
In AES-CTR, a key, a nonce and a counter are all encrypted to produce a value that is then XORed with a plaintext to produce the ciphertext.

Let's say we were to make a hash out of the key, the nonce and the counter instead of using the AES algorithm, and then XOR our plaintext with the hash to make a ciphertext.

Would something like this have security (or other kind of) flaws? What are those?

  • @kelalaka Yes, I think it does! TLDR: AES is faster than hashing; it is widely tested for collision resistance, but still, it doesn't have to be AES. Hashing could work but is not recommended. – BillTheKid Dec 17 '23 at 12:43
  • And, note that ChaCha is a PRF and AES is a PRP (block ciphers are synonyms for PRP), and CTR mode needs just a PRF, which has a wider range of functions than PRPs. You may also see these: Disadvantages of AES-CTR? and Is there a difference between PRF and a hash function?. – kelalaka Dec 17 '23 at 13:15
  • On a more philosophical note, the answer also depends on what exactly you mean by hash. Usually, collision and pre-image resistance are the basic expected properties. These do not imply any random output behavior, which is a must for CTR. Obviously, the discussion is different if you use the random oracle model. – Marc Ilunga Dec 17 '23 at 15:05
  • I'd say that if the hash displays the avalanche effect (which is more or less implied by the collision and pre-image resistance) and a uniform output (over an x-number of bits) then it would be suitable. SHA-2 hashes have both desired properties. – Maarten Bodewes Dec 17 '23 at 19:02
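
The construction the question describes, as an added example that is not from the question or any of the comments. It swaps the bare hash for HMAC-SHA-256, a keyed function commonly modelled as a PRF (the property the comments say CTR mode needs), and assumes a 12-byte nonce and a 4-byte big-endian counter; all keys, nonces and messages are constructed sample values. It also checks that, exactly as with AES-CTR, reusing a (key, nonce) pair repeats the keystream, and that nothing here provides integrity.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32 keystream bytes per counter value
NONCE_LEN = 12                        # assumed layout: 12-byte nonce || 4-byte counter

def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # Fixed-width fields keep the (nonce, counter) encoding unambiguous;
    # to_bytes() raises OverflowError once the 32-bit counter is exhausted.
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be exactly 12 bytes")
    msg = nonce + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation, as in CTR mode.
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, offset // BLOCK)
        out += xor_bytes(data[offset:offset + BLOCK], ks)
    return bytes(out)

def demo():
    key = bytes(range(32))                       # constructed sample key
    nonce_a = b"\x00" * 11 + b"\x01"             # constructed sample nonces
    nonce_b = b"\x00" * 11 + b"\x02"
    p1 = b"first constructed message, longer than one 32-byte block"
    p2 = b"second constructed message, also spanning two blocks!!!!"

    c1 = xor_stream(key, nonce_a, p1)
    roundtrip_ok = xor_stream(key, nonce_a, c1) == p1

    # Same key and nonce: the keystream cancels, so c1 XOR c2 == p1 XOR p2.
    c2_reused = xor_stream(key, nonce_a, p2)
    reuse_leaks = xor_bytes(c1, c2_reused) == xor_bytes(p1, p2)

    # Fresh nonce: the relation above no longer holds.
    c2_fresh = xor_stream(key, nonce_b, p2)
    fresh_leaks = xor_bytes(c1, c2_fresh) == xor_bytes(p1, p2)
    return roundtrip_ok, reuse_leaks, fresh_leaks

if __name__ == "__main__":
    print(demo())
```

In practice the output of `xor_stream` would be paired with a MAC over the nonce and ciphertext, since the XOR step alone lets ciphertext bits be flipped undetected.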
