Paper 2020/331

The CTR mode with encrypted nonces and its extension to AE

Sergey Agievich


In the modified CTR (CounTeR) mode known as CTR2, nonces are encrypted before constructing sequences of counters from them. This way we have only probabilistic guarantees for non-overlapping of the sequences. We show that these guarantees, and therefore the security guarantees of CTR2, are strong enough in two standard scenarios: random nonces and non-repeating nonces. We also show how to extend CTR2 to an authenticated encryption mode which we call CHE (Counter-Hash-Encrypt). To extend, we use one invocation of polynomial hashing and one additional block encryption.

Note: Fix typos plus minor clarifications.

Secret-key cryptography
Publication info
Published elsewhere. Minor revision. Preproceeding of CTCrypt'19, 8th Workshop on Current Trends in Cryptology (June 4-7, 2019, Svetlogorsk, Russia)
Keywords
CTR mode, authenticated encryption, block cipher, polynomial hashing, gamma overlapping
Contact author(s)
agievich @ bsu by
2020-09-10: last of 2 revisions
2020-03-17: received
Creative Commons Attribution


      author = {Sergey Agievich},
      title = {The CTR mode with encrypted nonces and its extension to AE},
      howpublished = {Cryptology ePrint Archive, Paper 2020/331},
      year = {2020},
      note = {\url{}},
      url = {}