
re: draft-ietf-ipsec-ciph-aes-ctr-00.txt




David,

yes, I agree with you, I cannot see any reason to use an external IV for
AES CTR if algorithms can easily be defined for internal building of IVs from
the ESP sequence number and SPI. The only cryptographic requirement for the
sequence of IVs is that all the counter values, derived from all the IVs
over all the ESP packets and transformed by AES, are different as long as one
fixed key is used.

Or, more mathematically:

Assume IV(i) with i=1,2,... is the sequence of IV's being used for the
sequence of ESP packets ESP(i) with i=1,2,...  and M is the maximal number
of blocks of block size 128 bit allowed in an ESP packet. Assume CV(i,j)
with j=1,2,...,M is the sequence of counter values for the ESP packet
ESP(i), derived from IV(i) for i=1,2,.... The requirement then is for each
fixed key

   CV( i, j ) != CV( k, l )

         for all ( i, j ) != ( k, l ) with  (i,k > 0), (0 < j,l <= M).


I might be wrong, but I think no reason exists to state "that no more than
2^64 blocks of block size 128 bits should be encrypted with any fixed key"
as long as the requirement above is fulfilled. What does "birthday attack" mean
in connection with counter mode? I guess it means the following. When more than
2^64 blocks have been encrypted with any fixed key, then with higher
probability there exist equal block keys

   AES(Key, CV(i,j)) = AES(Key, CV(k,l)) for any (i,j) != (k,l) 

to encrypt the different plaintext blocks P(i,j) and P(k,l).

How can this property be used?
You must build all the xor sums (here + is used) of ciphertext blocks

   C(i,j)+C(k,l) = P(i,j)+AES(Key,CV(i,j))+P(k,l)+AES(Key,CV(k,l))

and test all these sums by statistical criteria whether

  C(i,j)+C(k,l) = P(i,j)+P(k,l) 

because of 

  AES(Key, CV(i,j)) = AES(Key, CV(k,l))  for any (i,j) != (k,l).

When you find such a pair of ciphertext blocks you get information about the
plaintexts P(i,j) and P(k,l). 

I presume this attack is not applicable, unlike the birthday attack on
CBC, where you can easily recognize identical ciphertext blocks and use
this for the attack.


Best regards

Klaus F. Helbig	
VP Engineering
Zyfer, Inc.
(714) 780 7134
[mailto: kfh@zyfer.com]
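The counter-uniqueness requirement CV(i,j) != CV(k,l) from the message above, as an added example that is not part of the original post or of the draft: it builds counter blocks internally from the SPI, the ESP sequence number and the block index (the 4/8/4-byte layout is an assumption for this example, not the draft's), checks a set of packets for repeated counter values, and shows why the requirement matters, namely that when two block keys coincide the ciphertext XOR equals the plaintext XOR. `block_key` is a keyed-hash stand-in for AES(Key, CV) so the code runs without an AES library.

```python
import hashlib
import hmac
from typing import Dict, List, Set, Tuple

BLOCK = 16  # AES block size in bytes

def counter_block(spi: int, seq: int, j: int) -> bytes:
    """CV(i,j) built internally from ESP fields (assumed layout: 4-byte SPI,
    8-byte sequence number as IV(i), 4-byte block index j with 1 <= j <= M)."""
    return spi.to_bytes(4, "big") + seq.to_bytes(8, "big") + j.to_bytes(4, "big")

def block_key(key: bytes, cv: bytes) -> bytes:
    """Stand-in for AES(Key, CV): a keyed hash truncated to 128 bits.
    Constructed for this example only; it is not AES."""
    return hmac.new(key, cv, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """C(i,j) = P(i,j) + AES(Key, CV(i,j)); the same call decrypts (CTR is symmetric)."""
    out = b""
    for j, start in enumerate(range(0, len(plaintext), BLOCK), start=1):
        chunk = plaintext[start:start + BLOCK]
        out += xor(chunk, block_key(key, counter_block(spi, seq, j)))
    return out

def duplicate_counters(packets: List[Tuple[int, int, int]]) -> Set[bytes]:
    """Check CV(i,j) != CV(k,l) for all (i,j) != (k,l) under one key.
    packets: (spi, seq, number of blocks) per ESP packet.
    Returns the counter values used more than once (empty set == requirement holds)."""
    seen: Dict[bytes, Tuple[int, int, int]] = {}
    dups: Set[bytes] = set()
    for spi, seq, nblocks in packets:
        for j in range(1, nblocks + 1):
            cv = counter_block(spi, seq, j)
            if cv in seen:
                dups.add(cv)
            seen[cv] = (spi, seq, j)
    return dups

def xor_leaks_plaintext(key: bytes, spi: int, seq_a: int, p_a: bytes,
                        seq_b: int, p_b: bytes) -> bool:
    """True when C(a,1)+C(b,1) == P(a,1)+P(b,1), i.e. the two block keys
    coincided and the ciphertext XOR reveals the plaintext XOR."""
    c_a = ctr_encrypt(key, spi, seq_a, p_a)[:BLOCK]
    c_b = ctr_encrypt(key, spi, seq_b, p_b)[:BLOCK]
    return xor(c_a, c_b) == xor(p_a[:BLOCK], p_b[:BLOCK])
```

With distinct (SPI, sequence number) pairs every CV(i,j) is distinct, and only a reused sequence number under the same SPI produces the collision that makes `xor_leaks_plaintext` return True.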