CTR mode broken in libgcrypt 1.2.1

Simon Josefsson jas at extundo.com
Fri Jun 17 21:39:40 CEST 2005

Adam Langley <alangley at gmail.com> writes:

> I should point out that since submitting the patch it has been noted
> that the NIST is contradictory on the subject of counter mode. There
> are documents which suggest that the current libgcrypt implementation
> is correct and some that favour my patch.

The current libgcrypt implementation was done (by me) according to
There are even self tests against the test vectors in tests/simple.c.

I'm not aware of any contradictory Counter mode description published
by NIST.  Can you give some more information?

> [1] http://csrc.nist.gov/CryptoToolkit/modes/workshop1/papers/lipmaa-ctr.pdf

That is one input paper, hardly authoritative.  However, if your patch
implement their idea of Counter mode, it may certainly be that it is
useful too.  Maybe you can ask them if they have come up with another
name of their mode, given the conflict.

> My recommendation would be to either
>   1) drop the patch and make a big note in the documentation that the
> implemented cipher mode is not suitable for use as a stream cipher.
>   2) implement stream counter mode (e.g. my patch) as a separate mode.

Both approaches sound better than changing the current implementation.


More information about the Gcrypt-devel mailing list