Quiz Entry - updated: 2026.06.24
Why can't OFB and CTR modes use the same (Key, IV) pair for different messages?
Because they would generate the identical keystream, and XOR-ing two ciphertexts would cancel the keystream and reveal the XOR of the two plaintexts — the same two-time pad attack as with stream ciphers.
The attack:
C1 = M1 ⊕ S (S = keystream from (K, IV))
C2 = M2 ⊕ S (same keystream!)
C1 ⊕ C2 = M1 ⊕ M2
This is exactly the OTP reuse problem. Once an attacker has M1 ⊕ M2, crib dragging can recover both plaintexts.
Prevention:
- OFB: Use a new random IV for each message
- CTR: Use a new nonce for each message (the counter part increments within a message, but the nonce must be unique across messages)
- In practice, use a 96-bit random nonce + 32-bit counter (as in AES-GCM)
Tip: Any mode that acts as a stream cipher (OFB, CTR) inherits the stream cipher's fatal weakness: keystream reuse = total break.