Hashing a counter to prevent distinguishers in CTR mode












3












$begingroup$


Because a block cipher is a PRP and thus bijective, the fact that the input in CTR mode never repeats means that each block of keystream will be unique. This creates a distinguisher from random data following the birthday bound if enough data is encrypted even before the counter repeats, especially if the block size is too small. Stream ciphers like ChaCha20 avoid this issue by feeding a counter into a PRF instead of a PRP, meaning blocks of keystream will repeat according to the birthday bound.



Is it feasible to mitigate this problem with a PRP by feeding the nonce and counter through a very fast and deterministic hashing function first? Because the input to the block cipher is not secret in CTR mode, it would not need to be a secure hash function. All it would need to do is admit collisions due to the birthday bound, allowing for a repeating block in the keystream after roughly $2^{n/2}$ blocks.



Is this correct? If so, what is the fastest hash function which has the required properties?










share|improve this question









$endgroup$








  • 2




    $begingroup$
    I think it would need to be a secure hash function, otherwise we could force it to generate identical key streams at will.
    $endgroup$
    – Ella Rose
    Jan 28 at 6:01






  • 1




    $begingroup$
    If you want to use AES or a typical block cipher, the solution to this problem is dual CTR streams with different keys, but identical inputs. It is still reversible but no longer has guaranteed block uniqueness, and you get to use the primitive you already have (at half speed). And while block uniqueness is very important in CTR mode, it is not in dual CTR, because the location of duplicates is key dependent and pseudorandom, just like the block cipher output. $CTR_{k1}(nonce+counter) oplus CTR_{k2}(nonce+counter)$
    $endgroup$
    – Richie Frame
    Jan 28 at 10:11












  • $begingroup$
    Combination of two stream ciphers may offer some further insight...
    $endgroup$
    – Paul Uszak
    Jan 28 at 22:18
















3












$begingroup$


Because a block cipher is a PRP and thus bijective, the fact that the input in CTR mode never repeats means that each block of keystream will be unique. This creates a distinguisher from random data following the birthday bound if enough data is encrypted even before the counter repeats, especially if the block size is too small. Stream ciphers like ChaCha20 avoid this issue by feeding a counter into a PRF instead of a PRP, meaning blocks of keystream will repeat according to the birthday bound.



Is it feasible to mitigate this problem with a PRP by feeding the nonce and counter through a very fast and deterministic hashing function first? Because the input to the block cipher is not secret in CTR mode, it would not need to be a secure hash function. All it would need to do is admit collisions due to the birthday bound, allowing for a repeating block in the keystream after roughly $2^{n/2}$ blocks.



Is this correct? If so, what is the fastest hash function which has the required properties?










share|improve this question









$endgroup$








  • 2




    $begingroup$
    I think it would need to be a secure hash function, otherwise we could force it to generate identical key streams at will.
    $endgroup$
    – Ella Rose
    Jan 28 at 6:01






  • 1




    $begingroup$
    If you want to use AES or a typical block cipher, the solution to this problem is dual CTR streams with different keys, but identical inputs. It is still reversible but no longer has guaranteed block uniqueness, and you get to use the primitive you already have (at half speed). And while block uniqueness is very important in CTR mode, it is not in dual CTR, because the location of duplicates is key dependent and pseudorandom, just like the block cipher output. $CTR_{k1}(nonce+counter) oplus CTR_{k2}(nonce+counter)$
    $endgroup$
    – Richie Frame
    Jan 28 at 10:11












  • $begingroup$
    Combination of two stream ciphers may offer some further insight...
    $endgroup$
    – Paul Uszak
    Jan 28 at 22:18














3












3








3


2



$begingroup$


Because a block cipher is a PRP and thus bijective, the fact that the input in CTR mode never repeats means that each block of keystream will be unique. This creates a distinguisher from random data following the birthday bound if enough data is encrypted even before the counter repeats, especially if the block size is too small. Stream ciphers like ChaCha20 avoid this issue by feeding a counter into a PRF instead of a PRP, meaning blocks of keystream will repeat according to the birthday bound.



Is it feasible to mitigate this problem with a PRP by feeding the nonce and counter through a very fast and deterministic hashing function first? Because the input to the block cipher is not secret in CTR mode, it would not need to be a secure hash function. All it would need to do is admit collisions due to the birthday bound, allowing for a repeating block in the keystream after roughly $2^{n/2}$ blocks.



