[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: counter mode

To: Helger Lipmaa <helger@xxxxxxxxxx>
Subject: Re: counter mode
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 3 Oct 2000 14:32:45 -0400
Cc: ipsec@xxxxxxxxxxxxxxxxx
In-reply-to: <>
References: <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

Helger,

A submission of me, Phil Rogaway and David Wagner to the AES Symmetric Key
Encryption Modes workshop is available from
http://www.tml.hut.fi/~helger/papers/lrw00.

There has been quite a lot of discussions and misunderstandings concerning
this mode. We tried to outline why most of the perceived disadvantages are
not valid. We also proposed the next somewhat foolproof usage scenario:
sender keeps a N-bit nonce that he increases at every packet transmission.
The actual counter is computed as

      N-bit nonce || 128-N bit block counter

N=64 makes the most sense security-wise; in standard IPSEC context one
could use N=32, where nonce = sequence number.

So let's hope counter mode will be accepted as standard. I know that many
people (also here) would love to incorporate it in their products.

I have some trouble reconciling your suggestion above with the proposal in the workshop paper. That paper seems to suggest a 64 bit counter value, followed by 64 zero bits, to form a 128-bit counter. Above, you seem to suggest a 32-bit counter transmitted with each packet, taken from the sequence number field, and a 96-bit block counter. You don't indicate whether this latter counter is purely intra-packet, or whether it is stateful for all packets received on an SA.

The pipelining that is an attraction of counter mode can be effected so long as there is a part of the counter that generates enough key stream to
cover the largest single packet, measured in the block size of the cipher. That part of the counter is purely internal to the endpoints and need not be transmitted, and thus need not waste any space in an encrypted packet. For example, 16 bits of counter are more than sufficient to cover a max size IP datagram, using an 8 or 16 byte codebook. If this value is purely intra-packet, then there is no need to maintain state for it at sender or receiver, right? That's why I raise the question about the size of the block counter above, and ask whether it is stateful. I get the feeling (in part from your paper) that you might view this latter value as stateful, but that seems to add unnecessary complexity to each end.

The 32-bit per-packet counter one gets from the ESP sequence number is nominally big enough for IPsec use of this mode, since we don't allow the counter to cycle, and the creation of a new SA with a new key avoids compromise in depth concerns. But, if we want to, one could carry additional counter bits or even an explicit IV, just as we do for CBC mode today (so long as there is confidence that the IV will be unique on a per SA basis).

Using the lengths of these field values, and if one needs a 128-bit counter value for AES the format might look like this:

IV or high order cntr bits || ESP seq # || intra-packet cntr || zeros

The IV or high order counter bits could be as few as 2 or as many as 8 bytes (we already accommodate 8-byte IVs for CBC), leaving the zero field to be 2-8 bytes. The use of a purely intra-packet counter allows all the performance benefits one wants from counter mode, but without devoting any per-packet space to carry the bits.

Steve

Follow-Ups:
- Re: counter mode
  - From: Helger Lipmaa
- Re: counter mode
  - From: Bill Sommerfeld

References:
- counter mode
  - From: Helger Lipmaa

Prev by Date: Re: Rijndael selected as AES
Next by Date: Assigned Numbers for AES
Previous by thread: counter mode
Next by thread: Re: counter mode
Index(es):
- Date
- Thread