Score:0

AES-CTR: using the same key and IV with unique messages


I have short (8-byte) messages which are effectively true random numbers, and I want to encrypt these messages with a (pre-shared) key....

I'm using AES-CTR for this purpose -- but with the SAME IV each time (which is seemingly contrary to best practice).... but since EVERY message that I'll encrypt with this key is unique, do I really have a security issue?

SAI Peregrinus: How many messages do you have, at most, before you get a new key?
biosbob: If my 8-byte random numbers are truly random, then I should (in theory) be able to use the SAME key 2**64 times.... In practice, I'll encrypt under 1000 random messages during the lifetime of this key....
kelalaka: Does this answer your question? [Why must IV/key-pairs not be reused in CTR mode?](https://crypto.stackexchange.com/questions/2991/why-must-iv-key-pairs-not-be-reused-in-ctr-mode)
Maarten Bodewes: First of all, if you have space for it, then just use a mode of operation that has an IV. Otherwise you might want to look at a 64-bit block cipher (e.g. Blowfish). You could use ECB mode. Or you could even use a modern cipher using Format Preserving Encryption. Much safer; only duplicates will show up. A key wrapping mode or AES-SIV would also work, but those will grow your ciphertext compared to the plaintext.
Score:2

Yes, this is an issue. Essentially you are encrypting each 8 bytes by XORing them with the same secret key. If we write $P_i$ for the true random 8-byte values, then the ciphertexts are $C_i=P_i\oplus K$ for some fixed 8-byte value $K$.

Compromise of any one of the $(P_i,C_i)$ pairs will now compromise all of the pairs as $K$ can be recovered and the same $K$ is used for all pairs.

Moreover, if there is any bias in your "effective" randomness, this will lead to bias in the ciphertexts, which in turn will reveal information about the corresponding plaintext.

biosbob: Makes sense... but suppose I sent an incrementing counter in the clear with each encrypted message and that (unique) value was injected into the IV used by both parties; am I now back on more familiar ground?
Daniel S: Yes, this will produce a different $K_i$ for each $P_i$ and the block cipher should prevent an attacker from working out any relationship between them. You might want to worry about an active attacker modifying the ciphertexts (XORing some value onto the ciphertext would XOR the recovered plaintext by the same amount and would not be a priori detectable).