Is this correct? If so, what is the fastest hash function which has the required properties?










share|improve this question









$endgroup$




Because a block cipher is a PRP and thus bijective, the fact that the input in CTR mode never repeats means that each block of keystream will be unique. This creates a distinguisher from random data following the birthday bound if enough data is encrypted even before the counter repeats, especially if the block size is too small. Stream ciphers like ChaCha20 avoid this issue by feeding a counter into a PRF instead of a PRP, meaning blocks of keystream will repeat according to the birthday bound.



Is it feasible to mitigate this problem with a PRP by feeding the nonce and counter through a very fast and deterministic hashing function first? Because the input to the block cipher is not secret in CTR mode, it would not need to be a secure hash function. All it would need to do is admit collisions due to the birthday bound, allowing for a repeating block in the keystream after roughly $2^{n/2}$ blocks.



Is this correct? If so, what is the fastest hash function which has the required properties?







ctr distinguisher






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 28 at 4:03









forestforest

4,55811743




4,55811743








  • 2




    $begingroup$
    I think it would need to be a secure hash function, otherwise we could force it to generate identical key streams at will.
    $endgroup$
    – Ella Rose
    Jan 28 at 6:01






  • 1




    $begingroup$
    If you want to use AES or a typical block cipher, the solution to this problem is dual CTR streams with different keys, but identical inputs. It is still reversible but no longer has guaranteed block uniqueness, and you get to use the primitive you already have (at half speed). And while block uniqueness is very important in CTR mode, it is not in dual CTR, because the location of duplicates is key dependent and pseudorandom, just like the block cipher output. $CTR_{k1}(nonce+counter) oplus CTR_{k2}(nonce+counter)$
    $endgroup$
    – Richie Frame
    Jan 28 at 10:11












  • $begingroup$
    Combination of two stream ciphers may offer some further insight...
    $endgroup$
    – Paul Uszak
    Jan 28 at 22:18














  • 2




    $begingroup$
    I think it would need to be a secure hash function, otherwise we could force it to generate identical key streams at will.
    $endgroup$
    – Ella Rose
    Jan 28 at 6:01






  • 1




    $begingroup$
    If you want to use AES or a typical block cipher, the solution to this problem is dual CTR streams with different keys, but identical inputs. It is still reversible but no longer has guaranteed block uniqueness, and you get to use the primitive you already have (at half speed). And while block uniqueness is very important in CTR mode, it is not in dual CTR, because the location of duplicates is key dependent and pseudorandom, just like the block cipher output. $CTR_{k1}(nonce+counter) oplus CTR_{k2}(nonce+counter)$
    $endgroup$
    – Richie Frame
    Jan 28 at 10:11












  • $begingroup$
    Combination of two stream ciphers may offer some further insight...
    $endgroup$
    – Paul Uszak
    Jan 28 at 22:18








2




2




$begingroup$
I think it would need to be a secure hash function, otherwise we could force it to generate identical key streams at will.
$endgroup$
– Ella Rose
Jan 28 at 6:01




$begingroup$
I think it would need to be a secure hash function, otherwise we could force it to generate identical key streams at will.
$endgroup$
– Ella Rose
Jan 28 at 6:01




1




1




$begingroup$
If you want to use AES or a typical block cipher, the solution to this problem is dual CTR streams with different keys, but identical inputs. It is still reversible but no longer has guaranteed block uniqueness, and you get to use the primitive you already have (at half speed). And while block uniqueness is very important in CTR mode, it is not in dual CTR, because the location of duplicates is key dependent and pseudorandom, just like the block cipher output. $CTR_{k1}(nonce+counter) oplus CTR_{k2}(nonce+counter)$
$endgroup$
– Richie Frame
Jan 28 at 10:11






$begingroup$
If you want to use AES or a typical block cipher, the solution to this problem is dual CTR streams with different keys, but identical inputs. It is still reversible but no longer has guaranteed block uniqueness, and you get to use the primitive you already have (at half speed). And while block uniqueness is very important in CTR mode, it is not in dual CTR, because the location of duplicates is key dependent and pseudorandom, just like the block cipher output. $CTR_{k1}(nonce+counter) oplus CTR_{k2}(nonce+counter)$
$endgroup$
– Richie Frame
Jan 28 at 10:11














$begingroup$
Combination of two stream ciphers may offer some further insight...
$endgroup$
– Paul Uszak
Jan 28 at 22:18




$begingroup$
Combination of two stream ciphers may offer some further insight...
$endgroup$
– Paul Uszak
Jan 28 at 22:18










1 Answer
1






active

oldest

votes


















7












$begingroup$

I'm reading the question as generating a keystream per: $S_igets E_K(F(mathrm{IV},i))$ where $F$ is a public function built from a hash function; for incremental index $i$ starting from $0$ and public random $mathrm{IV}$, with $F$ having a sizable collision rate when $i$ varies; and for $E$ a block cipher with secret key $K$.



