I am implementing a stream cipher on a microcontroller that only has an AES128 encryption block. According to this page, a block cipher based on an encryption-only module can be converted into a stream cipher using CFB, OFB and CTR modes. Assuming I have a unique IV, which is the most robust method to use?
1 Answer
You should use CTR mode. You will not need a random IV every time; rather, you will use an incrementing counter and set it to zero once you change the KEY. You should not encrypt more than $2^{n/2}$ blocks.
CTR mode allows both parallel encryption and decryption without padding. You can even precompute the CTR encryptions in idle time and just XOR them with the input stream to generate ciphertext once required.
OFB mode has a cycle issue: if the cycle is small, the generated key stream will start repeating itself.
In fact you should use GCM to get authenticated encryption. See Disadvantages of various Authenticated modes of Operation or how to choose between CCM and GCM.
Here is a List of Advantages and Disadvantages of Modes of Operation.
For a good comparison of modes of operation, please see Evaluation of Some Blockcipher Modes of Operation.

- When only AES is accelerated on a not-so-fast microcontroller I would consider AES in CCM or EAX mode before GCM mode. – Maarten Bodewes Sep 21 '17 at 19:22
- I think he has only block encryption available, so can't use CBC or CCM mode of operation. Moreover, CCM will use 2x block encryptions for each block. – crypt Sep 21 '17 at 19:31
- With block encryption you can implement any mode. The GMAC component of GCM requires a 128-bit multiplication per block, so if you've got a constrained CPU it may still be relatively slow and possibly slower than the double AES if that has been accelerated. Testing is the only real way to be sure. – Maarten Bodewes Sep 21 '17 at 21:57
- Can we implement CBC mode decryption when the AES decryption block is not available? Or does AES encryption block availability mean it can perform both encryption and decryption? – crypt Sep 22 '17 at 05:20
- The AES block can only perform encryption, not decryption. – mr_js Sep 22 '17 at 05:32
- @mr_js so there is no possibility of using CBC mode. – crypt Sep 22 '17 at 05:36
- It would seem not, since this relies on the AES decryption block. – mr_js Sep 22 '17 at 05:36
- This is a morning comment, so I had it wrong first; AES-CBC is not an option then and you should rely on CTR. As CBC-MAC and therefore CMAC, CCM and EAX only use AES in one direction, it seems they are still available. – Maarten Bodewes Sep 22 '17 at 07:45