What happens if you increment MAX counter in AES-CTR?What is a safe maximum message size limit when encrypting files to disk with AES-GCM before the need to re-generate the key or NONCEMaking counter (CTR) mode robust against application state lossHow does the IV or initial counter increase internally for each block in AES CTR mode?Value of “counter” when decrypting AES in CTR mode?Message lengths with AES CTR mode?Can AES in CCM or GCM counter mode interoperate with AES in “plain” counter mode (CTR)?How to increment the counter value for CTR mode?Seekable cipher, is AES CTR a good solution?the counter mode of encryption CTR - AESAES-CTR-MAC alternative
Symbol for "not absolutely continuous" in Latex
Why are many Chinese characters almost symmetrical but not exactly symmetrical?
Should I report a leak of confidential HR information?
Getting geometries of hurricane's 'cone of uncertainty' using shapely?
In native German words, is Q always followed by U, as in English?
Is it bad to describe a character long after their introduction?
Why are 120V general receptacle circuits limited to 20A?
Who is Johanna in this Joan Baez song - The Winds of the Old Days
Prevent cacls asking for confirmation?
Spicket or spigot?
How do I delete a Bitcoin full node from my hard drive?
Did Wakanda officially get the stuff out of Bucky's head?
Does “comme on était à New York” mean “since” or “as though”?
Do sudoku answers always have a single minimal clue set?
Can another character physically take something that Mage Hand is carrying/holding?
What are good ways to spray paint a QR code on a footpath?
Was touching your nose a greeting in second millenium Mesopotamia?
What is the line crossing the Pacific Ocean that is shown on maps?
Golf the smallest circle!
What is the difference between x RadToDeg cos x div and COSC?
How hard is it to sell a home which is currently mortgaged?
Why does this function call behave sensibly after calling it through a typecasted function pointer?
What is a macro? Difference between macro and function?
Should I hide continue button until tasks are completed?
What happens if you increment MAX counter in AES-CTR?
What is a safe maximum message size limit when encrypting files to disk with AES-GCM before the need to re-generate the key or NONCEMaking counter (CTR) mode robust against application state lossHow does the IV or initial counter increase internally for each block in AES CTR mode?Value of “counter” when decrypting AES in CTR mode?Message lengths with AES CTR mode?Can AES in CCM or GCM counter mode interoperate with AES in “plain” counter mode (CTR)?How to increment the counter value for CTR mode?Seekable cipher, is AES CTR a good solution?the counter mode of encryption CTR - AESAES-CTR-MAC alternative
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
Suppose you use a IV/counter = ffffffffffffffffffffffffffffffffin AES-CTR. What will happen if you encrypt the next block, and thereby increment the counter by one? Will it result in an overflow error of sorts?
aes block-cipher initialization-vector
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
$endgroup$
add a comment |
$begingroup$
Suppose you use a IV/counter = ffffffffffffffffffffffffffffffffin AES-CTR. What will happen if you encrypt the next block, and thereby increment the counter by one? Will it result in an overflow error of sorts?
aes block-cipher initialization-vector
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
$endgroup$
$begingroup$
As far as I know behavior is specific to the implementation, it isn't standardized anywhere.
$endgroup$
– puzzlepalace
Jun 10 at 19:39
add a comment |
$begingroup$
Suppose you use a IV/counter = ffffffffffffffffffffffffffffffffin AES-CTR. What will happen if you encrypt the next block, and thereby increment the counter by one? Will it result in an overflow error of sorts?
aes block-cipher initialization-vector
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
$endgroup$
Suppose you use a IV/counter = ffffffffffffffffffffffffffffffffin AES-CTR. What will happen if you encrypt the next block, and thereby increment the counter by one? Will it result in an overflow error of sorts?
aes block-cipher initialization-vector
aes block-cipher initialization-vector
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
asked Jun 10 at 2:48
KyomaKyoma
62 bronze badges
62 bronze badges
$begingroup$
As far as I know behavior is specific to the implementation, it isn't standardized anywhere.
$endgroup$
– puzzlepalace
Jun 10 at 19:39
add a comment |
$begingroup$
As far as I know behavior is specific to the implementation, it isn't standardized anywhere.
$endgroup$
– puzzlepalace
Jun 10 at 19:39
$begingroup$
As far as I know behavior is specific to the implementation, it isn't standardized anywhere.