That is quite insecure: the location of the collisions, that is values of $i$, $j$ with $ine j$ and $F(mathrm{IV},i)=F(mathrm{IV},j)$, can be found by an adversary from the public $mathrm{IV}$. And then knowledge that $K_i=K_j$ can be used to mount an attack allowing decryption of some plaintext fragment from partially known plaintext.






share|improve this answer











$endgroup$













    Your Answer





    StackExchange.ifUsing("editor", function () {
    return StackExchange.using("mathjaxEditing", function () {
    StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
    StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
    });
    });
    }, "mathjax-editing");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "281"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66836%2fhashing-a-counter-to-prevent-distinguishers-in-ctr-mode%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    7












    $begingroup$

    I'm reading the question as generating a keystream per: $S_igets E_K(F(mathrm{IV},i))$ where $F$ is a public function built from a hash function; for incremental index $i$ starting from $0$ and public random $mathrm{IV}$, with $F$ having a sizable collision rate when $i$ varies; and for $E$ a block cipher with secret key $K$.



    That is quite insecure: the location of the collisions, that is values of $i$, $j$ with $ine j$ and $F(mathrm{IV},i)=F(mathrm{IV},j)$, can be found by an adversary from the public $mathrm{IV}$. And then knowledge that $K_i=K_j$ can be used to mount an attack allowing decryption of some plaintext fragment from partially known plaintext.






    share|improve this answer











    $endgroup$


















      7












      $begingroup$

      I'm reading the question as generating a keystream per: $S_igets E_K(F(mathrm{IV},i))$ where $F$ is a public function built from a hash function; for incremental index $i$ starting from $0$ and public random $mathrm{IV}$, with $F$ having a sizable collision rate when $i$ varies; and for $E$ a block cipher with secret key $K$.



      That is quite insecure: the location of the collisions, that is values of $i$, $j$ with $ine j$ and $F(mathrm{IV},i)=F(mathrm{IV},j)$, can be found by an adversary from the public $mathrm{IV}$. And then knowledge that $K_i=K_j$ can be used to mount an attack allowing decryption of some plaintext fragment from partially known plaintext.






      share|improve this answer











      $endgroup$
















        7












        7








        7





        $begingroup$

        I'm reading the question as generating a keystream per: $S_igets E_K(F(mathrm{IV},i))$ where $F$ is a public function built from a hash function; for incremental index $i$ starting from $0$ and public random $mathrm{IV}$, with $F$ having a sizable collision rate when $i$ varies; and for $E$ a block cipher with secret key $K$.



        That is quite insecure: the location of the collisions, that is values of $i$, $j$ with $ine j$ and $F(mathrm{IV},i)=F(mathrm{IV},j)$, can be found by an adversary from the public $mathrm{IV}$. And then knowledge that $K_i=K_j$ can be used to mount an attack allowing decryption of some plaintext fragment from partially known plaintext.






        share|improve this answer











        $endgroup$



        I'm reading the question as generating a keystream per: $S_igets E_K(F(mathrm{IV},i))$ where $F$ is a public function built from a hash function; for incremental index $i$ starting from $0$ and public random $mathrm{IV}$, with $F$ having a sizable collision rate when $i$ varies; and for $E$ a block cipher with secret key $K$.



        That is quite insecure: the location of the collisions, that is values of $i$, $j$ with $ine j$ and $F(mathrm{IV},i)=F(mathrm{IV},j)$, can be found by an adversary from the public $mathrm{IV}$. And then knowledge that $K_i=K_j$ can be used to mount an attack allowing decryption of some plaintext fragment from partially known plaintext.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 29 at 16:06

























        answered Jan 28 at 7:05









        fgrieufgrieu

        81.8k7178349




        81.8k7178349






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66836%2fhashing-a-counter-to-prevent-distinguishers-in-ctr-mode%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            android studio warns about leanback feature tag usage required on manifest while using Unity exported app?

            SQL update select statement

            'app-layout' is not a known element: how to share Component with different Modules