In which cases AES doesn't need IV?
Clash Royale CLAN TAG#URR8PPP
$begingroup$
I was trying to decrypt a text encrypted with AES and ECB mode.
I did try several key and IV. I solved it by ignoring IV. (The IV was given, but it was maybe a distractor)
My question is in which cases IV is needed and in which is not?
aes ecb
$endgroup$
add a comment |
$begingroup$
I was trying to decrypt a text encrypted with AES and ECB mode.
I did try several key and IV. I solved it by ignoring IV. (The IV was given, but it was maybe a distractor)
My question is in which cases IV is needed and in which is not?
aes ecb
$endgroup$
add a comment |
$begingroup$
I was trying to decrypt a text encrypted with AES and ECB mode.
I did try several key and IV. I solved it by ignoring IV. (The IV was given, but it was maybe a distractor)
My question is in which cases IV is needed and in which is not?
aes ecb
$endgroup$
I was trying to decrypt a text encrypted with AES and ECB mode.
I did try several key and IV. I solved it by ignoring IV. (The IV was given, but it was maybe a distractor)
My question is in which cases IV is needed and in which is not?
aes ecb
aes ecb
edited Jan 30 at 6:14
forest
4,0781540
4,0781540
asked Jan 28 at 18:56
Philippe DelteilPhilippe Delteil
1085
1085
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
A quick list from Wikipedia;
- ECB : doesn't use IV and don't use ECB which is insecure, see the penguin from Wikipedia.
- CBC : uses IV
- PCB : uses IV
- CFB : uses IV
- CTR : uses IV
- OFB : uses IV
- GCM : uses IV
- CCM : uses IV
- ....
In short, all secure modes need an IV. To achieve semantical security the Probabilistic encryption is required.
$endgroup$
2
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
1
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
1
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
|
show 3 more comments
$begingroup$
There is a mode of AES that can survive without an IV under certain assumptions.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
In particular, the XEX form of AES is designed to function in the absence of a working IV and in particular survives IV reuse. There's one downside in that if you do something like write enough data to the same block and an attacker can see all of the states the security collapses, but it's good it what it's designed for.
Looking for encryption algorithm not subject to known-plaintext attack with IV reuse
$endgroup$
2
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
1
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66856%2fin-which-cases-aes-doesnt-need-iv%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
A quick list from Wikipedia;
- ECB : doesn't use IV and don't use ECB which is insecure, see the penguin from Wikipedia.
- CBC : uses IV
- PCB : uses IV
- CFB : uses IV
- CTR : uses IV
- OFB : uses IV
- GCM : uses IV
- CCM : uses IV
- ....
In short, all secure modes need an IV. To achieve semantical security the Probabilistic encryption is required.
$endgroup$
2
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
1
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
1
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
|
show 3 more comments
$begingroup$
A quick list from Wikipedia;
- ECB : doesn't use IV and don't use ECB which is insecure, see the penguin from Wikipedia.
- CBC : uses IV
- PCB : uses IV
- CFB : uses IV
- CTR : uses IV
- OFB : uses IV
- GCM : uses IV
- CCM : uses IV
- ....
In short, all secure modes need an IV. To achieve semantical security the Probabilistic encryption is required.
$endgroup$
2
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
1
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
1
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
|
show 3 more comments
$begingroup$
A quick list from Wikipedia;
- ECB : doesn't use IV and don't use ECB which is insecure, see the penguin from Wikipedia.
- CBC : uses IV
- PCB : uses IV
- CFB : uses IV
- CTR : uses IV
- OFB : uses IV
- GCM : uses IV
- CCM : uses IV
- ....
In short, all secure modes need an IV. To achieve semantical security the Probabilistic encryption is required.
$endgroup$
A quick list from Wikipedia;
- ECB : doesn't use IV and don't use ECB which is insecure, see the penguin from Wikipedia.
- CBC : uses IV
- PCB : uses IV
- CFB : uses IV
- CTR : uses IV
- OFB : uses IV
- GCM : uses IV
- CCM : uses IV
- ....
In short, all secure modes need an IV. To achieve semantical security the Probabilistic encryption is required.
edited Jan 28 at 20:55
answered Jan 28 at 19:10
kelalakakelalaka
7,77522248
7,77522248
2
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
1
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
1
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
|
show 3 more comments
2
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
1
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
1
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
2
2
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer).
$endgroup$
– Agent_L
Jan 28 at 22:54
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9
$endgroup$
– Joshua
Jan 28 at 22:55
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
$begingroup$
"ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail.
$endgroup$
– kelalaka
Jan 29 at 9:31
1
1
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
$begingroup$
You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective...
$endgroup$
– forest
Jan 30 at 6:17
1
1
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
$begingroup$
@Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it.
$endgroup$
– forest
Jan 30 at 6:21
|
show 3 more comments
$begingroup$
There is a mode of AES that can survive without an IV under certain assumptions.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
In particular, the XEX form of AES is designed to function in the absence of a working IV and in particular survives IV reuse. There's one downside in that if you do something like write enough data to the same block and an attacker can see all of the states the security collapses, but it's good it what it's designed for.
Looking for encryption algorithm not subject to known-plaintext attack with IV reuse
$endgroup$
2
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
1
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
add a comment |
$begingroup$
There is a mode of AES that can survive without an IV under certain assumptions.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
In particular, the XEX form of AES is designed to function in the absence of a working IV and in particular survives IV reuse. There's one downside in that if you do something like write enough data to the same block and an attacker can see all of the states the security collapses, but it's good it what it's designed for.
Looking for encryption algorithm not subject to known-plaintext attack with IV reuse
$endgroup$
2
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
1
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
add a comment |
$begingroup$
There is a mode of AES that can survive without an IV under certain assumptions.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
In particular, the XEX form of AES is designed to function in the absence of a working IV and in particular survives IV reuse. There's one downside in that if you do something like write enough data to the same block and an attacker can see all of the states the security collapses, but it's good it what it's designed for.
Looking for encryption algorithm not subject to known-plaintext attack with IV reuse
$endgroup$
There is a mode of AES that can survive without an IV under certain assumptions.
https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
In particular, the XEX form of AES is designed to function in the absence of a working IV and in particular survives IV reuse. There's one downside in that if you do something like write enough data to the same block and an attacker can see all of the states the security collapses, but it's good it what it's designed for.
Looking for encryption algorithm not subject to known-plaintext attack with IV reuse
answered Jan 28 at 23:01
JoshuaJoshua
240211
240211
2
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
1
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
add a comment |
2
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
1
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
2
2
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
XTS uses sector numbers as an IV.
$endgroup$
– kelalaka
Jan 29 at 9:26
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
@kelaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something.
$endgroup$
– Joshua
Jan 29 at 14:28
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
$begingroup$
The IV is $X$ which is generated from $X =E_k(sector_number) times alpha^j$
$endgroup$
– kelalaka
Jan 29 at 14:45
1
1
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
$begingroup$
@Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though.
$endgroup$
– forest
Jan 30 at 6:19
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66856%2fin-which-cases-aes-doesnt-need-iv%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown