I have one question about convergent encryption.
Suppose I use AES-256 in CBC mode. I need a 256 bits key and a 128 bits IV. If I use SHA-256 to hash one file, then I can use directly that hash as the key.
When decryption occurs, is integrity and authenticity given by checking the hash of the decrypted plaintext, OR is there a need to add additionnals integrity and authenticity checks like CBC-MAC ?
If you use the hash as a known key, then you do not need any additional authentication to ensure plaintext integrity. An attacker cannot find another plaintext with that hash value unless the hash is broken.
However, there are two problems with that:
Like MAC-then-encrypt the hash only ensures authenticity of the plaintext, not of the ciphertext. This leaves it possible for an attacker to use chosen ciphertext attacks and CBC implementations may be vulnerable to the padding oracle attack.
Typically in convergent encryption you have a longer term secret key that is used to encrypt many plaintexts, and the hash that is used as key for one plaintext gets encrypted for the long term key.
Unless the hash/key is encrypted with authenticated encryption, a chosen plaintext attack could allow an attacker to halve the hash space to 128 bits, for which collisions could be found. I.e. you probably want to ensure the authenticity of the encrypted hash, if you use this setup.
Thus, I would recommend using authenticated encryption the whole way through. If you are concerned about space usage, you can shave off some by getting rid of the IV. One-time keys can be used with zero IV.