$endgroup$
– puzzlepalace
Jun 10 at 19:39
$begingroup$
As far as I know behavior is specific to the implementation, it isn't standardized anywhere.
$endgroup$
– puzzlepalace
Jun 10 at 19:39
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
In AES-CTR, the ‘IV’ and ‘counter’ are different concepts. To encrypt a message, you specify a nonce, like a message sequence number—sometimes called an ‘IV’. The nonce is usually 64 or 96 bits, but it could be anywhere from 0 to 128 bits long. For security, you must never reuse a nonce with a key. The length of the nonce for the particular AES-CTR system you're using determines the maximum message length: inside AES-CTR, the remainder of a 128-bit string after filling part of it with a nonce is used to count blocks within a message.
So, for example, if you send the message $m_1 mathbin| m_2 mathbin| m_3$, and then the message $m'_1 mathbin| m'_2$, you might in your protocol choose the nonce 42 for the first message, and the nonce 69 for the second, and the ciphertexts will be internally computed as:
beginalign
c &= bigl(m_1 oplus operatornameAES_k(42 mathbin| 0)) mathbin| (m_2 oplus operatornameAES_k(42 mathbin| 1) mathbin| (m_3 oplus operatornameAES_k(42 mathbin| 2)bigr), \
c' &= bigl(m'_1 oplus operatornameAES_k(69 mathbin| 0)) mathbin| (m'_2 oplus operatornameAES_k(69 mathbin| 1)bigr).
endalign
(Here the $m_i$ and $m'_i$ are exactly 128 bits long apiece; it is inside AES-CTR that the block counter 0, 1, 2, …, is maintained.)
For (say) AES-CTR with a 96-bit nonce, the maximum message length is $2^32$ 128-bit blocks, or $2^36$ bytes. What happens if you try to encrypt a $(2^36 + 1)$-byte message? It's simply not defined in that case—like dividing by zero. You should avoid designing a protocol in which this question might even arise; what an implementation might do may vary: it could silently wrap around, effectively encrypting messages with a two-time pad; it could fail noisily and abort the computation; it could make demons fly out of your nose.
What if you use a 0-bit nonce, so that the maximum message length is $2^128$ 128-bit blocks, or $2^132$ bytes? You don't have that many bytes and you don't have enough time to wait for all the computers in the world to encrypt that many bytes.
What if—internal block counter aside—you use a 64-bit message sequence number as a nonce? Will you have to worry about wrapping around? Hint: You are doing this in sequence. Let's say it takes you a nanosecond to encrypt each message. How many centuries do you have to wait for a 64-bit message counter to overflow?
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
$endgroup$
add a comment |
$begingroup$
What do you expect to generate the overflow error? The AES function certainly doesn't know about the way you construct the 16 byte cleartext block.
AES-CTR is usually done with 64 bits of nonce and 64 bits of counter, so it will overflow much sooner, after $ 2^64 - 1 $. The counter value will either wrap around, or raise an error / throw an exception, or will just become $ 2^64 $ and then $ 2^64 + 1 $, depending on the programming language you use (sometimes, depending on whether you're compiling in debug or release mode!).
For C unsigned integer type like uint64_t, it will wrap around to 0. For a hypothetical signed C type that is big enough to fit that value, because signed overflow is undefined, the compiler is allowed to generate whatever code it wants (this would be very bad).
Java plain doesn't have unsigned 64 bit ints, only signed ones, but the language spec says what happens to them at overflow.
Python has only bigints (no fixed sized ints except as part of typed arrays), so it will happily be a 65 bit value (or a 6,500 bit value).
Consult your programming language reference manual (or CPU ISA manual if programming in assembly).
Depending on your authentication scheme or AEAD, you don't want to wait for that counter to wrap around, because you are supposed to re-key earlier. For example AES-GCM should use 96 bits nonce and 32 bits counter, for reasons.
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
$endgroup$
add a comment |
$begingroup$
To ignore the (important) security issues and to just answer the question:
It depends. The 128-bit block can be separated into a "nonce" and a "counter", and then you would wrap around only on the counter. For example, if the counter is 32 bits, then you would go back to ffffffffffffffffffffffff00000000.
