
*From*: Patrick Chkoreff <pc AT fexl.com>
*Subject*: Re: [Cryptography] Shortening block cipher length...
*Date*: Mon, 19 Jul 2021 09:16:09 -0400
*List-archive*: <https://www.metzdowd.com/pipermail/cryptography>
*Sender*: "cryptography" <cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com>
*To*: cryptography AT metzdowd.com

Ray Dillinger wrote on 7/17/21 12:23 PM:

> What's wrong with 'counter mode' is that the ciphertext is the plaintext XOR some deterministic stream of bits. This is categorically wrong. This is old-style XOR stream cipher construction and should never ever be used anywhere.

Do you consider NaCl to be vulnerable in that regard? https://nacl.cr.yp.to/

stream_xor

> It suffers from three categories of attack that proper ciphers do not. First, known or guessed plaintext exposes the deterministic stream of bits, which can then be inspected or attacked more easily. Second, known or guessed deterministic stream of bits (as happens when someone fails to initialize their PRNG properly) exposes plaintext. Third, an attacker can modify the plaintext arbitrarily at known bit positions and offsets regardless of the deterministic stream of bits. Controlling for, detecting, and preventing this sort of shenanigans makes XOR stream ciphers fragile - far too easy to get wrong and far too easy to make with usage limitations and requirements that users and implementors will inadvertently violate.

I wonder if DJB's philosophy regarding your points there is simply: 0. Do not reuse a nonce. 1. Do not reuse a nonce.

> XOR stream ciphers, including counter mode, should be regarded as insecure. Not because they are based on flawed theory. But in practical terms making sure of all the steps and requirements to get what theory says you should, can go wrong too easily. Counter mode, classically, is P XOR E(Ctr) = C. Using the same set of operations the same number of times each you can implement a clearly superior counter mode E(P XOR Ctr) = C. This second mode suffers none of the above indignities and makes no sacrifice in efficiency. It dominates the original XOR counter mode in security vs. efficiency, requiring no new operations. Therefore there is no excuse for using the original XOR counter mode ever again.

-- Patrick

_______________________________________________
The cryptography mailing list
cryptography AT metzdowd.com
https://www.metzdowd.com/mailman/listinfo/cryptography
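The two single-block constructions contrasted in the quoted text, P XOR E(Ctr) and E(P XOR Ctr), as an added example that is not part of the thread: both are built on AES from Go's standard library under a constructed key and nonce, and `plaintextDamage` measures what one flipped ciphertext bit does to the decrypted block in each mode. All function names and the demo key/nonce are my own assumptions.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"math/bits"
)
// Constructed 16-byte demo key (assumption). Counter mode still needs a fresh nonce per message.
var blk, _ = aes.NewCipher([]byte("0123456789abcdef"))
// ctrBlock builds the 16-byte counter input for block i: fixed demo nonce || big-endian i.
func ctrBlock(i uint64) []byte {
	b := append([]byte("nonce-64"), make([]byte, 8)...)
	binary.BigEndian.PutUint64(b[8:], i)
	return b
}
func xor16(a, b []byte) []byte {
	out := make([]byte, 16)
	for j := range out {
		out[j] = a[j] ^ b[j]
	}
	return out
}
// xorCTR is classic counter mode on one block, C = P XOR E(Ctr); decryption is the same call.
func xorCTR(p []byte, i uint64) []byte {
	ks := make([]byte, 16)
	blk.Encrypt(ks, ctrBlock(i))
	return xor16(p, ks)
}
// whitenedEnc is the variant proposed in the quoted message, C = E(P XOR Ctr).
func whitenedEnc(p []byte, i uint64) []byte {
	c := make([]byte, 16)
	blk.Encrypt(c, xor16(p, ctrBlock(i)))
	return c
}
// whitenedDec inverts it: P = D(C) XOR Ctr.
func whitenedDec(c []byte, i uint64) []byte {
	out := make([]byte, 16)
	blk.Decrypt(out, c)
	return xor16(out, ctrBlock(i))
}
// plaintextDamage flips one ciphertext bit, decrypts, and counts changed plaintext bits per mode.
func plaintextDamage(p []byte) (xorBits, whitenedBits int) {
	c1, c2 := xorCTR(p, 1), whitenedEnc(p, 1)
	c1[0], c2[0] = c1[0]^0x01, c2[0]^0x01 // the same single-bit change in transit for both
	d1, d2 := xorCTR(c1, 1), whitenedDec(c2, 1)
	for j := range p {
		xorBits += bits.OnesCount8(p[j] ^ d1[j])
		whitenedBits += bits.OnesCount8(p[j] ^ d2[j])
	}
	return
}
```

In classic CTR the flipped ciphertext bit lands as exactly that plaintext bit, which is the bit-position malleability Ray describes, while in E(P XOR Ctr) the whole block decrypts to unrelated bytes. Neither mode detects that tampering occurred, so a MAC or an AEAD mode is still needed for integrity.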
