AES Counter support

[reaperhulk]

• vectors from RFC 3686
• Documentation for the mode

[alex]

Are there really common OpenSSL's which don't support AES CTR?

[reaperhulk]

Any OpenSSL pre 1.0.0, which includes every default OS X (have you brew installed openssl yet? :))

[coveralls]

Coverage remained the same when pulling 389892f on reaperhulk:ctr-support into 169dee8 on pyca:master.

[alex]

I think this last sentence should be removed, I'm not sure it adds a lot of clarity/.

[reaperhulk]

I'm fine with that. It's not easy to read without decent formatting and it will be entirely opaque to most people anyway.

[dstufft]

I thought CTR only needed unique bytes? E.g. you can implement it by incrementing a counter.

[reaperhulk]

You absolutely can. The advantage of starting with a purely random nonce is that even if you're reusing your keys the probability of reusing a counter value is lowered (although obviously non-zero and increasing as the size of the encrypted payload increases). If anyone has better language for this that captures the nuance of "random fine but not necessary if you're careful not to reuse a key with the same counter value" I'll change it.

[dstufft]

I don't know that you can rely on random with CTR mode. It's maybe OK for AES since it has a large enough block size, but CTR can be used for smaller block ciphers as well where that isn't the case.

Perhaps something like:

MUST be a unique value, any reuse of the nonce with the same key compromises the security of every message encrypted with that key. Must be the same number of bytes as the block_size of the cipher with a given key. The nonce does not need to be kept secret and may be included alongside the ciphertext.

[reaperhulk]

How about:

Must be unique bytes (may be randomly generated). Must be the same number of bytes as the block_size of the cipher. It is critical to never reuse a nonce with a given key. Unlike CBC reusing a nonce compromises the security of all data encrypted under the key.

That still doesn't quite encompass the idea that using nonce+1 with the same key is just as bad as nonce though.

[dstufft]

I can't parse your last sentence.

[dstufft]

Overall I think your suggestion is better, I just shy away from us implying that random is good enough when that really depends on block size.

[dstufft]

block size, and how long the keys are good for.

[reaperhulk]

So reusing the nonce with the same key compromises the entire stream, but if you were to encrypt plaintext1 with a given nonce, then encrypt plaintext2 with the same nonce but increment the last bit by 1, then you've essentially reused the nonce. Only the very first block would be different.

I will remove references to random as you make a good point re: block size dependency.

[reaperhulk]

Proposed:

Must be a unique value. It is critical to never reuse a nonce (or its subsequent incremented counter values) with a given key. Any reuse of the nonce with the same key compromises the security of every message encrypted with that key. Must be the same number of bytes as the block_size of the cipher with a given key. The nonce does not need to be kept secret and may be included alongside the ciphertext.

[dstufft]

+1

[coveralls]

Coverage remained the same when pulling 0ba2f94 on reaperhulk:ctr-support into 169dee8 on pyca:master.

[coveralls]

Coverage remained the same when pulling 4506428 on reaperhulk:ctr-support into 169dee8 on pyca:master.

[alex]

random bytes

[coveralls]

Coverage remained the same when pulling 89b3dd3 on reaperhulk:ctr-support into 169dee8 on pyca:master.