[Botan-devel] AES/CTR-BE nonces

Jack Lloyd lloyd at randombit.net
Tue Jul 20 16:33:06 EDT 2010

On Sat, Jul 17, 2010 at 08:41:40AM -0400, Jack Lloyd wrote:
> On Sun, Jul 11, 2010 at 09:40:24PM -0400, jonny ram wrote:
> > When performing AES-256 encryption in CTR mode, should nonces be considered
> > synonymous with initialization vectors?
> Yes, they are equivalent terms for the same thing.

I was somewhat wrong here. Nonce suggests that as long as they don't
repeat, this is sufficient. However, counter mode has stricter
requirements; if you used both N and N+1 as CTR IVs with the same key,
then you'll end up with duplicated keystream output (just offset by a
block in the two messages), which would be quite easy to detect and
exploit to recover data.

This is less of a problem, actually, if you use shorter IVs. For
instance if you used a 96 bit IV with a 128 bit block cipher in CTR
mode, then the low 32 bits of the counter will be (implicitly) zero,
and all the incrementing will happen in that low zero space. In this
case (as long as you didn't encrypt more than 2^32 blocks (64 GiB)
with a single IV), you could in fact use a counter as the IV (though
probably a randomly chosen IV would still be better).


More information about the botan-devel mailing list