On 2021-05-25 19:48:54 -0400, Stephen Frost wrote: > That's how CTR works, yes. The issue that you run into is that once > you've got two pages which have different data but were encrypted with > the same key and nonce then you can use crib-dragging. > > A good example of how this works is here: > > http://travisdazell.blogspot.com/2012/11/many-time-pad-attack-crib-drag.html > > Once you've got the two different pages which had the same key+nonce > used, you can XOR them together and then start cribbing, scanning the > page for legitimate data which doesn't have to be in the part of the > data that was different between the two original pages.
IOW, purely hint bit changes are the *dream* case for an attacker, because any difference can just be ignored. All an attacker has to do is to look at the writes, see if an IV repeats for a block, and the attacker will get the *entire* page's worth of data. Either minus hint bits (which are irrelevant), or with a trivial bit of inferrence even that (because hint bits can only change in one direction). Greetings, Andres Freund
