Join Log in
Score:0
jared chong avatar Crypto

How to use nonce, counter, and IV in AES-256-CTR?

id flag
jared chong

preface: i am not cryptographically savvy. there are similar questions on this board but they do not give the answer i need.

how do i construct a valid IV, given a nonce? What does this have to do with a counter?

im doing 2-way communication with a bluetooth module (it is the server to my phone's client) and its data is encrypted using AES-256-CTR with a 32B key and a 128-bit (16B) counter. after successful login, i am given the 32B key and a 96-bit (12B) nonce.

the lib i use for decryption requires an IV. i don't fully understand what it is, but i've tried concatenating the 12B nonce with '00 00 00 01' (hex) to make the counter, and use that as the IV. no dice.

how i'm testing, is i'm going through the module's API to relay "hello world" via bluetooth from the server. the client receives an encrypted string as expected, but the same "hello world" is encrypted into something different each time.

more details available if needed!

412
1 + 4
aes
ctr
forest avatar
vn flag
forest
IV is just another word for nonce in CTR.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
@forest Usually the nonce is smaller than the IV; it only consist of the higher order bits. Having a random nonce the size of the full counter makes no sense because you may need to encrypt fewer bits to run into a collision. If the last part is all zero bits then at least you know the amount of space between two subsequent nonces.
0
Reply
forest avatar
vn flag
forest
@MaartenBodewes I've always heard the two being interchangeable, unless you're talking about the actual input to the block cipher itself rather than parameters to the block cipher in CTR mode?
0
Reply
kelalaka avatar
in flag
kelalaka
@forest actually, NIST calls them only counter-block, [page 16 and also see 19](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf) and
0
Reply
Score:2
Maarten Bodewes avatar Crypto
in flag
Maarten Bodewes

how do i construct a valid IV, given a nonce? What does this have to do with a counter?

You may not expect this, but it depends; multiple schemes are equally secure (e.g. big endian vs little endian). Generally though the counter value is a 128 bit unsigned big endian integer. The nonce is the most significant (leftmost) part of that integer.

Furthermore, the initial low part of the counter would start at (all) zero - not one as in your example.

So you'd have:

NNNNNNNN NNNNNNNN NNNNNNNN 00000000

as starting value (as hexadecimals, where N represents some hex digit of the nonce), where the left is the most significant part. Of course this is the case with a 96 bit nonce and a 32 bit counter. This starting value is commonly called the IV.

As the size of the nonce may vary many libraries, usually the increase of the counter is done modulus $2^{128}$, with the disadvantage that an overflow in the lowest 32 bit will affect the nonce. It is usually up to the user of the AES library to test this (but you'd need $2^{32} * 16 = 64 \text{GiB}$ or almost $69 \text{GB}$ to get there).

but the same "hello world" is encrypted into something different each time

Yeah, so most likely the nonce changes every time. Either that or the key changes, or even both the key and the nonce.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.