
Is there anything wrong with this key-check value scheme?

This question is a follow-up to an earlier question of mine. In summary, I want to devise a key-check value scheme that will enable my decryption function, when given a key K and a ciphertext C, to determine whether K is actually the key used to generate C, and to do so without having to decrypt all of C.

At the time of encryption, a key K and a nonce initialization vector IV are available (in addition to the plaintext P). Define KCV as follows:

KCV = encrypt(key=sha256(IV || K), plaintext=IV)

...where encrypt stands for AES256 encryption in ECB mode, and IV || K stands for the concatenation of IV and K. Both IV and KCV will be stored in a header right before the encrypted "payload" C.

At the time of computing decrypt(key=K, header=H, ciphertext=C), the program will first read IV from the header H, use it and K to compute an expected KCV, and compare the latter with the KCV stored in the header H.

Are there any obvious problems with this scheme? In particular, is there a feasible way to deduce K based on the knowledge of KCV and IV?

Maarten Bodewes
kjo

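The scheme as the question defines it, written out as an added example (this is not the poster's code). It assumes a header layout of IV || KCV with a 16-byte IV (the IV has to be exactly one AES block, since it is the ECB plaintext), accepts a key K of any length, and uses a constructed 32-byte sample key; the function names computeKCV, makeHeader and checkKey are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ivSize: the IV is the plaintext of a single AES-ECB block, so it must be
// exactly one block long (16 bytes). Assumption of this example.
const ivSize = aes.BlockSize

// computeKCV implements the definition from the question:
//   KCV = AES-256-ECB(key = SHA-256(IV || K), plaintext = IV)
// SHA-256 yields 32 bytes, which selects AES-256; encrypting one block with
// no chaining is exactly ECB mode over a single block.
func computeKCV(iv, k []byte) ([]byte, error) {
	if len(iv) != ivSize {
		return nil, errors.New("IV must be exactly one AES block (16 bytes)")
	}
	h := sha256.New()
	h.Write(iv) // IV || K: IV first, then K
	h.Write(k)
	kcvKey := h.Sum(nil)
	block, err := aes.NewCipher(kcvKey)
	if err != nil {
		return nil, err
	}
	kcv := make([]byte, aes.BlockSize)
	block.Encrypt(kcv, iv)
	return kcv, nil
}

// header is the example's assumed layout: IV followed by KCV, both 16 bytes,
// placed right before the encrypted payload C.
type header struct{ IV, KCV []byte }

// makeHeader is the encryptor side: draw a fresh random IV and derive its KCV.
func makeHeader(k []byte) (header, error) {
	iv := make([]byte, ivSize)
	if _, err := rand.Read(iv); err != nil {
		return header{}, err
	}
	kcv, err := computeKCV(iv, k)
	if err != nil {
		return header{}, err
	}
	return header{IV: iv, KCV: kcv}, nil
}

func encodeHeader(h header) []byte {
	return append(append([]byte{}, h.IV...), h.KCV...)
}

func parseHeader(b []byte) (header, error) {
	if len(b) < ivSize+aes.BlockSize {
		return header{}, errors.New("header too short")
	}
	return header{IV: b[:ivSize], KCV: b[ivSize : ivSize+aes.BlockSize]}, nil
}

// checkKey is the decryptor side: recompute the KCV from the stored IV and the
// offered key, and compare it in constant time with the stored KCV.
// It reads only the header, never the payload C.
func checkKey(headerBytes, k []byte) (bool, error) {
	h, err := parseHeader(headerBytes)
	if err != nil {
		return false, err
	}
	expected, err := computeKCV(h.IV, k)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(expected, h.KCV) == 1, nil
}

func main() {
	k := bytes.Repeat([]byte{0x42}, 32)     // constructed sample key
	wrong := bytes.Repeat([]byte{0x43}, 32) // constructed wrong key
	hdr, err := makeHeader(k)
	if err != nil {
		panic(err)
	}
	stored := encodeHeader(hdr)
	okRight, _ := checkKey(stored, k)
	okWrong, _ := checkKey(stored, wrong)
	fmt.Printf("right key accepted: %v, wrong key accepted: %v\n", okRight, okWrong)
}
```

Two points a practitioner would keep in mind when using this: the comparison is constant-time so the check itself leaks nothing about the stored KCV through timing, and the check answers only "is this the key", since the KCV depends on IV and K alone and says nothing about whether the payload C is intact. Because IV and KCV are stored in the clear, anyone holding the header can test candidate keys offline with computeKCV; that is harmless for a full-entropy random K but matters if K is ever derived from a password.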