4.5.2 Encryption and Decryption with OFB and CTR
In the previous sections we built encryption and decryption functions for OFB and
CTR modes, using AES as block cipher. These functions only accept messages
given as lists of bytes and now we are going to define higher level functions that can
encrypt and decrypt real messages using these modes of operation. Both OFB and
CTR use an IV. In the case of OFB, the IV must be a nonce, i.e., it must be unique
for each execution of the mode under a given key. For CTR, the IV (called, in this
case, the initial counter) must be chosen so that all counters are different from each
other across all of the messages that are encrypted under a given key (in both cases,
except possibly with negligible probability). In the case of CTR we have seen in the
proof of Theorem 4.1 that non-repetition of counter values ensures that an adversary
has negligible advantage in an IND-CPA attack against this mode, assuming that the
underlying block cipher is a pseudo-random permutation (similarly, CPA security for
OFB with a nonce as IV can be proved as in the first part of the proof of Theorem 4.1,
because then the keystream generated behaves like a one-time pad). In the same proof
we have also seen that, if the initial counter is randomly chosen, then the probability
of a repeated counter value is negligible and, as a consequence, the adversary's
advantage in an IND-CPA attack is also negligible. Thus, for both modes, choosing
a random IV is sufficient to ensure that the required conditions are satisfied except
possibly with negligible probability. However, since generating random IVs requires
a physical source of entropy, we are going to give Maple functions that also offer the
possibility to generate these initialization vectors in a different way that is sufficient
to ensure that, in this restricted environment, the non-repetition conditions mentioned
above are satisfied.
Other than choosing it at random, a common technique to obtain a nonce is based
on using a timestamp, i.e., a sequence of bytes obtained from the date/time at which
the nonce is generated. Since Maple only retrieves the current date/time up to the
second, in order to obtain a nonce we will add values obtained from one of Maple's
pseudo-random algorithms. The only purpose of these values is to prevent a repetition
of the IV value if several encryptions are done within the same second (as the nonce
will be generated at encryption time) and so we do not need to worry about the seed
being non-random in this case.
Taking into account these remarks, the next function generates a nonce of length
n (i.e., a list of n bytes) as follows. Using StringTools:-FormatTime with
the appropriate format string and then using sscanf, a list of six bytes is obtained,
corresponding to the last two digits of the year, the month of the year, the day of the
month, the hour (in 24-hour clock format), the minute and the second. This sequence
of six bytes is then completed with n − 6 pseudo-randomly generated bytes. Note
that it would be a mistake to initialize the generator each time that nonce() is
invoked because, since the seed is taken from the system clock, this would allow the
possibility of obtaining two equal values in succession. On the other hand, a repeated
value could possibly be obtained if several computers are simultaneously used (or
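The nonce construction described above, written in Python rather than the book's Maple, as an added example that is not from the book. Python's `time.strftime` and `int` stand in for StringTools:-FormatTime and sscanf, and `random.Random` (a non-cryptographic generator, which is all the text requires here) stands in for the Maple pseudo-random algorithm. The example assumes n ≥ 6 so that the six timestamp bytes fit. It also includes a deliberately wrong variant, `nonce_reseeding_each_call`, that re-seeds the generator from the second-resolution clock on every call, to show the repetition the text warns about.

```python
import random
import time

# One generator for the whole session, seeded exactly once. As the text notes,
# the seed need not be random: the generator only has to separate nonces
# produced within the same second.
_GEN = random.Random(time.time_ns())


def timestamp_bytes(t=None):
    """Six bytes YY, MM, DD, HH, MM, SS from the local time t (a struct_time).

    Analogue of StringTools:-FormatTime followed by sscanf: the time is
    formatted to the second and each field is parsed back into an integer.
    """
    if t is None:
        t = time.localtime()
    fields = time.strftime("%y %m %d %H %M %S", t).split()
    return [int(f) for f in fields]


def nonce(n, t=None, gen=_GEN):
    """Nonce of n bytes: six timestamp bytes followed by n - 6 pseudo-random bytes.

    Assumes n >= 6 (hypothetical restriction added for this example).
    """
    if n < 6:
        raise ValueError("nonce length must be at least 6 bytes")
    return timestamp_bytes(t) + [gen.randrange(256) for _ in range(n - 6)]


def nonce_reseeding_each_call(n, t=None):
    """The mistake described in the text: a fresh generator, seeded from the
    clock, on every call. Calls within the same second get the same seed and
    therefore the same pseudo-random tail, so the nonces repeat."""
    if n < 6:
        raise ValueError("nonce length must be at least 6 bytes")
    gen = random.Random(int(time.time()))  # second-resolution seed
    return timestamp_bytes(t) + [gen.randrange(256) for _ in range(n - 6)]


def count_repeats(nonces):
    """Number of nonces in the list that duplicate an earlier one."""
    return len(nonces) - len({tuple(x) for x in nonces})


if __name__ == "__main__":
    # Constructed fixed time: 2024-03-05 14:07:09 (local), so the output is reproducible.
    fixed = time.struct_time((2024, 3, 5, 14, 7, 9, 1, 65, 0))
    print("timestamp bytes:", timestamp_bytes(fixed))
    print("16-byte nonce:  ", nonce(16, fixed))
    good = [nonce(16, fixed) for _ in range(1000)]
    bad = [nonce_reseeding_each_call(16, fixed) for _ in range(50)]
    print("repeats with one shared generator:", count_repeats(good))
    print("repeats when re-seeding per call: ", count_repeats(bad))
```

Run as a script it prints the six timestamp bytes `[24, 3, 5, 14, 7, 9]`, a sample 16-byte nonce, zero repeats for the shared-generator version and a positive count for the re-seeding version; the shared generator advances its state between calls, whereas the re-seeded one restarts from the same clock value.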