LOGBOOK

HELP

Quiz Entry - updated: 2026.06.24

Why can't OFB and CTR modes use the same (Key, IV) pair for different messages?

Because they would generate the identical keystream, and XOR-ing two ciphertexts would cancel the keystream and reveal the XOR of the two plaintexts — the same two-time pad attack as with stream ciphers.

The attack:

C1 = M1 ⊕ S    (S = keystream from (K, IV))
C2 = M2 ⊕ S    (same keystream!)
C1 ⊕ C2 = M1 ⊕ M2

This is exactly the OTP reuse problem. Once an attacker has M1 ⊕ M2, crib dragging can recover both plaintexts.

Prevention:

  • OFB: Use a new random IV for each message
  • CTR: Use a new nonce for each message (the counter part increments within a message, but the nonce must be unique across messages)
  • In practice, use a 96-bit random nonce + 32-bit counter (as in AES-GCM)

Tip: Any mode that acts as a stream cipher (OFB, CTR) inherits the stream cipher's fatal weakness: keystream reuse = total break.

From Quiz: KRYPTOG / Symmetric Cryptography | Updated: Jun 24, 2026