
counter mode



A submission by me, Phil Rogaway and David Wagner to the AES Symmetric Key
Encryption Modes workshop is available from
http://www.tml.hut.fi/~helger/papers/lrw00.

There have been quite a lot of discussions and misunderstandings concerning
this mode. We tried to outline why most of the perceived disadvantages are
not valid. We also proposed the following somewhat foolproof usage scenario:
sender keeps an N-bit nonce that he increases at every packet transmission.
The actual counter is computed as

      N-bit nonce || 128-N bit block counter

N=64 makes the most sense security-wise; in standard IPSEC context one
could use N=32, where nonce = sequence number.

So let's hope counter mode will be accepted as standard. I know that many
people (also here) would love to incorporate it in their products.

Helger
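
The counter layout described in the message above (N-bit nonce || 128-N bit block counter), sketched in Python as an added example; it is not code from the message or from the submitted paper. The names `PacketCounter`, `prf_block`, `ctr_xor`, `encrypt_packet` and `decrypt_packet` are hypothetical, the big-endian byte layout is an assumption, and HMAC-SHA256 truncated to 16 bytes stands in for AES so that the block runs with only the standard library.

```python
import hashlib
import hmac

BLOCK_BITS = 128  # AES block size


class PacketCounter:
    """Sender-side state for counter blocks of the form nonce || block counter."""

    def __init__(self, nonce_bits=64, start=0):
        if not 0 < nonce_bits < BLOCK_BITS:
            raise ValueError("nonce_bits must be between 1 and 127")
        self.nonce_bits = nonce_bits
        self.ctr_bits = BLOCK_BITS - nonce_bits
        self.next_nonce = start

    def blocks_for_packet(self, n_blocks):
        """Return (nonce, counter blocks) for one packet and advance the nonce."""
        if n_blocks > (1 << self.ctr_bits):
            raise ValueError("packet too long: block counter would wrap")
        if self.next_nonce >= (1 << self.nonce_bits):
            raise OverflowError("nonce space exhausted: rekey before sending")
        nonce = self.next_nonce
        self.next_nonce += 1
        base = nonce << self.ctr_bits
        return nonce, [(base | i).to_bytes(16, "big") for i in range(n_blocks)]


def prf_block(key, counter_block):
    # Stand-in for AES_K(counter_block): HMAC-SHA256 truncated to 16 bytes.
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:16]


def ctr_xor(key, counter_blocks, data, block_fn=prf_block):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    stream = b"".join(block_fn(key, cb) for cb in counter_blocks)
    return bytes(d ^ s for d, s in zip(data, stream))


def encrypt_packet(key, pc, plaintext):
    n_blocks = max(1, -(-len(plaintext) // 16))  # ceiling division
    nonce, blocks = pc.blocks_for_packet(n_blocks)
    return nonce, ctr_xor(key, blocks, plaintext)


def decrypt_packet(key, nonce_bits, nonce, ciphertext):
    # Receiver rebuilds the same counter blocks from the transmitted nonce.
    pc = PacketCounter(nonce_bits, start=nonce)
    _, blocks = pc.blocks_for_packet(max(1, -(-len(ciphertext) // 16)))
    return ctr_xor(key, blocks, ciphertext)
```

The two refusals in `blocks_for_packet` are the conditions under which a counter block would repeat under one key: a packet longer than 2^(128-N) blocks, or more than 2^N packets without rekeying.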

