In which cases does AES not need an IV?


I was trying to decrypt a text encrypted with AES in ECB mode.

I tried several keys and IVs. I solved it by ignoring the IV. (The IV was given, but maybe it was a distractor.)

My question is: in which cases is an IV needed, and in which is it not?


Tags: aes, ecb

edited Jan 30 at 6:14 by forest

asked Jan 28 at 18:56 by Philippe Delteil

2 Answers

A quick list from Wikipedia:

• ECB: doesn't use an IV. And don't use ECB, which is insecure; see the penguin from Wikipedia.
• CBC: uses IV
• PCB: uses IV
• CFB: uses IV
• CTR: uses IV
• OFB: uses IV
• GCM: uses IV
• CCM: uses IV
• ....

In short, all secure modes need an IV. To achieve semantic security, probabilistic encryption is required.


edited Jan 28 at 20:55

answered Jan 28 at 19:10 by kelalaka

• ECB is perfectly secure, arguably the most secure of all AES modes. As long as you don't go over 1 block, or all your data is patternless (eg random keys of another system or layer). – Agent_L, Jan 28 at 22:54

• Deliberate use of all-zeros IV: tools.ietf.org/html/rfc4880#section-13.9 – Joshua, Jan 28 at 22:55

• "ECB is perfectly secure arguably the most secure of all AES modes" is not correct. You could say ECB is secure if.... Moreover, ECB is not an authenticated mode where it will fail. – kelalaka, Jan 29 at 9:31

• You can safely use a null (all zero) IV for certain modes, like CTR, assuming you don't generate more than one keystream with the same key. Whether or not this counts as "using an IV" may be subjective... – forest, Jan 30 at 6:17

• @Agent_L It's also secure if it's used on top of another cipher which effectively guarantees that the plaintext will always be unique. For example, Salsa20/8 plus AES-ECB would be fine. Dunno why anyone'd do it. – forest, Jan 30 at 6:21
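An added example (not part of the original answers or comments) that makes the mode list and the CTR remark above concrete with Go's standard crypto/aes and crypto/cipher packages: ECB takes no IV and repeats ciphertext blocks, CBC output depends on the IV, and CTR under one key with a reused all-zero IV exposes the XOR of the two plaintexts. The key, IVs, messages and helper names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values. Real CBC/CTR IVs must be fresh for every message;
// they are fixed here only to make the results reproducible.
var (
	demoKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
	zeroIV  = make([]byte, aes.BlockSize)
	otherIV = []byte("fedcba9876543210")
	demoPT  = bytes.Repeat([]byte("YELLOW SUBMARINE"), 3) // three equal blocks
)

func newAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// ecbCrypt applies the raw block cipher to each 16-byte block on its own.
// The mode has no IV input, so an IV supplied alongside the data is unused.
func ecbCrypt(key, in []byte, decrypt bool) []byte {
	if len(in)%aes.BlockSize != 0 {
		panic("ECB input must be a multiple of the block size")
	}
	blk, out := newAES(key), make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			blk.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			blk.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// cbcEncrypt XORs the IV into the first block and chains the rest, so the
// IV changes every ciphertext block. pt must be a multiple of 16 bytes.
func cbcEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(newAES(key), iv).CryptBlocks(ct, pt)
	return ct
}

// ctrCrypt XORs the input with the keystream E_k(iv), E_k(iv+1), ...
func ctrCrypt(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(newAES(key), iv).XORKeyStream(out, in)
	return out
}

// repeatedBlocks counts ciphertext blocks that already appeared earlier.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

// xorBytes returns a XOR b for equal-length inputs.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func summary() string {
	m1, m2 := []byte("balance: 0001000"), []byte("balance: 9999999")
	// One key and the same all-zero CTR IV twice means one shared keystream:
	// the XOR of the two ciphertexts equals the XOR of the two plaintexts.
	leak := xorBytes(ctrCrypt(demoKey, zeroIV, m1), ctrCrypt(demoKey, zeroIV, m2))
	return fmt.Sprintf("ECB repeats=%d CBC repeats=%d CTR reuse leaks m1^m2=%v",
		repeatedBlocks(ecbCrypt(demoKey, demoPT, false)),
		repeatedBlocks(cbcEncrypt(demoKey, zeroIV, demoPT)),
		bytes.Equal(leak, xorBytes(m1, m2)))
}

func main() { fmt.Println(summary()) }
```

Counting repeated 16-byte blocks, as `repeatedBlocks` does, is also a quick check for spotting ECB in ciphertext you are asked to review.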














There is a mode of AES that can survive without an IV under certain assumptions.

https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS

In particular, the XEX form of AES is designed to function in the absence of a working IV and in particular survives IV reuse. There's one downside in that if you do something like write enough data to the same block and an attacker can see all of the states, the security collapses, but it's good at what it's designed for.

Looking for encryption algorithm not subject to known-plaintext attack with IV reuse


answered Jan 28 at 23:01 by Joshua

• XTS uses sector numbers as an IV. – kelalaka, Jan 29 at 9:26

• @kelalaka: Which doesn't meet the definition of an IV because it is reused. You have to fill that AES register with something. – Joshua, Jan 29 at 14:28

• The IV is $X$ which is generated from $X = E_k(\text{sector\_number}) \times \alpha^j$ – kelalaka, Jan 29 at 14:45

• @Joshua It doesn't matter if it's reused or not, as long as it's not reused with the same key. And the fact that XTS reuses an IV for a single sector is a problem and leaks data if an attacker has snapshots of the same sector over time as it is modified. It's still an IV though. – forest, Jan 30 at 6:19
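An added sketch (not from the thread) of the tweak discussed in these comments, written with Go's standard library: the sector number is encrypted into X and multiplied by α after each block. It assumes two separate keys as XTS uses, handles whole 16-byte blocks only (no ciphertext stealing), and uses constructed keys, data and function names; it shows equal blocks encrypting differently across positions and sectors, while two snapshots of one sector reveal which blocks changed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// demoCiphers builds two AES-128 instances from constructed keys: k1 encrypts
// data, k2 turns the sector number into the tweak.
func demoCiphers() (cipher.Block, cipher.Block) {
	k1, err1 := aes.NewCipher([]byte("constructed-k1!!"))
	k2, err2 := aes.NewCipher([]byte("constructed-k2!!"))
	if err1 != nil || err2 != nil {
		panic("bad demo key")
	}
	return k1, k2
}

// mulAlpha multiplies a 128-bit tweak by alpha in GF(2^128): a one-bit left
// shift over little-endian bytes, folding a carry back in with 0x87.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xexSector encrypts or decrypts the whole 16-byte blocks of one sector as
// C_j = E_k1(P_j xor X_j) xor X_j, with X_j = E_k2(sector) times alpha^j.
func xexSector(k1, k2 cipher.Block, sector uint64, in []byte, decrypt bool) []byte {
	if len(in)%16 != 0 {
		panic("whole blocks only: ciphertext stealing is not implemented")
	}
	var x [16]byte
	binary.LittleEndian.PutUint64(x[:8], sector)
	k2.Encrypt(x[:], x[:])
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += 16 {
		blk := out[off : off+16]
		for i := range blk {
			blk[i] = in[off+i] ^ x[i]
		}
		if decrypt {
			k1.Decrypt(blk, blk)
		} else {
			k1.Encrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= x[i]
		}
		mulAlpha(&x)
	}
	return out
}

// changedBlocks lists the block indexes that differ between two ciphertext
// snapshots of the same sector.
func changedBlocks(a, b []byte) []int {
	var idx []int
	for off := 0; off+16 <= len(a) && off+16 <= len(b); off += 16 {
		if string(a[off:off+16]) != string(b[off:off+16]) {
			idx = append(idx, off/16)
		}
	}
	return idx
}

// demoSector returns a constructed 64-byte sector of four equal blocks.
func demoSector() []byte {
	var s []byte
	for i := 0; i < 4; i++ {
		s = append(s, "same 16B block.."...)
	}
	return s
}

func summary() string {
	k1, k2 := demoCiphers()
	pt := demoSector()
	snap1, other := xexSector(k1, k2, 7, pt, false), xexSector(k1, k2, 8, pt, false)
	pt[16] ^= 1 // one byte of block 1 changes and sector 7 is rewritten
	snap2 := xexSector(k1, k2, 7, pt, false)
	return fmt.Sprintf("blocks 0/1 differ=%v sectors 7/8 differ=%v changed=%v",
		string(snap1[:16]) != string(snap1[16:32]), string(snap1) != string(other),
		changedBlocks(snap1, snap2))
}

func main() { fmt.Println(summary()) }
```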












