1

I am aware of the requirement of an IV to be unique in CTR mode (Why must IV/key-pairs not be reused in CTR mode?). However I wonder if I can use an IV depending on the plaintext deterministically. This means, of course, that the whole encryption is deterministic, which is what I want.

In the following scenario:

$C_1 = ENC_{AES-CTR}(K, P_1, IV(P_1))$

$C_2 = ENC_{AES-CTR}(K, P_2, IV(P_2))$

If $P_1 = P_2$

then $C_1 = C_2$

then $C_1 \oplus C_2 = C_1 \oplus C_1 = 0$, which essentially doesn't mean anything other than $P_1 = P_2$, which we already knew, as we're talking about deterministic encryption.

The question is: Is, by definition, the use of an IV for the same plaintext a re-use? If not, will a strong hash function be suitable to derive an IV from the plaintext? (Similar question: Security of this deterministic encryption scheme)

I'd like to use SIV mode, but it's not available on either of the platforms involved.

Edit: Some more information about my plaintext: I want to encrypt filenames. This means the plaintext is short, might consist of known words, has little entropy and sometimes fits into a single block. As already said before, I want equal plaintext filenames to result in equal ciphertexts.

Edit 2: All information needed for decryption must be contained in the resulting ciphered filename, e.g. as a prefix. Due to length constraints on certain file systems this prefix should be as short as possible.

Sebastian S
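As an added example (not code from the original post or from any of the platforms it mentions), the construction asked about above, written out so the two properties under discussion can be checked directly: the IV is derived from the plaintext, so equal filenames give equal ciphertexts, and the 16-byte IV prefix is all the decryptor needs. The keys, the filenames and the choice of HMAC-SHA256 truncated to 16 bytes as the IV-derivation function are assumptions made for this example; this is an SIV-like design, not RFC 5297 AES-SIV, and is not interoperable with it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys (assumption, not from the thread). A deployment would
// derive both from one master key, e.g. with HKDF, never hard-code them.
var (
	encKey = []byte("0123456789abcdef")            // AES-128 key for CTR
	ivKey  = []byte("iv-derivation-key-separate!!") // HMAC key for the synthetic IV
)

const ivLen = aes.BlockSize // 16-byte CTR counter block

// deriveIV computes the synthetic IV as the first 16 bytes of
// HMAC-SHA256(ivKey, plaintext). Equal plaintexts give equal IVs. A keyed PRF
// is used instead of a bare hash so that nobody without ivKey can compute the
// IV for a guessed filename and compare it against a stored prefix.
func deriveIV(plaintext []byte) []byte {
	mac := hmac.New(sha256.New, ivKey)
	mac.Write(plaintext)
	return mac.Sum(nil)[:ivLen]
}

// ctrXor runs AES-CTR with the given counter block over data (encrypt and
// decrypt are the same operation).
func ctrXor(iv, data []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// Encrypt returns iv || AES-CTR(encKey, iv, plaintext) with iv = deriveIV(plaintext).
// The 16-byte prefix is everything the decryptor needs (cf. "Edit 2").
func Encrypt(plaintext []byte) []byte {
	iv := deriveIV(plaintext)
	out := make([]byte, 0, ivLen+len(plaintext))
	out = append(out, iv...)
	return append(out, ctrXor(iv, plaintext)...)
}

// Decrypt splits off the IV, decrypts, then recomputes the IV from the
// recovered plaintext and rejects the blob if it does not match. That check is
// what makes the construction SIV-like: flipping any ciphertext bit changes
// the recovered plaintext and therefore the expected IV.
func Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < ivLen {
		return nil, errors.New("ciphertext shorter than IV prefix")
	}
	iv, ct := blob[:ivLen], blob[ivLen:]
	pt := ctrXor(iv, ct)
	if !hmac.Equal(iv, deriveIV(pt)) {
		return nil, errors.New("IV check failed: ciphertext modified or wrong key")
	}
	return pt, nil
}

// EncryptFixedIV is the real (key, IV) reuse the linked question warns about:
// the same counter block for every message. Included only as a contrast.
func EncryptFixedIV(plaintext []byte) []byte {
	return ctrXor(make([]byte, ivLen), plaintext)
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamLeaks reports whether c1 XOR c2 equals p1 XOR p2, i.e. whether the
// two encryptions shared a keystream.
func KeystreamLeaks(p1, p2, c1, c2 []byte) bool {
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

func main() {
	p1 := []byte("report-2020.pdf") // constructed sample filenames
	p2 := []byte("report-2021.pdf")
	c1, c2 := Encrypt(p1), Encrypt(p2)
	fmt.Printf("same name, same blob:    %v\n", bytes.Equal(Encrypt(p1), c1))
	fmt.Printf("derived IV leaks p1^p2:  %v\n", KeystreamLeaks(p1, p2, c1[ivLen:], c2[ivLen:]))
	fmt.Printf("fixed IV leaks p1^p2:    %v\n", KeystreamLeaks(p1, p2, EncryptFixedIV(p1), EncryptFixedIV(p2)))
	pt, err := Decrypt(c1)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	c1[ivLen] ^= 0x01 // flip one ciphertext bit
	_, err = Decrypt(c1)
	fmt.Printf("tampered: err=%v\n", err)
}
```

Two things the example makes visible. First, with the IV a PRF of the plaintext, two different filenames get different counter blocks, so $C_1 \oplus C_2$ does not reveal $P_1 \oplus P_2$; only the fixed-IV variant does. Second, recomputing the IV at decryption time turns the prefix into an integrity check for free, which plain CTR does not give you. What remains inherent in any deterministic scheme is that equal filenames are visible as equal ciphertexts, exactly as the question states.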

2 Answers

2

I cannot prove that your scheme is secure, but as far as I know, a non-cryptographic hash function would work fine, as there is an infinite number of inputs to any given hash, making it impossible to brute-force all but the shortest messages (which would be an issue for short messages; you may want to append some sort of 128-bit padding).

However, that said, 128-bit block ciphers begin to lose security after $2^{64}$ blocks, as the number of collisions increases. In CBC mode, subsequent blocks use the previous block as an IV. If two blocks have the same output, that means that the two previous blocks XORed together will equal the two plaintexts XORed together.

Mike Edward Moras
user3201068
1

You want convergent encryption. I recommend you use an existing scheme for convergent encryption, such as the scheme used by Tahoe-LAFS, rather than trying to invent your own. There are multiple such schemes.

See also https://tahoe-lafs.org/hacktahoelafs/drew_perttula.html.

D.W.