what does "counter" mean exactly?
Counter per Wikipedia definition;
In digital logic and computing, a counter is a device that stores (and sometimes displays) the number of times a particular event or process has occurred
In CTR context; it is used to produce different inputs for the encryption, then the output is x-ored with the plaintext to produce a ciphertext. It is usually performed by incrementing, though one can use LFSR, too.
Is it the same as nonce
No, it is not the same as the nonce ( number used once)
The CTR mode combines nonce and counter, as the input to the cipher. The input is combined from two parts;
- nonce part; typically generated randomly per encryption session or by use of counter/LFSR.
- counter part; initially set zero, then incremented for every block encryption
With these we can have, randomized encryption and each block can produce a different output under the same key if we are using a PRP like AES ( PRF part is more complex and actually CTR is defined for PRFs since there is no need for the inverse)
"Typically the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo $2^b$, where $b$ is the block size)". What does this statement mean exactly?
Consider that we have 64-bit nonce and 64-bit counter;
nonce counter
9237AF71A232BC82E4 0000000000000000
First block uses 9237AF71A232BC82E40000000000000000
as input, then the subsequent block uses as
nonce counter
9237AF71A232BC82E4 0000000000000001
9237AF71A232BC82E4 0000000000000002
9237AF71A232BC82E4 0000000000000003
9237AF71A232BC82E4 0000000000000004
... ...
9237AF71A232BC82E4 EFFFFFFFFFFFFFFF
9237AF71A232BC82E4 FFFFFFFFFFFFFFFF
... ...
9237AF71A232BC82E5 0000000000000000 ???
If you can encrypt $2^{64}$ blocks you will reach the end of the counter, depending on the case this can be dangerous.
If you continue from 0 counter 9237AF71A232BC82E40000000000000000
then you will have a nonce-reuse (two-time pad) issue in the CTR mode; confidentiality is lost. An observer can execute a manual crib-dragging even an automized one
If you continue increment than 9237AF71A232BC82E50000000000000000
you may hit another input that can turn into the two-time pad, too.
Stop there; actually, stop way before there if you use PRP instead of PRF.
Notes on different usages of the nonce IV term;
NIST definition uses counter as the whole input for the encryption.
Wikipedia makes a distinction. I've preferred Wikipedia's definition, In the GCM case, NIST uses IV and counter separately.
Lindell&Katz, on their book, uses IV as the $3n/4$ part of the block size and $1/4$ as for the counter. The encryption is defined as $y_i := F_k (IV || \langle i \rangle)$ They show that if the IV is uniformly selected then the IV reuse is a negligible event. Therefore CTR mode is CPA secure.