Like using DES with, say, 32 bits of possible start values of the
counter to give a key of 32+56 bits (ignoring eventual problems with
the keysize being larger than the block size)?
I could not find any info on this, so I have no idea if it is an
acceptable or a bad idea.
--
Christian Boesgaard
No. Given C_0 = E_k(i), C_1 = E_k(i+1), it's very easy to check a
guess at k without having to guess i: just check that
D_k(C_0) + 1 = D_k(C_1).
Use a cipher that inherently takes a larger key, such as AES or 3DES.
--
__ Paul Crowley
\/ o\ s...@paul.ciphergoth.org
/\__/ http://www.ciphergoth.org/
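The check described in the reply above, as an added example (not code from any poster in this thread). It assumes a toy 32-bit Feistel cipher with a 16-bit key standing in for DES so the search finishes in about a second; the cipher, key and counter values are constructed for illustration.

```python
import hashlib

KEY_BITS = 16            # toy key size (assumption; DES would be 56)
MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF
ROUNDS = 4

def _f(key, rnd, half):
    # Toy round function: 16 bits derived from (key, round, half-block).
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def encrypt(key, block):
    l, r = block >> 16, block & MASK16
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 16) | r

def decrypt(key, block):
    l, r = block >> 16, block & MASK16
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 16) | r

def recover(c0, c1):
    """Test each key guess k using only the relation D_k(C_0) + 1 = D_k(C_1).

    The counter start i is never guessed: it falls out of the decryption
    once k is right, so the work is 2^KEY_BITS trials, not 2^(KEY_BITS+32).
    """
    hits = []
    for k in range(1 << KEY_BITS):
        i = decrypt(k, c0)
        if (i + 1) & MASK32 == decrypt(k, c1):
            hits.append((k, i))
    return hits

# Constructed sample values: the "secret" key and the "secret" counter start.
SECRET_KEY = 0xB3A7
SECRET_START = 0x9E3779B1
C0 = encrypt(SECRET_KEY, SECRET_START)                 # C_0 = E_k(i)
C1 = encrypt(SECRET_KEY, (SECRET_START + 1) & MASK32)  # C_1 = E_k(i+1)

if __name__ == "__main__":
    for k, i in recover(C0, C1):
        print(f"key={k:#06x} counter_start={i:#010x}")
```

The 32 secret bits of the starting counter add nothing to the cost of the search, which is why the reply recommends a cipher with an inherently larger key.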
J.B
No, this should be fine. See
http://csrc.nist.gov/encryption/modes/proposedmodes/ctr/ctr-spec.pdf
Of course if the key is re-used it's a disaster...
Agreed.
Thanks for the confirmation though.
Of course, this security relies on the assumption that AES is a secure
cipher (i.e., it has no problems when most plaintext blocks have tiny Hamming
differences).
Regards,
J.B