AES-CTR: using the same key and IV with unique messages

biosbob

10/27/23, 2:20 PM

I have short (8-byte) messages which are effectively true random numbers, and I want to encrypt these messages with a (pre-shared) key....

I'm using AES-CTR for this purpose -- but with the SAME IV each time (which is seemingly contrary to best practice).... but since EVERY message that I'll encrypt with this key is unique, do I really have a security issue?

140

1 + 4

aes

ctr

SAI Peregrinus

10/27/23, 3:47 PM

How many messages do you have, at most, before you get a new key?

biosbob

10/27/23, 4:35 PM

if my 8-byte random numbers are truly random, then i should (in theory) be able to use the SAME key 2**64 times.... in practice, i'll encrypt under 1000 random messages during the lifetime of this key....

kelalaka

10/27/23, 11:43 PM

Does this answer your question? [Why must IV/key-pairs not be reused in CTR mode?](https://crypto.stackexchange.com/questions/2991/why-must-iv-key-pairs-not-be-reused-in-ctr-mode)

Maarten Bodewes

10/30/23, 8:47 PM

First of all, if you have space for it, then just use a mode of operation that has an IV. Otherwise you might want to look at an 64 bit block cipher (e.g. blowfish). You could use ECB mode. Or you could even use a modern cipher using Format Preserving Encryption. Much safer, only duplicates will show up. A key wrapping mode or AES-SIV would also work, but those will grow your ciphertext compared to the plaintext.

Score:2

Crypto

Daniel S

10/27/23, 4:33 PM

Yes, this is an issue. Essentially you are encrypting each 8-bytes by XORing it with the same secret key. If we write $P_i$ for the true random 8-byte values, then the cipher texts are $C_i=P_i\oplus K$ for some fixed 8-byte value $K$.

Compromise of any one of the $(P_i,C_i)$ pairs will now compromise all of the pairs as $K$ can be recovered and the same $K$ is used for all pairs.

Moreover if there is any bias in your "effective" randomness, this will lead to bias in the cipher texts which in turn will reveal information about the corresponding plaintext.

+ 2

biosbob

10/27/23, 4:44 PM

make sense... but suppose i sent an incrementing counter in the clear with each encrypted message and that (unique) value was injected into the IV used by both parties, am i now back on more familiar ground????

Daniel S

10/27/23, 4:48 PM

Yes, this will produce a different $K_i$ for each $P_i$ and the block cipher should prevent an attacker from working out any relationship between them. You might want to worry about an active attacker modifying the ciphertexts (XORing some value onto the ciphertext would XOR the recovered plaintext by the same amount and would not be a priori detectable).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: AES-CTR: using the same key and IV with unique messages

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.