Score:2

Does keeping IV secret increase security of CTR mode?


Let's suppose I encrypt something with CTR mode and keep the key and IV secret.

Does keeping the IV secret together with the key increase strength of encryption?

Score:5

The only secret is the key. CTR mode has Ind-CPA security; you cannot gain anything more (Ind-CCAx, ...) without integrity and authentication.

If you are setting your security on the secrecy of the IV, you are on the wrong path. Just make sure that the $(key,IV)$-pair is not repeated and read more on this post.

And, with your approach, you need an additional process to transmit the IV per message:

  1. You are somehow encrypting it, or
  2. You use DHKE and derive key and IV from the key exchange with a KDF.

The former is problematic; the latter can increase the communication cost (a new DHKE per encryption for a new IV or key altogether).

Do not complicate the processes; just stick to the standards that have existed for many years, designed and analyzed by serious cryptographers.

Score:5

> Does keeping the IV secret together with the key increase strength of encryption?

Very little. In particular, under a known plaintext brute-force attack, it only strengthens the key by at most about 1 bit.

Argument: given two consecutive ciphertext blocks $C_0$, $C_1$ and their matching plaintext $P_0$, $P_1$, we can rule out key $K$ if $E_K(D_K(C_0\oplus P_0)+1)\ne C_1\oplus P_1$ (where the addition is modulo $2^b$ with $b$ the block size). Block decryption $D$ is about as costly as block encryption $E$, and these two operations dominate the cost, which is thus about doubled compared to a brute-force attack with known IV.

A good reason not to keep the IV secret is that it needs to be known to the receiver, thus we'd need to encrypt it, making things more complicated and harder to analyze.

poncho:
Actually, in some cases, the strength addition is less than one bit. If the attacker knows some of the bits of the counter (e.g. for each message, you start the counter with the lower 32 bits as 0 for the first block), then the attacker can do a test of the intermediate value $D_k(C_0 \oplus P_0)$; that test will eliminate most of the wrong keys; the rest of the test will be run only a small fraction of the time.
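
The key test from the second answer's argument, as an added example that is not part of the original thread: each candidate key costs one block decryption and one block encryption, and the "secret" IV falls out as a by-product. The 64-bit toy Feistel cipher, the 12-bit key space, the sample values and all function names are assumptions chosen so the search finishes instantly; they stand in for a real block cipher and key size.

```python
import hashlib

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF  # block size b = 64, so counter addition is mod 2**64

def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (assumption, not a real cipher).
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def E(key, block):
    left, right = block >> 32, block & MASK32
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 32) | right

def D(key, block):
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 32) | right

def ctr_encrypt(key, iv, blocks):
    # CTR: C_i = P_i xor E_K(IV + i), counter incremented modulo 2**b.
    return [p ^ E(key, (iv + i) & MASK64) for i, p in enumerate(blocks)]

def surviving_keys(p, c, key_bits):
    # The answer's test: rule out K if E_K(D_K(C0 ^ P0) + 1) != C1 ^ P1.
    s0, s1 = c[0] ^ p[0], c[1] ^ p[1]
    hits = []
    for k in range(1 << key_bits):
        iv = D(k, s0)  # the IV this candidate key would imply
        if E(k, (iv + 1) & MASK64) == s1:
            hits.append((k, iv))
    return hits

def demo():
    key, iv = 0x0A5C, 0x0123456789ABCDEF  # constructed secrets
    plain = [0x4865616465723A20, 0x76657273696F6E31]  # constructed known plaintext
    cipher = ctr_encrypt(key, iv, plain)
    return key, iv, surviving_keys(plain, cipher, 12)
```

`demo()` returns the true key and IV together with the list of keys that pass the test, which contains only the true pair: the search never needed the IV as input.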