2

For a protocol which implements AES in CBC mode, an $IV$ (initialization vector) is required for each encryption. Instead of picking the $IV$ randomly, is it advisable for us to set the $IV$ to $\text{SHA1}(k||m)$, where $k$ is the key and $m$ is the first 128 bits of the plaintext? I.e., is this scheme semantically secure? Any thoughts are welcome! Thanks!

meta_warrior
  • 469
  • 4
  • 16

2 Answers

7

No, it's not semantically secure.

Proof: select two plaintexts with identical initial 128 bits; and present them to the Oracle to be encrypted. The resulting ciphertexts will also have identical initial 128 bits, hence the encryptor can be distinguished from something that generates random outputs.

poncho
  • 154,064
  • 12
  • 239
  • 382
0

If you use the entire message and a collision resistant hash function, you can get some form of security, but not IND-CPA (equivalent to semantic security). The IND-CPA game is mostly used with public key encryption, and with symmetric encryption the attacker is given access to an encryption oracle. Then any kind of deterministic encryption automatically fails, because the attacker can just ask the oracle for encryptions for both ciphertexts and the challenge is one of those.

If you make the attacker weaker by not allowing the attacker to query the chosen plaintexts, this would work. But I don't think this is actually a commonly used security definition.

If you just have preimage resistance and no collision resistance, there might be other problems - but that depends on how collisions can be found, which makes formal analysis difficult.

But the point about collision resistance is a strong case against SHA-1, which has been considered broken for a long time w.r.t. collision resistance. (And now, in Feb 2017, a collision was found.) And in general, a new protocol should never be built on outdated (almost obsolete) cryptographic functions.

  • This question addresses when it is okay to use SHA-1 and when not.
  • This article by Bruce Schneier from 2012 is also quite interesting, stating a complexity of roughly $2^{60}$ to find a collision.
  • And here you can see that the bitcoin network hash rate is around $2 \cdot 10^{18} \approx 2^{60.79}$ per second (even if other specialized hardware would be required, because they do SHA-256 hashes).
tylo
  • 12,864
  • 26
  • 40
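The two answers above make two related points: poncho's distinguisher (plaintexts sharing their first 128 bits give ciphertexts sharing their first 128 bits when the IV is derived from the first block) and tylo's observation that deriving the IV from the whole message is deterministic and therefore fails the IND-CPA game against an encryption oracle. The following is an added example written for this page, not code from either answer. It uses textbook CBC over a stand-in 128-bit block cipher (a 4-round Feistel network built from SHA-256, constructed here so the script runs offline without an AES library; the IV behaviour shown does not depend on which block cipher is used). The function and variable names and the sample messages are constructed for the example.

```python
import hashlib
import os

BLOCK = 16  # 128-bit block size, as in AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function for the stand-in cipher: SHA-256 truncated to 64 bits."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round Feistel network (constructed here,
    NOT AES; any block cipher would show the same IV-related behaviour)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC over whole blocks (no padding, to keep the example short)."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


# Three IV rules, each called as iv_rule(key, plaintext) -> 16-byte IV.

def iv_from_first_block(key: bytes, plaintext: bytes) -> bytes:
    """The question's proposal: IV = SHA1(k || m), m = first 128 plaintext bits."""
    return hashlib.sha1(key + plaintext[:BLOCK]).digest()[:BLOCK]


def iv_from_whole_message(key: bytes, plaintext: bytes) -> bytes:
    """The variant discussed in the second answer: hash the entire message
    (SHA-256 here, as a collision-resistant hash)."""
    return hashlib.sha256(key + plaintext).digest()[:BLOCK]


def random_iv(key: bytes, plaintext: bytes) -> bytes:
    """The standard choice: a fresh uniformly random IV per encryption."""
    return os.urandom(BLOCK)


def encrypt(key: bytes, plaintext: bytes, iv_rule) -> bytes:
    """IV || CBC ciphertext, with the IV chosen by iv_rule."""
    iv = iv_rule(key, plaintext)
    return iv + cbc_encrypt(key, iv, plaintext)


def leaks_shared_prefix(key: bytes, m0: bytes, m1: bytes, iv_rule) -> bool:
    """poncho's distinguisher: submit two plaintexts that share their first block
    and report whether IV and first ciphertext block coincide."""
    c0 = encrypt(key, m0, iv_rule)
    c1 = encrypt(key, m1, iv_rule)
    return c0[:2 * BLOCK] == c1[:2 * BLOCK]


def is_deterministic(key: bytes, m: bytes, iv_rule) -> bool:
    """tylo's point: a deterministic scheme answers a repeated oracle query with
    the identical ciphertext, which the IND-CPA adversary can exploit directly."""
    return encrypt(key, m, iv_rule) == encrypt(key, m, iv_rule)


# Constructed sample inputs: identical first block, different second block.
KEY = bytes(range(16))
M0 = b"transfer 100 to:" + b"alice           "
M1 = b"transfer 100 to:" + b"mallory         "

if __name__ == "__main__":
    for name, rule in [("first-block IV", iv_from_first_block),
                       ("whole-message IV", iv_from_whole_message),
                       ("random IV", random_iv)]:
        print(f"{name:17} shared-prefix leak: {leaks_shared_prefix(KEY, M0, M1, rule)}"
              f"  deterministic: {is_deterministic(KEY, M0, rule)}")
```

Run as a script, the table shows the first-block rule leaking the shared prefix, the whole-message rule not leaking it but still being deterministic, and only the random IV giving neither property. Because CBC chains, the two derived-IV ciphertexts of `M0` and `M1` diverge from the second block onward; the leak is precisely the prefix, which is already enough for the distinguisher in poncho's answer.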