11

I'd like to encrypt files deterministically, such that any users encrypting the same plaintext will use the same key and end up with the same ciphertext. The ciphertext should be private as long as the plaintext is.

I plan to use AES-128-CTR with an IV of 0 and the SHA-256 of the plaintext as the key.

IV values are required to produce different output with the same key, but I am explicitly avoiding that behaviour here. I have heard that some ciphers/modes of operation also require the IV to provide randomness for the algorithm and that using an unrandom value (like zero) can be dangerous.

Aside from the repeatable output, is there any danger in using AES-128-CTR with an IV of zero?


Having done a bit more reading, here's my current understanding; verification or corrections appreciated:

NIST SP800-38A §6.5 describes CTR mode as just XORing each plaintext block with the result of ciphering the counter value with the key (where the initial counter value is called the IV).

If a key is reused with the same IV (or a numerically-close one), this will produce duplicate values in the stream with which your plaintext is hashed. This presents a large weakness to any attacker who can obtain multiple ciphertexts.

In my specific case, because I'm using a key that's unique to the plaintext it will have a unique stream of data to be XORed with the plaintext, making it secure.

The choice of zero for the IV is as theoretically dangerous as any other constant.

Paŭlo Ebermann
user1114
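The following is an added worked example, not code from the question or the answer. It implements AES-128 from FIPS-197 so it runs offline, builds CTR mode exactly as SP800-38A describes it (XOR the data with E_K(counter) for successive counter blocks), and then applies the scheme in the question: key = SHA-256 of the plaintext, IV = 0. Two details are my assumptions because the question does not state them: the 32-byte SHA-256 digest is truncated to the 16 bytes an AES-128 key needs, and the counter is the whole 128-bit IV incremented as a big-endian integer. The function names (`convergent_encrypt`, `keystream_reuse_leaks`, and so on) are mine. The example checks the block cipher against the FIPS-197 test vector, shows that the construction is deterministic and invertible, and contrasts the two situations discussed above: the same zero IV under two different plaintext-derived keys versus the same IV under one shared key, where XORing two ciphertexts reveals the XOR of the plaintexts.

```python
import hashlib

# --- AES-128 block encryption (FIPS-197), written out so the example needs no library ---

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF

def _build_sbox():
    """S-box: affine transform of each byte's multiplicative inverse (x^254 in GF(2^8))."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):
                inv = _gf_mul(inv, x)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; state is column-major (byte i is row i % 4, column i // 4)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows: row r rotates left by r
        if rnd != 10:                                         # MixColumns (not in the final round)
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                          a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                          a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                          _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]      # AddRoundKey
    return bytes(s)

def aes128_encrypt_block(key, block):
    return _encrypt_block(_expand_key(key), block)

# --- CTR mode as SP800-38A §6.5 describes it: data XOR E_K(counter_j) ---

def aes128_ctr(key, iv, data):
    """Encrypt or decrypt (the same operation). Assumption: the counter block is the IV
    read as a 128-bit big-endian integer, incremented by one for each successive block."""
    rk = _expand_key(key)
    start = int.from_bytes(iv, "big")
    out = bytearray()
    for j, off in enumerate(range(0, len(data), 16)):
        keystream = _encrypt_block(rk, ((start + j) % (1 << 128)).to_bytes(16, "big"))
        out += bytes(b ^ k for b, k in zip(data[off:off + 16], keystream))
    return bytes(out)

# --- The scheme from the question: plaintext-derived key, IV fixed to zero ---

ZERO_IV = bytes(16)

def convergent_key(plaintext):
    """Assumption: SHA-256 digest truncated to the 16 bytes AES-128 takes as a key."""
    return hashlib.sha256(plaintext).digest()[:16]

def convergent_encrypt(plaintext):
    return aes128_ctr(convergent_key(plaintext), ZERO_IV, plaintext)

def convergent_decrypt(key, ciphertext):
    return aes128_ctr(key, ZERO_IV, ciphertext)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leaks(c1, c2, p1, p2):
    """True when c1 XOR c2 == p1 XOR p2, i.e. both messages were XORed with the same
    keystream. That is exactly what happens when key and IV are both reused."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])

if __name__ == "__main__":
    # Constructed sample plaintexts.
    p1 = b"quarterly report, draft 1: revenue up 4 percent"
    p2 = b"quarterly report, draft 2: revenue up 3 percent"
    c1, c2 = convergent_encrypt(p1), convergent_encrypt(p2)
    print("deterministic:", convergent_encrypt(p1) == c1)
    print("round trip:", convergent_decrypt(convergent_key(p1), c1) == p1)
    print("zero IV, different keys, XOR leak:", keystream_reuse_leaks(c1, c2, p1, p2))
    shared = bytes(range(16))   # constructed: one key reused for both messages
    r1, r2 = aes128_ctr(shared, ZERO_IV, p1), aes128_ctr(shared, ZERO_IV, p2)
    print("zero IV, same key, XOR leak:", keystream_reuse_leaks(r1, r2, p1, p2))
```

The last two lines of output are the answer's point in running code: with a fresh key per plaintext the fixed IV causes no keystream overlap, whereas reusing one key with the same IV makes `c1 XOR c2` equal `p1 XOR p2`, regardless of whether that IV is zero or any other constant.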

1 Answer

8

Well, no, in your case, a constant IV is not a problem. With counter mode, the rule is that you cannot reuse the same IV with the same key. However, it is perfectly fine to use the same IV with different keys, and that's what you're doing.

One minor correction to what you have (that doesn't directly relate to your question): you state that there are problems if "a key is used with the same (or a numerically-close one)". Actually, as long as the IVs are different, "numerically-close" IVs are not an issue. In fact, it is actually pretty common to select counter mode IVs using a message counter (e.g. the first message gets IV 0, and second one gets IV 1, etc.)

However, I do have one question: how do you expect someone to decrypt the ciphertext? If what you're doing is generating a hash of the plaintext, why don't you just go with the SHA-256 hash of the plaintext?

poncho