There are a few questions on this site asking about reusing the same initialization vector, for example for AES encryption under the same key; see for example this question.

Now, let's not respect that advice and reuse an IV. However, to make it a bit more complicated, let's use a different key. For example both of these keys could be derived from a password using different salts or similar methods.

Is it safe to reuse an IV for different keys? For example, does that compromise the plaintext message or the keys?

HerpDerpington
    Not a cryptographer, but the problem is generally reusing the same key-IV **pair**. If one of them is different, you should be fine. – nobody May 16 '21 at 17:43
  • That will be a **broad question without the mode of operation**. From [crypto.se]: (1) [AES CBC with unique key per message, but fixed IV](https://crypto.stackexchange.com/q/48649/18298), (2) [Comparing the security when using fixed IV for CBC and CTR](https://crypto.stackexchange.com/q/89253/18298), (3) [When it is safe to reuse IV? (or not using at all)](https://crypto.stackexchange.com/q/54980/18298) – kelalaka May 16 '21 at 20:12
  • Why is this question voted to move to Crypto.SE? Sounds like the asker wants to know about usage, not internals. – multithr3at3d May 22 '21 at 04:12

1 Answer

Whether using a fixed IV is acceptable depends on the mode of operation you're using. Some modes only require that the IV be unique under a given key, such as CTR mode, while others, such as CBC, require an unpredictable IV. Attacks on CBC are known with predictable IVs.

The adaptive chosen plaintext attack mentioned exposes the plaintext, but not the keys. In general, a secure block cipher itself should not be vulnerable to exposing the keys even if some correspondence between the plaintext and ciphertext is known, which is usually what happens with IV misuse. I'm not personally aware of any common AEAD modes which require an unpredictable IV, but in general IV misuse with AEAD modes can compromise both confidentiality (expose the plaintext) and integrity (permit tampering).

The easiest way to avoid reusing an IV in this way is to take the random value you would normally use for the key and run it through a key derivation function (KDF), like HKDF, to derive both a secret key and an IV. If you're already using a password-based KDF to generate the key, you can also generally generate the IV using the same KDF. Since this is so easy to do, there's little reason to reuse an IV in a practical environment.

bk2204