Cryptography Reference
In-Depth Information
permutation. In this mode the decryption function of the block cipher is not used and
this allows the block cipher to be replaced by a one-way function in some applications.
OFB mode is highly vulnerable to an attack by an active adversary who knows
a plaintext block $m_i$ corresponding to the ciphertext block $c_i$. The adversary may
then choose another plaintext block $x$ and replace the ciphertext block $c_i$ by
$c'_i = x \oplus m_i \oplus c_i$. Then the honest user will decrypt $c'_i$ by computing
$c'_i \oplus r_i = x \oplus m_i \oplus c_i \oplus r_i = x \oplus m_i \oplus m_i = x$.
The best way to prevent this type of attack is by using
some authentication scheme, as we will see in the next chapter; such a scheme would
alert the honest user that the ciphertext has been tampered with. In fact, as a general
rule to defend against active attacks, encryption should always be accompanied by
authentication.
4.3.1.5 Counter Mode
Counter mode (CTR) is similar to OFB in that a stream of input blocks is generated
and these blocks are Xor-ed with the message blocks to produce the ciphertext. The
stream is generated by considering a sequence of counters, which are all distinct, and
applying the forward cipher function to these counters. The counters are obtained
from an initial counter (called also an IV since it plays a similar role to the IV of
other modes) by regarding them as (the binary expansions of) integers and generating
each new counter by adding 1 mod $2^n$, where $n$ is the block length of the underlying
block cipher, to the preceding one (hence the “counter” name). There are different
versions of CTR depending on how the initial counter is generated. One possibility
is to choose it at random in $\{0,1\}^n$ and another is to use a non-random nonce but,
in any case, all the counter values must always be distinct across all the messages
encrypted with a given key. The CTR encryption algorithm is the following:
Algorithm 4.9. CTR encryption.
Input: An $l$-block message $m = m_1 \ldots m_l$, and a block cipher key $k$.
Output: The ciphertext $Enc(k, m) = c_1 \ldots c_l$.
Initialization:
    $ctr \leftarrow \{0,1\}^n$, chosen at random.
Key Stream Computation:
    $r_0 := ctr$;
    for $i$ from 1 to $l$ do
        $r_i := F_k(ctr + i)$
    end do;
Encryption:
    for $i$ from 1 to $l$ do
        $c_i := m_i \oplus r_i$
    end do;
    return $c_1 \ldots c_l$.
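An added example (not from the original text) that implements Algorithm 4.9 and then replays the block substitution described for OFB above, which applies unchanged to CTR because both modes Xor a key stream into the message; it shows the change passing unnoticed without authentication and being rejected with encrypt-then-MAC. The 16-byte block length, the HMAC-SHA256 stand-in for the forward function $F_k$, the HMAC tag, the sample blocks and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

N = 16  # block length in bytes (n = 128 bits); an assumption of this example

def F(k: bytes, counter: int) -> bytes:
    """Forward function F_k. Stand-in PRF (HMAC-SHA256 truncated to one block), not a block cipher."""
    return hmac.new(k, counter.to_bytes(N, "big"), hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def ctr_encrypt(k: bytes, blocks: list, ctr: int = None):
    """Algorithm 4.9: r_i = F_k(ctr + i mod 2^n), c_i = m_i XOR r_i. Returns (ctr, c_1..c_l)."""
    if ctr is None:
        ctr = secrets.randbits(8 * N)  # initial counter chosen at random in {0,1}^n
    mod = 1 << (8 * N)
    return ctr, [xor(m, F(k, (ctr + i) % mod)) for i, m in enumerate(blocks, 1)]

def ctr_decrypt(k: bytes, ctr: int, blocks: list) -> list:
    # Decryption Xors the same key stream; only the forward function is used.
    return ctr_encrypt(k, blocks, ctr)[1]

def tag(k_mac: bytes, ctr: int, blocks: list) -> bytes:
    """Encrypt-then-MAC tag over the initial counter and every ciphertext block."""
    data = ctr.to_bytes(N, "big") + b"".join(blocks)
    return hmac.new(k_mac, data, hashlib.sha256).digest()

def verified_decrypt(k: bytes, k_mac: bytes, ctr: int, blocks: list, t: bytes) -> list:
    if not hmac.compare_digest(t, tag(k_mac, ctr, blocks)):
        raise ValueError("ciphertext has been tampered with")
    return ctr_decrypt(k, ctr, blocks)

def demo():
    k, k_mac = secrets.token_bytes(32), secrets.token_bytes(32)  # independent keys
    m = [b"known block #001", b"second block 002"]  # constructed sample message
    ctr, c = ctr_encrypt(k, m)
    t = tag(k_mac, ctr, c)
    x = b"other block #002"                          # constructed replacement block
    forged = [xor(xor(x, m[0]), c[0]), c[1]]        # c'_1 = x XOR m_1 XOR c_1
    unauthenticated = ctr_decrypt(k, ctr, forged)    # yields x with no error raised
    try:
        verified_decrypt(k, k_mac, ctr, forged, t)
        detected = False
    except ValueError:
        detected = True
    return m, unauthenticated, detected, verified_decrypt(k, k_mac, ctr, c, t)
```

The tag is checked before any key stream is applied, so a modified block never reaches the caller as plaintext.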
 