This paper proposes “Compound-CTR” mode—a simple variation of Counter mode (CTR) with an n bits block cipher. Its goal is to increase the allowed length of a single message and the total number of messages that can be encrypted under a single key.
Compound-CTR encrypts a message and a (randomly chosen) nonce with length greater or equal n bits. It uses a master key to derive a nonce-based encryption key and subsequently uses it for encrypting the message in CTR mode.
We show how Compound-CTR mode achieves its goal and explain why it can be used as a valid variation of CTR mode that could be of interest in some practical scenarios. Compared to CTR mode, the overhead of Compound-CTR is only the per-message key derivation and one extra key expansion (for the block cipher). We show here key derivation options that require only a few extra block cipher calls.
- Block ciphers
- Modes of operation
- Counter mode