However, the vast majority of implementations see the entire block as a counter, therefore you would go back to 00000000000000000000000000000000.
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71195%2fwhat-happens-if-you-increment-max-counter-in-aes-ctr%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
In AES-CTR, the ‘IV’ and ‘counter’ are different concepts. To encrypt a message, you specify a nonce, like a message sequence number—sometimes called an ‘IV’. The nonce is usually 64 or 96 bits, but it could be anywhere from 0 to 128 bits long. For security, you must never reuse a nonce with a key. The length of the nonce for the particular AES-CTR system you're using determines the maximum message length: inside AES-CTR, the remainder of a 128-bit string after filling part of it with a nonce is used to count blocks within a message.
So, for example, if you send the message $m_1 mathbin| m_2 mathbin| m_3$, and then the message $m'_1 mathbin| m'_2$, you might in your protocol choose the nonce 42 for the first message, and the nonce 69 for the second, and the ciphertexts will be internally computed as:
beginalign
c &= bigl(m_1 oplus operatornameAES_k(42 mathbin| 0)) mathbin| (m_2 oplus operatornameAES_k(42 mathbin| 1) mathbin| (m_3 oplus operatornameAES_k(42 mathbin| 2)bigr), \
c' &= bigl(m'_1 oplus operatornameAES_k(69 mathbin| 0)) mathbin| (m'_2 oplus operatornameAES_k(69 mathbin| 1)bigr).
endalign
(Here the $m_i$ and $m'_i$ are exactly 128 bits long apiece; it is inside AES-CTR that the block counter 0, 1, 2, …, is maintained.)
For (say) AES-CTR with a 96-bit nonce, the maximum message length is $2^32$ 128-bit blocks, or $2^36$ bytes. What happens if you try to encrypt a $(2^36 + 1)$-byte message? It's simply not defined in that case—like dividing by zero. You should avoid designing a protocol in which this question might even arise; what an implementation might do may vary: it could silently wrap around, effectively encrypting messages with a two-time pad; it could fail noisily and abort the computation; it could make demons fly out of your nose.
What if you use a 0-bit nonce, so that the maximum message length is $2^128$ 128-bit blocks, or $2^132$ bytes? You don't have that many bytes and you don't have enough time to wait for all the computers in the world to encrypt that many bytes.
What if—internal block counter aside—you use a 64-bit message sequence number as a nonce? Will you have to worry about wrapping around? Hint: You are doing this in sequence. Let's say it takes you a nanosecond to encrypt each message. How many centuries do you have to wait for a 64-bit message counter to overflow?
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
$endgroup$
add a comment |
$begingroup$
In AES-CTR, the ‘IV’ and ‘counter’ are different concepts. To encrypt a message, you specify a nonce, like a message sequence number—sometimes called an ‘IV’. The nonce is usually 64 or 96 bits, but it could be anywhere from 0 to 128 bits long. For security, you must never reuse a nonce with a key. The length of the nonce for the particular AES-CTR system you're using determines the maximum message length: inside AES-CTR, the remainder of a 128-bit string after filling part of it with a nonce is used to count blocks within a message.
So, for example, if you send the message $m_1 mathbin| m_2 mathbin| m_3$, and then the message $m'_1 mathbin| m'_2$, you might in your protocol choose the nonce 42 for the first message, and the nonce 69 for the second, and the ciphertexts will be internally computed as:
beginalign
c &= bigl(m_1 oplus operatornameAES_k(42 mathbin| 0)) mathbin| (m_2 oplus operatornameAES_k(42 mathbin| 1) mathbin| (m_3 oplus operatornameAES_k(42 mathbin| 2)bigr), \
c' &= bigl(m'_1 oplus operatornameAES_k(69 mathbin| 0)) mathbin| (m'_2 oplus operatornameAES_k(69 mathbin| 1)bigr).
endalign
(Here the $m_i$ and $m'_i$ are exactly 128 bits long apiece; it is inside AES-CTR that the block counter 0, 1, 2, …, is maintained.)
For (say) AES-CTR with a 96-bit nonce, the maximum message length is $2^32$ 128-bit blocks, or $2^36$ bytes. What happens if you try to encrypt a $(2^36 + 1)$-byte message? It's simply not defined in that case—like dividing by zero. You should avoid designing a protocol in which this question might even arise; what an implementation might do may vary: it could silently wrap around, effectively encrypting messages with a two-time pad; it could fail noisily and abort the computation; it could make demons fly out of your nose.
