Questions tagged [convergent-encryption]

Convergent encryption, also known as content hash keying, is simply encrypting a file using a symmetric encryption key which is the secure hash of the plaintext of the file.

Convergent encryption, also known as content hash keying, was first mentioned by John Pettitt on the cypherpunks list in 1996, was used by Freenet and Mojo Nation in 2000, and was analyzed in a technical report by John Douceur et al. in 2002. Today it is used by at least Freenet, GNUnet, flud, Tahoe Least-Authority Filesystem, and BitCasa.

Convergent encryption has useful properties, such as allowing ciphertexts to be deduplicated, but the same determinism makes it vulnerable to the confirmation-of-a-file attack and the learn-partial-information attack. These attacks and some mitigations were described in a Tahoe-LAFS mailing list entry in 2008.

13 questions

42 votes, 6 answers

Is Convergent Encryption really secure?

Recently a company called Bitcasa demonstrated a product of cloud storage. They indicated that they would use "Convergent Encryption" to secure your data and de-duplicate, essentially one copy of the same file between users. From what I can read on…
Justin King

21 votes, 4 answers

Is it safe to use file's hash as IV?

I'm encrypting some files using AES in CBC mode. I'm also using file's digest (SHA-1) to check that data is decrypted correctly (so I need to store it with file). Is it safe to use this digest as AES's IV and store it in the header of file? Or it…

12 votes, 1 answer

Deterministic nonces in CTR mode

I want to encrypt a file with AES in CTR mode. I have a 256 bit master key and the file. Given these, the encryption must be deterministic, so I can't use a random nonce in the usual way. Fortunately the master key will be unique¹. My original plan…
CodesInChaos

11 votes, 1 answer

Does AES-CTR require an IV for any purpose other than distinguishing identical inputs?

I'd like to encrypt files deterministically, such that any users encrypting the same plaintext will use the same key and end up with the same ciphertext. The ciphertext should be private as long as the plaintext is. I plan to use AES-128-CTR with an…

7 votes, 2 answers

Provable Encryption

Is it possible to encrypt data in a way that it can be proven that the data is encrypted, without revealing the key? Alice chooses some plaintext, then she encrypts it with a certain scheme. She also creates a proof that she the cypher text was…
Quad

4 votes, 1 answer

Safety of encrypting a plaintext with its hash as the key

What are the safety issues of using the hash of plaintext as the key to encrypt it? The first that comes to mind is that if I can guess an approximation or part of the plain text, brute force attack complexity will be reduced considerably.…
user3368561

4 votes, 0 answers

Can convergent encryption be turned into deterministic authenticated encryption with HMAC?

If you take a convergent encryption algorithm and replace the hash $H$ used to derive the key with HMAC-H, keyed with a secret key $k'$, does the resulting algorithm provide you with deterministic authenticated encryption? By convergent encryption I…

4 votes, 1 answer

Convergent Encryption: integrity and authenticity

I have one question about convergent encryption. Suppose I use AES-256 in CBC mode. I need a 256 bits key and a 128 bits IV. If I use SHA-256 to hash one file, then I can use directly that hash as the key. When decryption occurs, is integrity and…
Kingland

3 votes, 1 answer

Is there a known vulnerability when using identical key and salt with PBKDF2?

For optimum security, a random salt should be chosen for PBKDF2. I came across a scenario where I produce a hash of a random file that serves as the "password". Due to the nature of files, this has similar entropy issues as a "normal" password.…

2 votes, 4 answers

Looking for cryptographic secure hash algorithm(s) that produces identical root hash for differently sliced hash list

I have a scenario similar to the one described in Wikipedia: hash list, but with a twist. I'm looking for a cryptographically secure hash function that would create the same root hash for the same file, no matter how the file is chopped up for…
user12889

1 vote, 1 answer

Are there more efficient methods than HMAC to achieve convergent encryption?

I’m thinking about the convergent encryption system described in the top answer to this question. However, it seems like preferred modern HMAC algorithms like HMAC-SHA256 (as used in step 2 to create the “key”) are much slower than the actual…

1 vote, 1 answer

Are convergently-encrypted ciphertexts safe from collision attacks?

Convergent encryption uses a message digest of the plaintext as the key to encrypt the plaintext to produce the ciphertext. This is useful for automatic content sharing because it produces a deterministic ciphertext between unrelated parties who…
N. Arendse

1 vote, 0 answers

Convergent encryption has dictionary attack, but why hash function doesn't?

Convergent encryption (CE), $E_k(d)$, is a way to encrypt the data $d$, with the characteristic that the encryption key $k$ is $k=h(d)$, where $h(\cdot)$ is a cryptographic hash function. Consider a cloud storage with client-side deduplication. The…
user4478