[Cryptography] Odd bit of security advice

Dennis E. Hamilton dennis.hamilton at acm.org
Tue Jun 5 17:36:52 EDT 2018

-----Original Message-----
From: cryptography [mailto:cryptography-bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Christian Huitema
Sent: Monday, June 4, 2018 19:44
To: Jerry Leichter <leichter at lrw.com>
Cc: Cryptography Mailing List <cryptography at metzdowd.com>
Subject: Re: [Cryptography] Odd bit of security advice

[ ... ]
> Note that it
> is not acceptable to use a truncation of a counter encrypted with a
> 128-bit or 256-bit cipher, because such a truncation may repeat after
> a short time."
> It's that last comment - that the bottom 64 bits of a counter encrypted with 
> a 128- or 256-bit cipher may repeat after a short time - that really puzzles 
> me.  Surely any 128- or 256-bit cipher with this property would immediately 
> fail certification, as it would be easily distinguishable from a random 
> permutation.
> What am I missing?
[Christian]
You are missing the birthday paradox.   Encrypting a counter is a bijection 
that guarantees uniqueness. Truncating the encryption yields a random number 
that has no such guarantee.

I think the use of the word "repeat" is the problem.  It won't repeat, as with a 
cyclic generator, but duplicates will show up, in some haphazard manner, and 
that undermines the objective.  Isn't that the birthday-paradox connection?
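The point both replies are making can be seen directly by exhausting a small permutation. The block below is an added illustration written for this page, not code from any participant in the thread. It builds a toy keyed 32-bit permutation (a four-round Feistel network with a SHA-256 round function and a constructed key; a stand-in for "a counter encrypted with a 128- or 256-bit cipher", not a real cipher), encrypts consecutive counters, and reports when the first duplicate appears, once at full width and once after truncating to the low bits. It also computes the birthday estimate sqrt(pi/2 * 2^w) for a w-bit truncation, so the same function applies to the 64-bit case discussed above. All names here (`feistel32`, `first_collision_index`, `birthday_bound`, `KEY`) are inventions of this example.

```python
import hashlib
import math

# Constructed demo key; any fixed byte string works for the illustration.
KEY = b"constructed-demo-key"


def _round(half: int, rnd: int) -> int:
    """Keyed round function: 16 bits of SHA-256 over (key, round index, half)."""
    data = KEY + rnd.to_bytes(1, "big") + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def feistel32(x: int, rounds: int = 4) -> int:
    """Toy keyed permutation on 32-bit values (Feistel network, so it is a
    bijection: distinct inputs always give distinct outputs). It stands in for
    the block cipher in the thread at a width small enough to exhaust."""
    left, right = (x >> 16) & 0xFFFF, x & 0xFFFF
    for r in range(rounds):
        left, right = right, left ^ _round(right, r)
    return (left << 16) | right


def first_collision_index(n: int, width_bits: int):
    """Encrypt counters 0..n-1, keep the low `width_bits` bits of each output,
    and return the counter value at which an earlier output is first repeated,
    or None if all n truncated outputs are distinct."""
    mask = (1 << width_bits) - 1
    seen = set()
    for ctr in range(n):
        v = feistel32(ctr) & mask
        if v in seen:
            return ctr
        seen.add(v)
    return None


def birthday_bound(width_bits: int) -> float:
    """Expected number of uniformly random `width_bits`-bit values drawn before
    the first repeat: sqrt(pi/2 * 2^width_bits). For width 64 this is about
    5.4e9 blocks, which is what makes a 64-bit truncation unsafe as a nonce."""
    return math.sqrt(math.pi / 2 * (1 << width_bits))


if __name__ == "__main__":
    n = 1 << 16
    # Full 32-bit output: a permutation never repeats, so this prints None.
    print("full width, first repeat at:", first_collision_index(n, 32))
    # Truncated to 16 bits: duplicates appear after a few hundred counters.
    print("16-bit truncation, first repeat at:", first_collision_index(n, 16))
    print("birthday estimate for 16 bits: %.1f" % birthday_bound(16))
    print("birthday estimate for 64 bits: %.3g" % birthday_bound(64))
```

The full-width run walks all 2^16 counters without a single duplicate, because the permutation cannot produce one. The 16-bit truncation is a keyed pseudorandom function, not a permutation, and its first duplicate lands in the few-hundred range predicted by the birthday estimate (about 321 for 16 bits); scaling the same estimate to a 64-bit truncation gives roughly 2^32 blocks, the "short time" the original advice refers to.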