What if you use a 0-bit nonce, so that the maximum message length is $2^128$ 128-bit blocks, or $2^132$ bytes? You don't have that many bytes and you don't have enough time to wait for all the computers in the world to encrypt that many bytes.
What if—internal block counter aside—you use a 64-bit message sequence number as a nonce? Will you have to worry about wrapping around? Hint: You are doing this in sequence. Let's say it takes you a nanosecond to encrypt each message. How many centuries do you have to wait for a 64-bit message counter to overflow?
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
$endgroup$
add a comment |
$begingroup$
In AES-CTR, the ‘IV’ and ‘counter’ are different concepts. To encrypt a message, you specify a nonce, like a message sequence number—sometimes called an ‘IV’. The nonce is usually 64 or 96 bits, but it could be anywhere from 0 to 128 bits long. For security, you must never reuse a nonce with a key. The length of the nonce for the particular AES-CTR system you're using determines the maximum message length: inside AES-CTR, the remainder of a 128-bit string after filling part of it with a nonce is used to count blocks within a message.
So, for example, if you send the message $m_1 mathbin| m_2 mathbin| m_3$, and then the message $m'_1 mathbin| m'_2$, you might in your protocol choose the nonce 42 for the first message, and the nonce 69 for the second, and the ciphertexts will be internally computed as:
beginalign
c &= bigl(m_1 oplus operatornameAES_k(42 mathbin| 0)) mathbin| (m_2 oplus operatornameAES_k(42 mathbin| 1) mathbin| (m_3 oplus operatornameAES_k(42 mathbin| 2)bigr), \
c' &= bigl(m'_1 oplus operatornameAES_k(69 mathbin| 0)) mathbin| (m'_2 oplus operatornameAES_k(69 mathbin| 1)bigr).
endalign
(Here the $m_i$ and $m'_i$ are exactly 128 bits long apiece; it is inside AES-CTR that the block counter 0, 1, 2, …, is maintained.)
For (say) AES-CTR with a 96-bit nonce, the maximum message length is $2^32$ 128-bit blocks, or $2^36$ bytes. What happens if you try to encrypt a $(2^36 + 1)$-byte message? It's simply not defined in that case—like dividing by zero. You should avoid designing a protocol in which this question might even arise; what an implementation might do may vary: it could silently wrap around, effectively encrypting messages with a two-time pad; it could fail noisily and abort the computation; it could make demons fly out of your nose.
What if you use a 0-bit nonce, so that the maximum message length is $2^128$ 128-bit blocks, or $2^132$ bytes? You don't have that many bytes and you don't have enough time to wait for all the computers in the world to encrypt that many bytes.
What if—internal block counter aside—you use a 64-bit message sequence number as a nonce? Will you have to worry about wrapping around? Hint: You are doing this in sequence. Let's say it takes you a nanosecond to encrypt each message. How many centuries do you have to wait for a 64-bit message counter to overflow?
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
$endgroup$
In AES-CTR, the ‘IV’ and ‘counter’ are different concepts. To encrypt a message, you specify a nonce, like a message sequence number—sometimes called an ‘IV’. The nonce is usually 64 or 96 bits, but it could be anywhere from 0 to 128 bits long. For security, you must never reuse a nonce with a key. The length of the nonce for the particular AES-CTR system you're using determines the maximum message length: inside AES-CTR, the remainder of a 128-bit string after filling part of it with a nonce is used to count blocks within a message.
So, for example, if you send the message $m_1 mathbin| m_2 mathbin| m_3$, and then the message $m'_1 mathbin| m'_2$, you might in your protocol choose the nonce 42 for the first message, and the nonce 69 for the second, and the ciphertexts will be internally computed as:
beginalign
c &= bigl(m_1 oplus operatornameAES_k(42 mathbin| 0)) mathbin| (m_2 oplus operatornameAES_k(42 mathbin| 1) mathbin| (m_3 oplus operatornameAES_k(42 mathbin| 2)bigr), \
c' &= bigl(m'_1 oplus operatornameAES_k(69 mathbin| 0)) mathbin| (m'_2 oplus operatornameAES_k(69 mathbin| 1)bigr).
endalign
(Here the $m_i$ and $m'_i$ are exactly 128 bits long apiece; it is inside AES-CTR that the block counter 0, 1, 2, …, is maintained.)
