current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Cryptography Stack Exchange is a question and answer site for software developers, mathematicians and others interested in cryptography. It's 100% free, no registration required.

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 3 down vote favorite

I'm working on a file encryption system where multiple versions of the same file might exist. The filenames are encrypted using AES in CBC mode with a random IV and stored in metadata. Since versions of the same file share the same filename, this information may be used by an adversary. Is there any additional information to be derived from multiple ciphertexts which are known to share the same plaintext, just with a different IV?

share|improve this question
1  
I'm assuming they are all encrypted with the same key? So you have the same plaintext, encrypted with the same key, but a random IV each time. The attacker knows that the ciphertexts all encrypt the same plaintext (but doesn't know what that plaintext is), using the same key, but a random IV and you are wondering if that gives the attacker any advantage in figuring out the plaintext or possibly the key. Is that your question? – mikeazo 8 hours ago
    
Somewhat related: crypto.stackexchange.com/questions/31365 – Biv 8 hours ago
    
Yes, the key and plaintext is the same. The attacker knows this and the IVs used but doesn't know the plaintext. Is there anything to learn about the plaintext when multiple ciphertexts are available instead of only one? – sebi707 8 hours ago
up vote 5 down vote accepted

the key and plaintext is the same. The attacker knows this and the IVs used but doesn't know the plaintext. Is there anything to learn about the plaintext when multiple ciphertexts are available instead of only one?

No. Giving the attacker multiple encryptions of a single plaintext using a randomly chosen IV and a fixed key with AES-CBC does not leak any more information about the plaintext than does a single ciphertext.

In fact if the attacker didn't know whether or not they were the same plaintext (but had the same length), the attacker couldn't tell you whether or not they encrypted the same plaintext.

share|improve this answer
    
Thanks, that's what I wanted to know. – sebi707 8 hours ago
up vote 2 down vote

If you use a random IV each time you encrypt a file, the result will be different. $$\text{AES-CBC}(IV_1, Key, M) = C_1$$ $$\text{AES-CBC}(IV_2, Key, M) = C_2$$ you do not gain any pieces of informations by having $C_1$ and $C_2$. Even knowing that they share the same key and should they share the same length, an attacker can not even know whether or not they are the same file (identically byte to byte). This is the goal of the $IV$. Therefore he would not be able to find or exploit differences between plaintext with similarities.

Hence you are perfectly fine with your scheme. The only informations that could be leaked is the date of creation and the size of the content. But it is hard to fight against that.

share|improve this answer
    
"an attacker can not even know whether or not they are the same file" but an attacker can distinguish between two different lengths of plaintexts. So, in a simple case, there are 2 files, one with a long name, one with a short name. The attacker will be able to distinguish between encryptions of the long file name and encryptions of the short file name. – mikeazo 8 hours ago
    
Right I should be more precise and add the file length into account. thx. – Biv 8 hours ago

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.