CTR mode broken in libgcrypt 1.2.1

Simon Josefsson jas at extundo.com
Fri Jun 17 21:39:40 CEST 2005


Adam Langley <alangley at gmail.com> writes:

> I should point out that since submitting the patch it has been noted
> that the NIST is contradictory on the subject of counter mode. There
> are documents which suggest that the current libgcrypt implementation
> is correct and some that favour my patch.

The current libgcrypt implementation was done (by me) according to
<http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf>.
There are even self tests against the test vectors in tests/simple.c.

I'm not aware of any contradictory Counter mode description published
by NIST.  Can you give some more information?

> [1] http://csrc.nist.gov/CryptoToolkit/modes/workshop1/papers/lipmaa-ctr.pdf

That is one input paper, hardly authoritative.  However, if your patch
implements their idea of Counter mode, it may certainly be that it is
useful too.  Maybe you can ask them if they have come up with another
name for their mode, given the conflict.

> My recommendation would be to either
>   1) drop the patch and make a big note in the documentation that the
> implemented cipher mode is not suitable for use as a stream cipher.
>   2) implement stream counter mode (e.g. my patch) as a separate mode.

Both approaches sound better than changing the current implementation.

Cheers,
Simon
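The mode Simon refers to, SP 800-38A CTR with the counter block incremented as a big-endian integer once per block, checked against the F.5.1 CTR-AES128 test vector and fed input in unaligned pieces to show that the NIST mode itself works as a stream cipher when the keystream position is carried across calls. This is an added Go example, not code from this thread or from libgcrypt; the type name `ctrStream` and the helper `nistVectorMatches` are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
)

// SP 800-38A F.5.1 CTR-AES128.Encrypt vector (hex): key, initial counter, plaintext, ciphertext.
const nistKey = "2b7e151628aed2a6abf7158809cf4f3c"
const nistIV = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"
const nistPT = "6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"
const nistCT = "874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee"

// ctrStream (hypothetical name) is SP 800-38A CTR mode: the counter block is a big-endian
// integer incremented once per block, and the keystream position survives across calls.
type ctrStream struct {
	block   cipher.Block
	counter []byte // next counter block to encrypt
	ks      []byte // keystream of the current block; ks[used:] is not yet consumed
	used    int
}

// XORKeyStream encrypts or decrypts src into dst (equal lengths); a partial block resumes the saved keystream.
func (s *ctrStream) XORKeyStream(dst, src []byte) {
	for i := range src {
		if s.used == len(s.ks) { // keystream exhausted: generate the next block
			s.block.Encrypt(s.ks, s.counter)
			for j := len(s.counter) - 1; j >= 0; j-- { // big-endian increment, mod 2^128
				if s.counter[j]++; s.counter[j] != 0 {
					break
				}
			}
			s.used = 0
		}
		dst[i], s.used = src[i]^s.ks[s.used], s.used+1
	}
}

// nistVectorMatches (hypothetical helper) encrypts the F.5.1 plaintext in the listed piece sizes, then the remainder.
func nistVectorMatches(sizes ...int) bool {
	key, _ := hex.DecodeString(nistKey)
	iv, _ := hex.DecodeString(nistIV) // fresh slice, so the stream may own it
	src, _ := hex.DecodeString(nistPT)
	b, _ := aes.NewCipher(key) // 16-byte key from the vector, cannot fail
	s, out, off := &ctrStream{b, iv, make([]byte, aes.BlockSize), aes.BlockSize}, make([]byte, len(src)), 0
	for _, n := range sizes {
		s.XORKeyStream(out[off:off+n], src[off:off+n])
		off += n
	}
	s.XORKeyStream(out[off:], src[off:])
	return hex.EncodeToString(out) == nistCT
}
```

Whether the 64-byte plaintext is handed over in one call, in whole blocks, or in odd-sized pieces, the output must equal the published ciphertext; the same structure is what lets a CTR implementation serve stream-oriented callers.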