For (say) AES-CTR with a 96-bit nonce, the maximum message length is $2^32$ 128-bit blocks, or $2^36$ bytes. What happens if you try to encrypt a $(2^36 + 1)$-byte message? It's simply not defined in that case—like dividing by zero. You should avoid designing a protocol in which this question might even arise; what an implementation might do may vary: it could silently wrap around, effectively encrypting messages with a two-time pad; it could fail noisily and abort the computation; it could make demons fly out of your nose.
What if you use a 0-bit nonce, so that the maximum message length is $2^128$ 128-bit blocks, or $2^132$ bytes? You don't have that many bytes and you don't have enough time to wait for all the computers in the world to encrypt that many bytes.
What if—internal block counter aside—you use a 64-bit message sequence number as a nonce? Will you have to worry about wrapping around? Hint: You are doing this in sequence. Let's say it takes you a nanosecond to encrypt each message. How many centuries do you have to wait for a 64-bit message counter to overflow?
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
answered Jun 10 at 3:44
Squeamish OssifrageSqueamish Ossifrage
29.1k1 gold badge44 silver badges123 bronze badges
29.1k1 gold badge44 silver badges123 bronze badges
add a comment |
add a comment |
$begingroup$
What do you expect to generate the overflow error? The AES function certainly doesn't know about the way you construct the 16 byte cleartext block.
AES-CTR is usually done with 64 bits of nonce and 64 bits of counter, so it will overflow much sooner, after $ 2^64 - 1 $. The counter value will either wrap around, or raise an error / throw an exception, or will just become $ 2^64 $ and then $ 2^64 + 1 $, depending on the programming language you use (sometimes, depending on whether you're compiling in debug or release mode!).
For C unsigned integer type like uint64_t, it will wrap around to 0. For a hypothetical signed C type that is big enough to fit that value, because signed overflow is undefined, the compiler is allowed to generate whatever code it wants (this would be very bad).
Java plain doesn't have unsigned 64 bit ints, only signed ones, but the language spec says what happens to them at overflow.
Python has only bigints (no fixed sized ints except as part of typed arrays), so it will happily be a 65 bit value (or a 6,500 bit value).
Consult your programming language reference manual (or CPU ISA manual if programming in assembly).
Depending on your authentication scheme or AEAD, you don't want to wait for that counter to wrap around, because you are supposed to re-key earlier. For example AES-GCM should use 96 bits nonce and 32 bits counter, for reasons.
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
$endgroup$
add a comment |
$begingroup$
What do you expect to generate the overflow error? The AES function certainly doesn't know about the way you construct the 16 byte cleartext block.
AES-CTR is usually done with 64 bits of nonce and 64 bits of counter, so it will overflow much sooner, after $ 2^64 - 1 $. The counter value will either wrap around, or raise an error / throw an exception, or will just become $ 2^64 $ and then $ 2^64 + 1 $, depending on the programming language you use (sometimes, depending on whether you're compiling in debug or release mode!).
For C unsigned integer type like uint64_t, it will wrap around to 0. For a hypothetical signed C type that is big enough to fit that value, because signed overflow is undefined, the compiler is allowed to generate whatever code it wants (this would be very bad).
Java plain doesn't have unsigned 64 bit ints, only signed ones, but the language spec says what happens to them at overflow.
Python has only bigints (no fixed sized ints except as part of typed arrays), so it will happily be a 65 bit value (or a 6,500 bit value).
Consult your programming language reference manual (or CPU ISA manual if programming in assembly).
Depending on your authentication scheme or AEAD, you don't want to wait for that counter to wrap around, because you are supposed to re-key earlier. For example AES-GCM should use 96 bits nonce and 32 bits counter, for reasons.
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
$endgroup$
add a comment |
$begingroup$
What do you expect to generate the overflow error? The AES function certainly doesn't know about the way you construct the 16 byte cleartext block.
AES-CTR is usually done with 64 bits of nonce and 64 bits of counter, so it will overflow much sooner, after $ 2^64 - 1 $. The counter value will either wrap around, or raise an error / throw an exception, or will just become $ 2^64 $ and then $ 2^64 + 1 $, depending on the programming language you use (sometimes, depending on whether you're compiling in debug or release mode!).
