I agree with you about the way to build the initial "ctr" value from the "nonce" value. My question is different: within the encryption of a whole plaintext message (so a big block to be divided into 128-bit blocks), why increment ctr by 2^64 instead of 1 from block to block?
My understanding of the operation is:
- increment nonce by one from message to message (so this is a 2^64 step if considering ctr)
- but for each message:
  - build initial ctr from the nonce value
  - increment ctr by 1 from block to block

Thierry Boivin

At 07:23 06/06/03 -0700, you wrote:
>Thierry Boivin wrote:
>>Hello,
>>I am trying to play with AES crypto in counter mode. Using the crypto library
>>against reference vectors found in IPSec RFC fails until the incrementation
>>function (AES_ctr128_inc()) is modified in order to get a +1 step instead of a +2^64
>>step. Where does the actual "increment by 2^64" come from ?
>
>Read the documents on AES counter mode. The counter is a 64-bit
>counter but the blocksize is 128, and the convention is that the
>counter is a Big Endian number with only the MSW used.
>
>[from Lipmaa, Rogaway & Wagner]
>
> In the recommended usage scenario, the party encrypting maintains an
> integer counter, nonce, initially 0, and produces the string ctr as
> the 128-bit string which encodes the number nonce * 2^64.
>
>Don't ask me *why* it's that way -- the choice of a mere 64 bits is
>clearly done in order to avoid a well-known attack against stream ciphers,
>since one can begin to distinguish a stream from random after 2^90 or so
>samples.
>
>Maybe the Big Endian choice is a subtle protest against Wintel?
>
>--
>
>"Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
> - The Mahabharata
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>Development Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
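
The two step sizes discussed in this thread, as an added example that is not part of the original messages and not OpenSSL code. It builds ctr = nonce * 2^64 as a big-endian 128-bit block and checks whether block 1 of message 0 lands on the same counter block as block 0 of message 1, assuming the nonce goes up by one per message; all function names are hypothetical and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers written for this example; not OpenSSL functions. */

/* ctr = nonce * 2^64: the 64-bit nonce fills the most significant 8 bytes
 * (big endian) and the low 64 bits start at zero. */
void ctr_from_nonce(uint8_t ctr[16], uint64_t nonce)
{
    memset(ctr, 0, 16);
    for (int i = 7; i >= 0; i--, nonce >>= 8)
        ctr[i] = (uint8_t)nonce;
}

/* Add 1 to bytes [0..last] read as one big-endian integer, with carry.
 * last = 15 is a +1 step on the 128-bit block; last = 7 is a +2^64 step. */
void ctr_step(uint8_t ctr[16], int last)
{
    for (int i = last; i >= 0; i--)
        if (++ctr[i] != 0)
            break;
}

/* Counter block used for block `idx` of the message numbered `nonce`. */
void ctr_for_block(uint8_t ctr[16], uint64_t nonce, unsigned idx, int last)
{
    ctr_from_nonce(ctr, nonce);
    while (idx--)
        ctr_step(ctr, last);
}

/* 1 if two (nonce, block index) pairs map to the same counter block, which
 * would mean the same keystream block is used twice under one key. */
int ctr_reused(uint64_t n1, unsigned i1, uint64_t n2, unsigned i2, int last)
{
    uint8_t a[16], b[16];
    ctr_for_block(a, n1, i1, last);
    ctr_for_block(b, n2, i2, last);
    return memcmp(a, b, 16) == 0;
}

int main(void)
{
    /* Constructed inputs: message 0 block 1 versus message 1 block 0. */
    printf("+1 per block:    reused=%d\n", ctr_reused(0, 1, 1, 0, 15));
    printf("+2^64 per block: reused=%d\n", ctr_reused(0, 1, 1, 0, 7));
    return 0;
}
```

With a +1 step the per-block count lives in the low 64 bits and stays disjoint from the nonce; with a +2^64 step the per-block count and the per-message nonce share the same 64 bits.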