Re: ECB-Counter AES mode

On 2008-11-28, Karl Malbrain <malbrain@xxxxxxxxx> wrote:
Is there an obvious weakness I'm overlooking in empressing a sequential
counter value over the plain text block with XOR prior to AES encryption and
removing the counter value after AES decryption?

Others have already noted that this may still leak information if the
plaintext blocks happen to contain an arithmetic progression.

However, the question I'd like to ask is: if your application allows
you to do

ciphertext = AES(plaintext XOR counter; key),

why can't you instead do

ciphertext = plaintext XOR AES(counter; key)?

Then you'd be using a standard block cipher mode (CTR) with well
established security properties.

--
Ilmari Karonen
To reply by e-mail, please replace ".invalid" with ".net" in address.
.

Relevant Pages

  • Re: Authenticating encrypted messages?
    ... > therefore any change in the ciphertext cancels out and leaves ... if one uses modular addition in place of XOR. ... In my follow-up to Gregory Rose, I wrote "using the modular ... sum of all preceding ciphertext and plaintext blocks ...
    (sci.crypt)
  • Re: Help me understand Tweakable Block Cipher / LRW
    ... >encryption. ... XOR the computed value hwith the ... Why is the ciphertext further processed by ... theory or theoretical computer science. ...
    (sci.crypt)
  • Re: byte inversion in ciphertext
    ... decryption, resulting in a large expenditure of work. ... Ci = Pi xor K xor N xor Ci-1 ... so if k is the length of the ciphertext then if the ciphertext is 384 bytes ...
    (sci.crypt)
  • Re: Simple cipher program help
    ... For the first round, calculate ... L= R xor ... Land Rto make the 64-bit ciphertext. ... Then combine Land Rto yield the 64-bit plaintext. ...
    (sci.crypt)
  • Re: stream ciphers
    ... > You take each byte of keystream and combine it with a byte of ... > plaintext to get a byte of ciphertext. ... Xor is comfortable as P xor K xor K = P. That's probably why it's the ...
    (sci.crypt)
Loading