still revealing too much and may be leaving your cipher open to attack ... you really need to choose a better cipher.

                                                        -- Jerry
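
The odd-increment counter described in the message above, as an added example that is not part of the original post. All function names are hypothetical, and the fixed step in the demo is a constructed sample value. An odd step is coprime to 2^bits, so the counter still visits every value before repeating, while successive values differ in many more bits than with a step of 1.

```python
import secrets

def random_odd_increment(bits: int) -> int:
    """Pick a uniformly random odd step in [1, 2**bits)."""
    return secrets.randbits(bits) | 1

def counter_blocks(start: int, step: int, bits: int, count: int):
    """Yield `count` counter values start, start+step, ... modulo 2**bits."""
    mask = (1 << bits) - 1
    value = start & mask
    for _ in range(count):
        yield value
        value = (value + step) & mask

def distinct_values(step: int, bits: int) -> int:
    """Count distinct counter values over 2**bits steps (small widths only)."""
    return len(set(counter_blocks(0, step, bits, 1 << bits)))

def mean_hamming(step: int, bits: int, count: int) -> float:
    """Average number of bits that change between successive counter values."""
    values = list(counter_blocks(0, step, bits, count + 1))
    flips = sum(bin(a ^ b).count("1") for a, b in zip(values, values[1:]))
    return flips / count

def to_block(value: int, bits: int) -> bytes:
    """Encode a counter value as a big-endian cipher input block."""
    return value.to_bytes(bits // 8, "big")

# Constructed sample step (odd), fixed so the demo is reproducible.
SAMPLE_STEP = 0x9E3779B97F4A7C15F39CC0605CEDC835

if __name__ == "__main__":
    # Full period check at a toy width: odd steps never repeat early.
    print("distinct, step 0xABD (odd):", distinct_values(0xABD, 12))
    print("distinct, step 6 (even):   ", distinct_values(6, 12))
    # Bit changes per iteration at 128 bits: step 1 versus an odd step.
    print("mean flips, step 1:     ", mean_hamming(1, 128, 1024))
    print("mean flips, sample step:", mean_hamming(SAMPLE_STEP, 128, 1024))
    # In use: draw a fresh step per key and send it as the first block.
    step = random_odd_increment(128)
    print("first block (the step):", to_block(step, 128).hex())
```

An even step shortens the period (step 6 at 12 bits reaches only half the values), which is why the increment must be odd.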
