[Cryptography] Shortening block cipher length...

Ray Dillinger bear at sonic.net
Sat Jul 17 12:23:45 EDT 2021
On 7/8/21 4:24 AM, Sampo Syreeni wrote:
> On 2021-03-29, Peter Gutmann wrote:
>
>>> For that matter, what's wrong with Counter Mode?
>>
>> It turns any strong block cipher into the functional equivalent of
>> RC4. So what you're saying there is "what's wrong with RC4"?
>
> Functional equivalent of RC4 isn't the same as RC4, as a bad cipher.
>
> If you substitute a better cipher for RC4 in said construction,
> suddenly it can become secure as fuck.

     What's wrong with 'counter mode' is that the ciphertext is the
plaintext XOR some deterministic stream of bits.  This is categorically
wrong.  This is old-style XOR stream cipher construction and should
never ever be used anywhere.

     It suffers from three categories of attack that proper ciphers do
not.  First, known or guessed plaintext exposes the deterministic
stream of bits, which can then be inspected or attacked more easily.
Second, a known or guessed deterministic stream of bits (as happens when
someone fails to initialize their PRNG properly) exposes plaintext.
Third, an attacker can modify the plaintext arbitrarily at known bit
positions and offsets regardless of the deterministic stream of bits.
Controlling for, detecting, and preventing this sort of shenanigans
makes XOR stream ciphers fragile - far too easy to get wrong and far too
easy to make with usage limitations and requirements that users and
implementors will inadvertently violate.

     XOR stream ciphers, including counter mode, should be regarded as
insecure.  Not because they are based on flawed theory, but because in
practical terms, making sure of all the steps and requirements needed to
get what theory says you should can go wrong too easily.

     Counter mode, classically, is P XOR E(Ctr) = C.  Using the same set
of operations the same number of times each you can implement a clearly
superior counter mode E(P XOR Ctr) = C.  This second mode suffers none
of the above indignities and makes no sacrifice in efficiency.  It
dominates the original XOR counter mode in security vs. efficiency,
requiring no new operations.  Therefore there is no excuse for using the
original XOR counter mode ever again.

Bear
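The two constructions and the three attack categories from the post above, as an added example that is not part of the original message. It uses a small Feistel network built from SHA-256 as a stand-in block cipher so that it runs with only the Python standard library (swap in AES for anything real); the key, nonce and messages are constructed for the demo, the nonce is deliberately reused between two messages to show keystream recovery, and all function names are the example's own.

```python
import hashlib

BLOCK = 16          # block size in bytes, same as AES-128
HALF = BLOCK // 2


def xor(a: bytes, b: bytes) -> bytes:
    # XOR up to the length of the shorter input (handles a short final chunk)
    return bytes(x ^ y for x, y in zip(a, b))


# --- stand-in block cipher: 8-round Feistel network with a SHA-256 round function.
# Chosen only so this example runs offline; not a recommendation for production use.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in range(8):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def counter_block(nonce: bytes, i: int) -> bytes:
    # nonce || big-endian block index, padded to one block
    return nonce + i.to_bytes(BLOCK - len(nonce), "big")


# --- classical counter mode: C = P XOR E(Ctr). The same function decrypts. ---
def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, counter_block(nonce, i // BLOCK))
        out += xor(data[i:i + BLOCK], keystream)
    return bytes(out)


# --- the construction proposed in the post: C = E(P XOR Ctr), P = D(C) XOR Ctr.
# Full blocks only; padding is outside the scope of this example.
def ctr_enc_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr = counter_block(nonce, i // BLOCK)
        out += block_encrypt(key, xor(data[i:i + BLOCK], ctr))
    return bytes(out)


def ctr_enc_decrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr = counter_block(nonce, i // BLOCK)
        out += xor(block_decrypt(key, data[i:i + BLOCK]), ctr)
    return bytes(out)


# --- constructed demo inputs (two 32-byte messages, one key, one reused nonce) ---
KEY = bytes(range(16))
NONCE = bytes(8)
P1 = b"amount=00000100 " + b"payee=bob" + b" " * 7
P2 = b"amount=00009999 " + b"payee=mallory" + b" " * 3


def recover_with_known_plaintext() -> bytes:
    """Attacks 1 and 2: known P1 exposes E(Ctr), which then exposes P2
    when the same key and nonce are reused."""
    c1 = ctr_xor(KEY, NONCE, P1)
    c2 = ctr_xor(KEY, NONCE, P2)
    keystream = xor(P1, c1)          # the deterministic stream of bits
    return xor(c2, keystream)        # equals P2, no key needed


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attack 3: XOR (old ^ new) into the ciphertext at a known offset."""
    c = bytearray(ciphertext)
    for k, d in enumerate(xor(old, new)):
        c[offset + k] ^= d
    return bytes(c)


def flip_amount_ctr_xor() -> bytes:
    """Against P XOR E(Ctr): the flipped bytes land exactly in the plaintext."""
    forged = tamper(ctr_xor(KEY, NONCE, P1), 7, b"00000100", b"00009999")
    return ctr_xor(KEY, NONCE, forged)


def flip_amount_ctr_enc() -> bytes:
    """Against E(P XOR Ctr): the same flip scrambles the whole first block,
    while the untouched second block still decrypts correctly."""
    forged = tamper(ctr_enc_encrypt(KEY, NONCE, P1), 7, b"00000100", b"00009999")
    return ctr_enc_decrypt(KEY, NONCE, forged)
```

Calling the three demo functions reproduces the post's claims in order: the known-plaintext recovery returns P2 without the key, the bit flip against classical counter mode yields "amount=00009999" with the rest of the message untouched, and the same flip against E(P XOR Ctr) turns the first block into garbage while the second block survives. The example demonstrates only the malleability difference the post describes; it says nothing about any other property of either construction, and neither of them authenticates the ciphertext, so a receiver still has no way to tell the scrambled block from legitimate data without a separate integrity check.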
