The Counter (CTR) Mode

Counter (CTR) mode takes a different approach to most other modes of operation. It does not even use the block cipher's encryption function $Enc_{k}$ on the message itself!

The encryption process begins by dividing the message into blocks $μ_{1}, μ_{2}, ..., μ_{q}$ with length $l_{b}$ . Then, an initialisation vector (IV) of length $\frac{3}{4} l_{b}$ is randomly generated. However, instead of passing the $i$ -th block to $Enc_{k}$ , CTR mode takes the IV and appends to it a counter $i$ encoded as a binary string of length $\frac{1}{4} l_{b}$ and inputs this into $Enc_{k}$ . The $i$ -th message block is then XOR-ed with the output to produce the $i$ -th ciphertext block:

$σ_{i} = μ_{i} \oplus Enc_{k} (I V ∣∣ i)$

The final ciphertext is obtained by concatenating all ciphertext blocks and prepending them with the initialisation vector, which is necessary for decryption just as with CBC mode.

This process essentially turns a block cipher into a stream cipher where the IV and the counter are used to generate a keystream which is then XOR-ed with the message.

The decryption procedure is almost equivalent - the IV is extracted from the ciphertext $c$ and the rest of it is divided into ciphertext blocks $σ_{1}, σ_{2}, ..., σ_{q}$ . The $i$ -th ciphertext block is XOR-ed with the output of, notice, $Enc_{k}$ after passing it the concatenation of the IV and $i$ encoded as a binary string of length $\frac{1}{4} l_{b}$ .

$μ_{i} = σ_{i} \oplus Enc_{k} (I V ∣∣ i)$

That's right - the decryption function $Dec_{k}$ of the block cipher is not even used! This means that the encryption function $Enc_{k}$ does not need to even be invertible, i.e. it does not need to be a pseudorandom permutation (PRP), but can simply be a pseudorandom function (PRF). This is only one major advantage of CTR mode. Another one is the fact that both encryption and decryption are parallelisable, which makes them excellent candidates for optimisation. These two factors, combined with the security provided by this mode, are the reason for CTR's extensive use.

Security of CTR Mode

So long as the initialisation vector is chosen uniformly at random and the block cipher used is secure, i.e. it uses a pseudorandom function (or permutation) for its $Enc_{k}$ function, CTR mode will be CPA-secure.

Proof: CPA-Security of CTR Mode

First suppose, towards contradiction, that there is an efficient adversary Eve that after querying $Enc_{k}$ with $q$ messages $m_{1}, m_{2}, ..., m_{q}$ and obtaining their ciphertexts $c_{1}, c_{2}, ..., c_{q}$ , can distinguish with probability $\frac{1}{2} + nonnegl (n)$ if a ciphertext $c$ is the encryption of $m_{a}$ or $m_{b}$ , for some messages $m_{a}$ and $m_{b}$ , which are also allowed to be one of the previously queried messages.

Consider the case where the messages $m_{a}$ and $m_{b}$ are only a single block long. If instead of the PRF $Enc_{k}$ , the CTR encryption used a truly random function $R$ , then Eve would lack any information and so she would only be able guess at best with probability $\frac{1}{2}$ whether a ciphertext $c$ belongs to $m_{a}$ or $m_{b}$ . This, however, is a contradiction because she would be able to distinguish with non-negligible probability the output of a PRF from the output of a truly random function. Therefore, no such adversary can exist.

This reasoning assumes that the IV is never reused, but since the IV is supposed to be chosen uniformly at random, this can happen. So we need to show that this happens with only negligible probability.

Indeed, the adversary Eve makes $q$ queries which means $q$ messages with $q$ IV's. Each IV is chosen uniformly from ${0, 1}^{\frac{3}{4} l_{b}}$ , so the probability that an IV is repeated is $\frac{q ^{2}}{2 ^{\frac{3}{4} l_{b} + 1}}$ which is negligible, since Eve must be efficient and therefore $q$ needs to be polynomial.

IV Reuse Attack

If you have two ciphertexts $c$ and $c^{'}$ that are the CTR-mode encryptions of two messages $m$ and $m^{'}$ which where encrypted with the same initialisation vector $I V$ and the same secret key $k$ and you know one of the messages - for example $m$ - then you can easily decrypt the other message $m^{'}$ .

The first step is to XOR the two ciphertexts $c$ and $c^{'}$ to obtain the XOR of the two messages $m$ and $m^{'}$ , since the XOR of something with itself is 0 and XOR-ing with 0 has no effect.

${c = m \oplus (Enc_{k} (I V ∣∣1) ∣∣ Enc_{k} (I V ∣∣2) \dots) c^{'} = m^{'} \oplus (Enc_{k} (I V ∣∣1) ∣∣ Enc_{k} (I V ∣∣2) \dots) ⟹$

$c \oplus c^{'} = = (m \oplus (Enc_{k} (I V ∣∣1) ∣∣ Enc_{k} (I V ∣∣2) \dots)) \oplus (m^{'} \oplus (Enc_{k} (I V ∣∣1) ∣∣ Enc_{k} (I V ∣∣2) \dots)) = (m \oplus m^{'}) \oplus ((Enc_{k} (I V ∣∣1) ∣∣ Enc_{k} (I V ∣∣2) \dots) \oplus (Enc_{k} (I V ∣∣1) ∣∣ Enc_{k} (I V ∣∣2) \dots)) = m \oplus m^{'}$

The second and final step is to XOR this result with the known message $m$ to recover the unknown message $m^{'}$ :

$(m \oplus m^{'}) \oplus m = (m \oplus m) \oplus m^{'} = m^{'}$

This attack clearly illustrates that initialisation vectors should never be repeated.

Note

Even if the IV is chosen uniformly at random, there is still a chance that it is repeated and security is broken. Nevertheless, the number of possible IVs is usually so large that the probability of this actually happening is negligible.

The Cyberclopaedia

The Counter (CTR) Mode

Security of CTR Mode

IV Reuse Attack