[Cryptography] Odd bit of security advice
Dennis E. Hamilton
dennis.hamilton at acm.org
Tue Jun 5 17:36:52 EDT 2018
[mailto:cryptography-bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf
Of Christian Huitema
Sent: Monday, June 4, 2018 19:44
To: Jerry Leichter <leichter at lrw.com>
Cc: Cryptography Mailing List <cryptography at metzdowd.com>
Subject: Re: [Cryptography] Odd bit of security advice
[ ... ]
> Note that it
> is not acceptable to use a truncation of a counter encrypted with a
> 128-bit or 256-bit cipher, because such a truncation may repeat after
> a short time."
> It's that last comment - that the bottom 64 bits of a counter encrypted with
> a 128- or 256-bit cipher may repeat after a short time - that really puzzles
> me. Surely any 128- or 256-bit cipher with this property would immediately
> fail certification, as it would be easily distinguishable from a random
> What am I missing?
You are missing the birthday paradox. Encrypting a counter is a bijection
that guarantees uniqueness. Truncating the encryption yields a random number
that has no such guarantee.
I think the use of the word "repeat" is the problem. It won't repeat, as with a
cyclic generator, but duplicates will show up, in some haphazard manner, and
that undermines the objective. Isn't that the birthday-paradox connection?
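As an added illustration of the point above (example code, not from anyone in the thread): a 32-bit Feistel permutation keyed with HMAC-SHA256 stands in for the block cipher, and the key and counter range are constructed for the demo. The full 32-bit output of the encrypted counter never shows a duplicate, while keeping only the low 16 bits yields one after roughly sqrt(pi/2 * 2^16), about 321 values, and the pigeonhole principle guarantees one within 2^16 + 1.

```python
import hashlib
import hmac

HALF_BITS = 16                      # block = two 16-bit halves = 32 bits
MASK = (1 << HALF_BITS) - 1
ROUNDS = 4
KEY = b"constructed-demo-key"       # constructed for the demo, not a real key


def round_function(key: bytes, rnd: int, half: int) -> int:
    """Keyed PRF on one 16-bit half: HMAC-SHA256 truncated to 16 bits."""
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")


def encrypt_block(key: bytes, block: int) -> int:
    """4-round Feistel permutation on a 32-bit block. A Feistel network is a
    bijection whatever the round function, so distinct counters always give
    distinct 32-bit outputs (encrypting a counter is a bijection)."""
    left, right = block >> HALF_BITS, block & MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ round_function(key, rnd, right)
    return (left << HALF_BITS) | right


def encrypted_counter(key: bytes, n: int, trunc_bits=None) -> list:
    """Encrypt counters 0..n-1; optionally keep only the low trunc_bits bits."""
    outputs = []
    for ctr in range(n):
        c = encrypt_block(key, ctr)
        if trunc_bits is not None:
            c &= (1 << trunc_bits) - 1   # the truncation the quoted advice rejects
        outputs.append(c)
    return outputs


def first_duplicate(values):
    """Index at which some earlier value reappears, or None if all are distinct."""
    seen = set()
    for i, v in enumerate(values):
        if v in seen:
            return i
        seen.add(v)
    return None


if __name__ == "__main__":
    print("full 32-bit outputs, first duplicate:",
          first_duplicate(encrypted_counter(KEY, 100_000)))
    # Birthday bound: expect a repeat after about sqrt(pi/2 * 2**16) ~ 321 values.
    print("low 16 bits only, first duplicate:",
          first_duplicate(encrypted_counter(KEY, 2 ** 16 + 1, trunc_bits=16)))
```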