I want to encrypt a file with AES in CTR mode. I have a 256 bit master key and the file. Given these, the encryption must be deterministic, so I can't use a random nonce in the usual way. Fortunately the master key will be unique¹.

My original plan was to simply set the nonce to 0. Assuming no collision happens when deriving the 128 bit AES key from the master key, this should be as secure as conventional CTR, where the nonce is prepended to the message.

An alternative plan is to also derive the nonce from the master key. This seems to offer two advantages:

  1. It makes key-nonce pair reuse more unlikely, since now they have 256 bits and not just 128
  2. It prevents some kinds of known-plaintext attacks, since the attacker now doesn't know the content of the counter-stream, effectively turning the nonce into some kind of secondary key.

Is there a problem with either scheme? Is the second scheme better than the first?


¹ assuming the 256 bit hash function I use is collision free

CodesInChaos

Assuming that you can indeed guarantee that the keys will never be reused, both schemes should be secure.

The only requirement for the nonce in CTR mode is that it must be unique (and, if used directly as the initial counter value, not equal to any intermediate counter value used in the past or in the future). If you're only encrypting one message with a given key, the nonce $0$ is as unique as any other.

As you correctly note, your second scheme provides somewhat less information to an attacker who can guess some of the plaintext. (Reading between the lines in your question, I'm assuming you're not planning to store the nonce along with the ciphertext, but to re-derive it from the master key on decryption.) Whether it's "better" is hard to say — it only makes a difference if the cipher you're using is broken, and at that point it will depend on just how it's broken — but it's at least unlikely to be worse.

Ilmari Karonen
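Both schemes side by side, as an added example that is not from the question or the answer: it assumes the pyca/cryptography library, and HKDF-SHA256 with a fixed info label is this example's own choice of how to derive the AES key (and, in the second scheme, the nonce) from the 256 bit master key. The last function shows the failure mode the answer's opening assumption guards against: if a master key is ever reused for a second file, both schemes reuse the same (key, nonce) pair and the XOR of the plaintexts leaks.

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ZERO_NONCE = bytes(16)


def derive_key_nonce(master_key: bytes, derive_nonce: bool):
    """Scheme 1 (derive_nonce=False): 128-bit AES key from the master key, nonce fixed to 0.
    Scheme 2 (derive_nonce=True): 128-bit key *and* 128-bit nonce from the master key.
    HKDF-SHA256 and the info label are assumptions of this example, not part of the question."""
    if len(master_key) != 32:
        raise ValueError("master key must be 256 bits")
    length = 32 if derive_nonce else 16
    okm = HKDF(algorithm=hashes.SHA256(), length=length, salt=None,
               info=b"aes-ctr-file-encryption").derive(master_key)
    return (okm[:16], okm[16:]) if derive_nonce else (okm, ZERO_NONCE)


def aes_ctr(master_key: bytes, data: bytes, derive_nonce: bool) -> bytes:
    """Encrypt or decrypt (CTR is its own inverse). Nothing random is involved, so the
    output is fully determined by (master_key, data) and no nonce has to be stored."""
    key, nonce = derive_key_nonce(master_key, derive_nonce)
    ctx = Cipher(algorithms.AES(key), modes.CTR(nonce)).encryptor()
    return ctx.update(data) + ctx.finalize()


def roundtrip_ok(master_key: bytes, data: bytes, derive_nonce: bool) -> bool:
    """Decrypting with nothing but the master key recovers the file."""
    return aes_ctr(master_key, aes_ctr(master_key, data, derive_nonce), derive_nonce) == data


def is_deterministic(master_key: bytes, data: bytes, derive_nonce: bool) -> bool:
    return aes_ctr(master_key, data, derive_nonce) == aes_ctr(master_key, data, derive_nonce)


def leaks_plaintext_xor(master_key: bytes, p1: bytes, p2: bytes, derive_nonce: bool) -> bool:
    """Failure mode: the same master key is used for two different files. The keystream is
    identical in both schemes, so c1 XOR c2 == p1 XOR p2 whether or not the nonce is derived."""
    c1, c2 = aes_ctr(master_key, p1, derive_nonce), aes_ctr(master_key, p2, derive_nonce)
    n = min(len(p1), len(p2))
    c_xor = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    p_xor = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return c_xor == p_xor


if __name__ == "__main__":
    mk = bytes(range(32))  # constructed 256-bit master key for the demo only
    print("scheme 2 roundtrip:", roundtrip_ok(mk, b"file contents", True))
    print("key reuse leaks p1^p2 (scheme 2):", leaks_plaintext_xor(mk, b"attack at dawn", b"defend at dusk", True))
```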