[Cryptography] Question re: Initialization Vector for AES Counter Mode…

Jerry Leichter leichter at lrw.com
Sun Apr 30 18:07:18 EDT 2017


> 
>> A reasonable protection from bitflipping, if you want something that
>> works like a counter mode, doubles the work of encryption/decryption.
>> That is to separately encrypt the plaintext and the counter, and let the
>> ciphertext be the XOR of the result.  To decrypt, one encrypts the
>> counter, XORs the result with the ciphertext, then decrypts the result
>> to get the plaintext.
> 
> Why not just add the counter to the key and then encrypt?
Two reasons come to mind.  First, key setup is fairly expensive.  Changing the key every block is generally not a good way to go - though if you get enough security, it might be worth it.  But ... second, you're deliberately creating a situation in which successive blocks are encrypted by closely related keys.  This can be hazardous, as related key attacks are known (though how significant they are against typical uses of AES is another question).
                                                        -- Jerry
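
Added example (not part of the original message or thread): the construction quoted above, C = E(P) XOR E(counter), run next to plain counter mode to show what a one-bit ciphertext flip does in each. Assumption: E/D are a toy 4-round Feistel permutation built from SHA-256, standing in for AES so the code runs with only the standard library; the key, counter and plaintext are constructed.

```python
import hashlib

BLOCK = 16  # bytes, the AES block size

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: truncated SHA-256 of key, round number, half-block
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for AES (assumption; not secure)
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    # Inverse of E: undo the rounds in reverse order
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def keystream(key: bytes, counter: int) -> bytes:
    return E(key, counter.to_bytes(BLOCK, "big"))  # encrypted counter block

def ctr_crypt(key, counter, data):  # plain counter mode, same in both directions
    return _xor(data, keystream(key, counter))

def masked_encrypt(key, counter, plaintext):  # C = E(P) xor E(counter)
    return _xor(E(key, plaintext), keystream(key, counter))

def masked_decrypt(key, counter, ciphertext):  # P = D(C xor E(counter))
    return D(key, _xor(ciphertext, keystream(key, counter)))

def flip_bit(block: bytes) -> bytes:
    return bytes([block[0] ^ 0x01]) + block[1:]  # lowest bit of byte 0

def tamper_demo():
    key, ctr, p = b"constructed-key!", 7, b"PAY ALICE $00100"  # constructed values
    ctr_out = ctr_crypt(key, ctr, flip_bit(ctr_crypt(key, ctr, p)))
    masked_out = masked_decrypt(key, ctr, flip_bit(masked_encrypt(key, ctr, p)))
    changed = lambda a, b: sum(x != y for x, y in zip(a, b))
    return changed(p, ctr_out), changed(p, masked_out)

if __name__ == "__main__":
    print(tamper_demo())  # (bytes changed under CTR, bytes changed under masked scheme)
```

Under plain counter mode the flip lands on exactly the chosen plaintext bit; under the masked construction the whole block decrypts to unrelated bytes, but nothing in either scheme detects the tampering.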


