ECB and CTR cryptographically secure pseudorandom number generators

i uh... ECB??? cryptographically secure????

ECB?!?!

@dysfun ECB for a CSPRNG can still be fine, depending on how it's used.
@gsuberland i'm scared, graham
@dysfun I've used ECB in actual cryptosystems in the last year, even. it's still a useful mode for *very* specific use cases. but you need to know for 100% sure you're not violating a security expectation, otherwise you're fuuuuucked lol
@gsuberland @dysfun Seems like using ECB in a CSPRNG would require ensuring (@ P < ~2^-128) no duplicate PT blocks?
…which effectively means CTR mode.
@marshray @dysfun yeah you basically end up using ECB as a primitive to build a custom mode.
@gsuberland @dysfun It’s totally justifiable to use “ECB mode” as simply the API to parallelizable block cipher application.
@marshray @dysfun hmm. generally you don't want to be doing ECB on anything but a single block per key, but I think we're getting into the weeds a bit.
@gsuberland @dysfun My point is simply that if we apply a block cipher to a proper sequence of values and XOR the result then that’s CTR mode, even if an API having the letters “ecb” in its name is used.
@marshray @dysfun oh, right. I guess? but that's really just AES or whatever as a primitive.
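The point made in the thread, as an added example that is not code from any participant: applying a block cipher in "ECB" fashion to a sequence of distinct counter blocks and XORing the result with the data gives the same output as CTR mode, while raw ECB over repeated plaintext blocks leaks the repetition. All function names, the nonce layout (8-byte nonce followed by a 64-bit big-endian counter) and the key are assumptions constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// ecbEncrypt applies the cipher to each 16-byte block independently ("ECB mode").
func ecbEncrypt(b cipher.Block, in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		b.Encrypt(out[i:i+16], in[i:i+16])
	}
	return out
}

// keystream ECB-encrypts n distinct blocks: nonce || 64-bit big-endian counter.
func keystream(b cipher.Block, nonce [8]byte, n int) []byte {
	in := make([]byte, 16*n)
	for i := 0; i < n; i++ {
		copy(in[16*i:], nonce[:])
		binary.BigEndian.PutUint64(in[16*i+8:], uint64(i))
	}
	return ecbEncrypt(b, in)
}

// ctrViaECB XORs data with the ECB-built keystream, truncated to len(data).
func ctrViaECB(b cipher.Block, nonce [8]byte, data []byte) []byte {
	out := keystream(b, nonce, (len(data)+15)/16)[:len(data)]
	for i := range out {
		out[i] ^= data[i]
	}
	return out
}

// ctrStdlib uses crypto/cipher's CTR with the same initial counter block (nonce || 0).
func ctrStdlib(b cipher.Block, nonce [8]byte, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(b, append(nonce[:], make([]byte, 8)...)).XORKeyStream(out, data)
	return out
}

func main() {
	b, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 16)) // constructed demo key, not a real secret
	nonce, pt := [8]byte{1, 2, 3, 4, 5, 6, 7, 8}, bytes.Repeat([]byte("SAME BLOCK 16 B!"), 3)
	fmt.Println("ECB-built == stdlib CTR:", bytes.Equal(ctrViaECB(b, nonce, pt), ctrStdlib(b, nonce, pt)), "raw ECB repeats:", bytes.Equal(ecbEncrypt(b, pt)[:16], ecbEncrypt(b, pt)[16:32]))
}
```

The equivalence only holds while the counter blocks never repeat under one key, which is the no-duplicate-input condition raised in the thread.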