Support for CTR-128 mode

[shijimasoft]

Hello again! I wanted to ask you if support for CTR-128 mode has been planned, was curious if you were already working on it or it is not planned anytime soon. Please let me know, thank you!

[keepsimple1]

There is no plan for CTR-128 yet. If it's useful for you and you could contribute on it, that would be great!

[shijimasoft]

I would have gladly contributed, but I don't even know the basic math for encryption algorithms :_)

[keepsimple1]

That's okay. Do you have a time line when you need this feature?

[shijimasoft]

At this time I am rewriting an old project using AES (CBC and CTR), I do not have an exact timeline, in the next few weeks I will be optimizing and re-implementing new portions of code, but it would certainly be great to have it soon. If you are interested give ctrdecrypt a quick check :)

[keepsimple1]

Got it. I will take a closer look hopefully this weekend.

[shijimasoft]

Thank you so much :>

[keepsimple1]

As CTR mode encryption could be parallelized and essentially works in a stream mode, what kind of API are you looking for? Any good examples from other languages / tools for CTR mode you wanted to follow?

[shijimasoft]

I searched the official PyCrypto documentation and found this: CounTeR (CTR). This mode is very similar to ECB, in that encryption of one block is done independently of all other blocks. Unlike ECB, the block position contributes to the encryption and no information leaks about symbol frequency.

Each message block is associated to a counter which must be unique across all messages that get encrypted with the same key (not just within the same message). The counter is as big as the block size (for 128-bit key it is 16 bytes).

Counters can be generated in several ways. The most straightword one is to choose an initial counter block (which can be made public, similarly to the IV for the other modes) and increment its lowest m bits by one (modulo 2^m) for each block. In most cases, m is chosen to be half the block size.

See NIST SP800-38A, Section 6.5 (for the mode) and Appendix B (for how to manage the initial counter block).

Practical example:

# Example from PyCrypto
from Crypto.Cipher import AES
from Crypto.Util import Counter

key = "c3b55cd549b6e47e91f6a212641e1cb3".decode('hex')
icounter = 20780279403903244019572234206052352
data = "9fdc5cc09bcbea918b62b915c9a4f9f8".decode('hex')

cipher = AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=icounter))

# fe359918ef8fc93d8a19841fe8fb20e4
decdata = cipher.decrypt(data)

The AES function accepts an initial counter (which in Rust would be a u128 or an array of [u8; 16])

[keepsimple1]

Thanks for the info. Adding a link: https://pycryptodome.readthedocs.io/en/latest/src/cipher/classic.html#ctr-mode and the counter module: https://pycryptodome.readthedocs.io/en/latest/src/util/util.html#crypto-util-counter-module

[shijimasoft]

Thank you too!

[keepsimple1]

A reference implementation in C in OpenSSL: https://github.com/openssl/openssl/blob/master/crypto/modes/ctr128.c

[shijimasoft]

Hello! I took a look at the code, but it doesn't include the decrypt method, right?

[shijimasoft]

Sorry, never mind. I forgot that the CTR AES mode has identical encrypt and decrypt functions