Cryptopals Guided Tour - 18 - Implement CTR, the stream cipher mode

00:00 - Intro 00:52 - Overview of CTR parameters 03:07 - Does CTR matter in good code? 04:04 - Does decryption matter in good cryptosystems? 05:04 - Introducing the NIST CTR specification (SP 800-38A) 06:25 - Admiring the illustration for CTR mode 06:53 - Discussing impossible differentials in CTR mode 07:57 - What if you reuse a nonce? 08:24 - Returning to SP 800-38A 10:00 - Discussing the sequential version of CTR mode 11:05 - Discussing the nonce-based version of CTR mode 12:40 - What does SP 800-38A say about nonce management? 13:47 - Typographic considerations 14:40 - GCM's probabilistic uniqueness requirement 15:41 - "nonce" vs "IV" 16:00 - GCM's RBG-based IVs 17:05 - The birthday problem 17:37 - Why is the "birthday paradox" true? 18:26 - Getting the probability of GCM nonce collision 19:40 - Using Decimals for added precision in Python 20:31 - Getting the probability of CTR nonce collision 22:00 - You can only call CTR encryption 2^16 times lol 22:42 - Writing some code 24:25 - Why use a separate keystream() function? 25:56 - int.to_bytes() vs struct.pack() 27:17 - Two ways of handling keystream blocks 28:31 - Using a generator function to define the keystream size implicitly 28:53 - Style note on how to use generator functions 29:15 - Implementing CTR decryption 29:45 - Finishing the challenge and recovering the plaintext Further reading: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf https://csrc.nist.gov/news/2023/decision-to-revise-nist-sp-800-38a https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ https://eprint.iacr.org/2018/159.pdf This video, and the rest of the Cryptopals Guided Tour, is licensed under the Creative Commons license CC BY 4.0, and may be shared with attribution to the author.