[OTR-dev] Issues with libgcrypt 1.5

Ian Goldberg ian at cypherpunks.ca
Mon Apr 11 13:48:36 CEST 2011

On Mon, Apr 11, 2011 at 10:37:46AM +0200, Werner Koch wrote:
> On Sun, 10 Apr 2011 16:58, ian at cypherpunks.ca said:
> > Werner, would it be possible to revert libgcrypt's behaviour to
> > internally handle a truncated final block for AES-CTR mode?
> Can you pelase specifiy the behaviour you want?  It is still time to
> loose this check.

In 1.4, if the plaintext was not a multiple of the block size, the last
encrypted counter block was simply truncated to the appropriate length,
which seems like the correct behaviour to me.  (And indeed, is what the
libotr library expects.)

Ideally, CTR mode would operate like a stream cipher whose keystream was
E(c) || E(c+1) || E(c+2) || ... .  That would mean stashing away the
"truncated" part above for use at the start of the next encryption.
I don't know whether 1.4 did that or not; I didn't try encrypting twice
between resetting the key/counter.

So it would seem to be fairly easy to just revert the 1.4 behaviour for
now, and if that's not the "stream cipher" behaviour, maybe see if that
can get into 1.5 as well?


   - Ian

More information about the Gcrypt-devel mailing list