Abstract

Counter-mode encryption (“CTR mode”) was introduced by Diffie and Hellman already in 1979 [5] and is already standardized by, for example, [1, Section 6.4]. It is indeed one of the best known modes that are not standardized in [10]. We suggest that NIST, in standardizing AES modes of operation, should include CTR-mode encryption as one possibility for the next reasons. First, CTR mode has significant efficiency advantages over the standard encryption modes without weakening the security. In particular its tight security has been proven. Second, most of the perceived disadvantages of CTR mode are not valid criticisms, but rather caused by the lack of knowledge. 1 Review of Counter-Mode Encryption Notation. Let EK X) denote the encipherment of an n-bit block X using key K and a block cipher E. For concreteness we assume that = E AES, so = n 128. If X is a nonempty string and i is a nonnegative integer, then + X i denotes g the g X-bit string that one gets by regarding X as a nonnegative number (written in binary, most significant bit first), adding i to this number, taking the result modulo 2 X 1, and converting this number back into an g X g-bit string. This is