Would it be safe to use a CTR mode this way: exchange the nonce with DH but the counter is send unencrypted together with the encrypted data.
haven't seen anything about this. IV's don't need to be secret but how is this with the nonce and counter?
i don't see a problem there as long as i use a decent encryption algorithm and use nonce + counter only ones, but incrementing only one bit for each packet in the counter makes me feel odd.
The nonce does not need to be secret and keeping it secret adds no security.
According to Wikipedia, many others also felt uneasy about counter mode, but by now, "CTR mode is widely accepted, and problems resulting from the input function are recognized as a weakness of the underlying block cipher instead of the CTR mode."