Score:2

Does encryption of many files shorten the list of possible passwords?

br flag

Hopefully this question is not duplicative, nor its answer too elementary.

Suppose I have a file. I encrypt it, using a password. The password presumably stipulates a pattern or relationship between the file in its pre-encryption (A1) and post-encryption (B1) forms. But that pattern or relationship is indeterminate. Depending upon the complexity of the password, there could be a vast number of possible explanations for how the password helped to convert A1 to B1.

Suppose I encrypt another file, using the same password. I have examined the A1-B1 relationship; now I examine the A2-B2 relationship. Some possible explanations of the A1-B1 conversion will not explain the A2-B2 conversion.

Does the encryption of multiple files, using the same password, significantly reduce the number of passwords that could account for the differences between those files' pre- and post-encryption forms?

Score:2
ng flag

That depends on length of A1, and on the encryption algorithm. For very short A1, yes additional plaintext/ciphertext pair A2-B2 restricts the set of possible passwords.

For example, if the encryption algorithm is AES-256-CTR with competent key stretching with e.g. Argon2 to produce it's 256-bit key, and A1 is $n_1$-byte with $0\le n_1\le30$, then approximately one password out of $2^{(8\,n_1)}$ will decipher B1 into A1. When A2 is $n_2$-byte with $0\le n_1+n_2\le30$, then approximately one password out of $2^{(8\,n_1+8\,n_2)}$ will decipher B1 into A1 and B2 into A2, which is a much lesser fraction of passwords when $n_2\ne0$. For $n_1\le3$ this is easily verified experimentally.

With this same encryption system, when $n_1\ge35$, it becomes quite likely there's a single 256-bit AES key that deciphers B1 into A1, there are about one password in $2^{256}$ that yield this key after key stretching, and adding B2 won't change that.

Most common encryption algorithms accepting password as key input have some internal limit on key length even when the password does not; like 256-bit in the above example. But for good algorithms, that limit is above the threshold where that has any practical impact on security.

I have not covered encryption with padding like CBC, which complicates the analysis; nor authenticated encryption, where by design each encryption rules out the overwhelming majority of passwords.

Score:2
ph flag

The short answer is: no, the second file probably doesn't make a difference. This is because 1) what is significant for your question is the amount of data encrypted and not the number of files and 2) it doesn't require much data (about 64 bytes, see below) to uniquely fix the key, so it's likely that a single file is large enough. Only in the case where the first file is so small that it doesn't fill 2 blocks is there more information for a second file to provide.

The way a program would typically provide password-based file encryption is to first convert the password into a key, using a PBKDF. Then it would use that key to encrypt the file, block by block. For the sake of simplicity, let's say that the key and block are both 256 bits. If we consider just the first encrypted block of the file, it is possible (about 1 chance in 3) that there is another key that encrypts that block the same way. When we consider the second block, there is virtually no chance that there is another key that encrypts both blocks the same. So once 2 blocks (64 bytes) have been encrypted, there is only a single key that can have performed that particular transformation. Therefore, as long as the first file is not very small, there are no constraints to be added.

Now, that's about the key, and your question is about the password. Normally, an encryption program will consistently use the same PBKDF, which means the same password will always produce the same key. And as above, there isn't any additional constraint revealed.

It's worth emphasizing that these constraints are all very theoretical. Even though there is a single possible key, the problem of determining it is intractable - that's the point of a secure algorithm. And the PBKDF is typically designed so that even if you knew the key, you could not reverse-engineer the password.

fgrieu avatar
ng flag
That does not hold for very short files under many common encryption modes, including CTR, CFB and OFB. In particular, if you encrypt a single-byte file, one out of about 256 passwords will correctly decrypt it. For CBC and padding modes where the last byte encodes how many bytes to suppress, the fraction is different, but the effect remains easy to observe.
ph flag
I called out that it takes two blocks, but you're right that it's a good idea to raise that more explicitly in the beginning.
Score:1
in flag

No, it doesn't reduce the number of passwords that could be used.

Generally a password is used to derive a symmetric key. It is good practice to use a Password Based Key Derivation Method (PBKDF) for that. Usually that PBKDF uses a salt and work factor (and possibly other parameters). The salt - which is included with the ciphertext - makes sure that the key always differs, even if the same password is used. Furthermore, the PBKDF is a one-way password hash, so it is also impossible to get from the key, other than to try every password. Furthermore, the key in itself is protected by the cipher used; it therefore should remain protected even if multiple plaintext / ciphertext pairs are known.

As a PBKDF is a password hash with a specific capacity as well as output size, it may be that multiple passwords hash to the same value. However, this is by chance, and finding them is next to impossible. Generally, if a dictionary attack is used then you can assume that the password is guessed correctly if the correct key is found. Having multiple ciphertext to compare against doesn't make a difference.


Note that this is about best practice symmetric encryption. If you'd use e.g. the Vigenere cipher then yes, encrypting with the same password would break the entire scheme.

Furthermore, you could e.g. encrypt a private key instead and use the corresponding public key to encrypt files. In that case you'd only need the password when decrypting files.


Finally, if the same key is used to encrypt a file then having many, many blocks of plaintext data may make a difference; some information may leak e.g. if to CBC block encrypts will generate the same ciphertext (meaning that the input block is also identical). Or when the counter used within CTR encryption is overflowing, etc. etc. However, as stated, usually you'd still use different keys, even if the same password is used. In that case the only limiting factor is the message / file size.

fgrieu avatar
ng flag
It's silently assumed files are large, which is unstated in the question.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.