For C unsigned integer type like uint64_t, it will wrap around to 0. For a hypothetical signed C type that is big enough to fit that value, because signed overflow is undefined, the compiler is allowed to generate whatever code it wants (this would be very bad).
Java plain doesn't have unsigned 64 bit ints, only signed ones, but the language spec says what happens to them at overflow.
Python has only bigints (no fixed sized ints except as part of typed arrays), so it will happily be a 65 bit value (or a 6,500 bit value).
Consult your programming language reference manual (or CPU ISA manual if programming in assembly).
Depending on your authentication scheme or AEAD, you don't want to wait for that counter to wrap around, because you are supposed to re-key earlier. For example AES-GCM should use 96 bits nonce and 32 bits counter, for reasons.
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
$endgroup$
What do you expect to generate the overflow error? The AES function certainly doesn't know about the way you construct the 16 byte cleartext block.
AES-CTR is usually done with 64 bits of nonce and 64 bits of counter, so it will overflow much sooner, after $ 2^64 - 1 $. The counter value will either wrap around, or raise an error / throw an exception, or will just become $ 2^64 $ and then $ 2^64 + 1 $, depending on the programming language you use (sometimes, depending on whether you're compiling in debug or release mode!).
For C unsigned integer type like uint64_t, it will wrap around to 0. For a hypothetical signed C type that is big enough to fit that value, because signed overflow is undefined, the compiler is allowed to generate whatever code it wants (this would be very bad).
Java plain doesn't have unsigned 64 bit ints, only signed ones, but the language spec says what happens to them at overflow.
Python has only bigints (no fixed sized ints except as part of typed arrays), so it will happily be a 65 bit value (or a 6,500 bit value).
Consult your programming language reference manual (or CPU ISA manual if programming in assembly).
Depending on your authentication scheme or AEAD, you don't want to wait for that counter to wrap around, because you are supposed to re-key earlier. For example AES-GCM should use 96 bits nonce and 32 bits counter, for reasons.
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
edited Jun 10 at 3:28
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
answered Jun 10 at 3:22
Z.T.Z.T.
5893 silver badges16 bronze badges
5893 silver badges16 bronze badges
add a comment |
add a comment |
$begingroup$
To ignore the (important) security issues and to just answer the question:
It depends. The 128-bit block can be separated into a "nonce" and a "counter", and then you would wrap around only on the counter. For example, if the counter is 32 bits, then you would go back to ffffffffffffffffffffffff00000000.
However, the vast majority of implementations see the entire block as a counter, therefore you would go back to 00000000000000000000000000000000.
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
$endgroup$
add a comment |
$begingroup$
To ignore the (important) security issues and to just answer the question:
It depends. The 128-bit block can be separated into a "nonce" and a "counter", and then you would wrap around only on the counter. For example, if the counter is 32 bits, then you would go back to ffffffffffffffffffffffff00000000.
However, the vast majority of implementations see the entire block as a counter, therefore you would go back to 00000000000000000000000000000000.
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
$endgroup$
add a comment |
$begingroup$
To ignore the (important) security issues and to just answer the question:
It depends. The 128-bit block can be separated into a "nonce" and a "counter", and then you would wrap around only on the counter. For example, if the counter is 32 bits, then you would go back to ffffffffffffffffffffffff00000000.
However, the vast majority of implementations see the entire block as a counter, therefore you would go back to 00000000000000000000000000000000.
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
$endgroup$
To ignore the (important) security issues and to just answer the question:
It depends. The 128-bit block can be separated into a "nonce" and a "counter", and then you would wrap around only on the counter. For example, if the counter is 32 bits, then you would go back to ffffffffffffffffffffffff00000000.
However, the vast majority of implementations see the entire block as a counter, therefore you would go back to 00000000000000000000000000000000.
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
answered Jun 10 at 13:58
ConradoConrado
2,67813 silver badges27 bronze badges
2,67813 silver badges27 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71195%2fwhat-happens-if-you-increment-max-counter-in-aes-ctr%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
As far as I know behavior is specific to the implementation, it isn't standardized anywhere.
$endgroup$
– puzzlepalace
Jun 10 at 19:39