My use case guarantees that all plaintext values are unique. In this case, is it safe to use a fixed IV with AES-GCM to carry our encryption/decryption?

savx2
  • @Mikero, indeed, I read that answer already, I just wasn't sure if the messages being unique make a difference. – savx2 Sep 06 '19 at 04:11

1 Answer

No, when an IV is repeated as in $C_1 = \textsf{GCM}(K,IV,M_1)$ and $C_2 = \textsf{GCM}(K,IV,M_2)$, the resulting ciphertexts leak $M_1 \oplus M_2$ to an eavesdropper. This is because GCM is based on CTR mode which has this property.

Authenticity also completely breaks in this scenario, although it's not a one-liner explanation. An attacker who sees $M_1, M_2, C_1, C_2$ can forge arbitrary ciphertexts.

Mikero
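The CTR-mode property the answer describes, as an added example that is not part of the original post or either poster's code: two distinct plaintexts are sealed with Go's standard-library AES-GCM under one key, once with the same nonce for both and once with distinct nonces, and the XOR of the ciphertext bodies is compared against $M_1 \oplus M_2$. The key, nonces and messages are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xorBytes returns a XOR b; both inputs must have the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CiphertextXor seals m1 under nonce1 and m2 under nonce2 with AES-GCM and
// returns the XOR of the two ciphertext bodies (the 16-byte tags are excluded).
// With nonce1 == nonce2 the result equals m1 XOR m2: GCM's body is CTR mode,
// so both messages were masked with the same keystream and it cancels out.
func CiphertextXor(key, nonce1, nonce2, m1, m2 []byte) ([]byte, error) {
	if len(m1) != len(m2) {
		return nil, fmt.Errorf("plaintexts must have equal length")
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil { return nil, err }
	c1 := gcm.Seal(nil, nonce1, m1, nil)
	c2 := gcm.Seal(nil, nonce2, m2, nil)
	return xorBytes(c1[:len(m1)], c2[:len(m2)]), nil
}

func main() {
	// Constructed sample key, nonces and two distinct plaintexts (not from the page).
	key := []byte("0123456789abcdef")
	fixed := make([]byte, 12) // the "fixed IV" from the question
	m1 := []byte("transfer 100 EUR to account A")
	m2 := []byte("transfer 999 EUR to account B")
	leak, _ := CiphertextXor(key, fixed, fixed, m1, m2)
	fmt.Println("fixed IV:     C1^C2 == M1^M2 ->", bytes.Equal(leak, xorBytes(m1, m2)))
	fresh := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1} // distinct (counter) nonce
	safe, _ := CiphertextXor(key, fixed, fresh, m1, m2)
	fmt.Println("distinct IVs: C1^C2 == M1^M2 ->", bytes.Equal(safe, xorBytes(m1, m2)))
}
```

Unique plaintexts do not help: the equality holds for any pair of messages sealed under the same key and nonce, which is why the nonce, not the message, must never repeat.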