Join Log in
Score:2
avatar Crypto

CTR overlap with random IV

cn flag
LightBit

Problem:

I'm slightly worried about counter repeats in CTR mode when using random IV.

  • If you split it (like half IV, half counter), it increases chances of same IV (it is smaller) and limits message length (if less than half).
  • If you start with full block IV, counters may overlap.

I would like to somehow get full block IV and half block counter without overlaps.

Proposed solution:

Instead of using random IV as nonce in counter we create new key by encrypting IV with key. We than use that new key for encryption. Counter starts with half zeros and with half of IV or with half of master key to make multi-target attacks harder.

Assume that key, IV, block cipher are all same size.

$k_{data} = E_{k_{master}}(IV)$

$keystream_i = E_{k_{data}}(half(IV) || counter_i)$

Is this any better/worse?

I'm worried this would weaken the key. Different key and IV combination would give same new key. But this is essentially like simple key derivation function with salt. This should allow every message to get up to birthday bound.

252
1 + 7
ctr
kelalaka avatar
in flag
kelalaka
There is already a guideline counter/LFSR [NIST 800-38-a](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf) and [AES CTR: Random IV](https://crypto.stackexchange.com/q/87064/18298)
1
Reply
cn flag
LightBit
First approach is perfect, but not practical. Second approach with random IV is kinda limited to number of messages or length of messages as mentioned.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
I think it is best to think of your construct as a KBKDF. In that case the question becomes: how secure is that KDF? But there are several things unclear to me. If you write $k = E_k(IV)$, do you mean that $k$ will be replaced? In that case you've created a stateful protocol. Normally you'd have a $k_{master}$ and multiple $k_{data}$. Furthermore, should we always assume 128 bit AES? A single block encrypt is not going to generate a 192 or 256 bit key.
1
Reply
cn flag
LightBit
Key is replaced only for a message. It does not change master key. I do assume that key is the same size as block cipher.
1
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
I don't know where that $half(k_{master})$ suddenly comes from, but generally you'd never include key information in your key stream. If I remember correctly you first just had a zero based counter.
0
Reply
cn flag
LightBit
I mentioned it as optional. This is to make multi-target attacks harder. It could also be $half(IV)$, but I thought $k_{master}$ is better because it is secret.
0
Reply
cn flag
LightBit
On second thought, I think $half(IV)$ would be safer. It is less likely to repeat.
0
Reply
Score:-1
Swashbuckler avatar Crypto
mc flag
Swashbuckler

If you can say there's a limit on the amount of data that gets encrypted in a single stream, you can split the IV into a random part and a counter part (e.g. 64 bits of random, generated once per stream) and the counter part (starting at 0). You can split it anyway you want, you just need to worry about the birthday problem for the random size.

Or just use a different key for each stream and start the counter at 0. Never need to worry about overlap in that situation.

0 + 5
cn flag
LightBit
Yes, but in that case with 64-bit random IV are kinda small. As described here: https://crypto.stackexchange.com/questions/1849/why-should-i-avoid-using-a-randomized-iv-for-ctr-mode
0
Reply
cn flag
LightBit
Do you think my proposed solution (deriving key from random IV) is as good as using different key for each stream?
0
Reply
Swashbuckler avatar
mc flag
Swashbuckler
@LightBit If you're running into the problem they're talking about you've got other bigger problems already. There's research that suggests that CTR mode is kind of leaky and you should be only encrypting as much data with ONE KEY as you do with CBC mode, which for me is around 64 GB (depending on how long you want to keep the data). That's way less data than they're considering.
0
Reply
Swashbuckler avatar
mc flag
Swashbuckler
As for deriving a key from a random IV, I wouldn't. The IV is not a secret, the key needs to be secret. If you used a fixed process for deriving the key from the IV then an attacker can repeat that process and get the key.
0
Reply
cn flag
LightBit
To derive key from IV I would encrypt it with master key. So derived key would be secret.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.