为什么这个 AES CTR 解密没有按预期工作？

Question

I'm trying to figure out what I'm doing wrong here. I'm doing the cryptography challenges over at CryptoPals.com and this particular one has me stumped. It asks for me to create my own implementation of CTR with the following parameters:

key=YELLOW SUBMARINE
      nonce=0
      format=64 bit unsigned little endian nonce,
             64 bit little endian block count (byte count / 16)

I've actually done the challenge successfully but I can't figure out how to do it using a library. I wanted to compare the two. I've tried PyCrypto and I've tried cryptography.hazmat. They always produce a different result. I was hoping someone could spot what I was doing wrong.

This is my most recent attempt with Crypto.Cipher:

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
from Crypto.Cipher import AES
from Crypto.Util import Counter
import base64


class Custom_CTR:

    def __init__(self, key):
        self.aes_custom = Cipher(algorithms.AES(key), modes.ECB(), default_backend())

    def custom_aes_128_ctr_keystream_generator(self, nonce, counter):
        while True:
            to_encrypt = (nonce.to_bytes(length=8, byteorder='little')
                          + counter.to_bytes(length=8, byteorder='little'))
            encryptor = self.aes_custom.encryptor()
            keystream_block = encryptor.update(to_encrypt) + encryptor.finalize()
            yield from keystream_block
            counter += 1

    def custom_aes_128_ctr_encrypt(self, nonce, counter, data):
        result = b''
        my_gen = self.custom_aes_128_ctr_keystream_generator(nonce, counter)
        for i in range(len(data)):
            result += bytes([next(my_gen) ^ data[i]])
        return result


def pycrypto_aes_128_ctr_encrypt(key, data):
    _ctr = Counter.new(128, initial_value=0, little_endian=True)
    aes = AES.new(key, AES.MODE_CTR, counter=_ctr)
    return aes.encrypt(data)


k = b'YELLOW SUBMARINE'
ctr = Custom_CTR(k)
enc = base64.b64decode(b'L77na/nrFsKvynd6HzOoG7GHTLXsTVu9qvY/2syLXzhPweyyMTJULu/6/kXX0KSvoOLSFQ==')
print('custom ctr:', ctr.custom_aes_128_ctr_encrypt(0, 0, enc))
print('hazmat ctr:', pycrypto_aes_128_ctr_encrypt(k, enc))

Produces

custom ctr: b"Yo, VIP Let's kick it Ice, Ice, baby Ice, Ice, baby "
hazmat ctr: b"Yo, VIP Let's kic\x84q\x97A\xae\xdcZ@\xf2\xc4\xafc\xb1\xd8\xad8\xfb|\xb4\xd4\x17\x95\x9cX\x0ff\xb6\xf3\xb8\xb3Z\xfe\xff\x9b6"

Answer 1

Nevermind, I just solved it.

def pycrypto_aes_128_ctr_encrypt(key, data):
    _ctr = Counter.new(64, initial_value=0, prefix=b'\x00'*8, little_endian=True)
    aes = AES.new(key, AES.MODE_CTR, counter=_ctr)
    return aes.encrypt(data)

Looks like this generates the parameters that I'm looking for. The counter is 8 bytes and the prefix (nonce) is 8 bytes.