
Omit IV for AES128-CBC when requiring to always get the same ciphertext encrypting random IDs

Çağlar Arlı


Imagine having images stored in a system with their 256 bit hash (BLAKE2b) as their unique ID. We want to produce a URL for each image, something like:

https://host/images/cleartext-image-ID

In order for one user not to be able to steal the URL for a particular image from another user, we encrypt the image ID using a symmetric key that is unique to each user:

ciphertext-image-ID-for-user = AES128-CBC(cleartext-image-ID, user-specific-key)

The URL then becomes:

https://host/images/ciphertext-image-ID-for-user

Because we need the ciphertext ID for a particular image to always be the same for the same user, we cannot use a random IV (Initialization Vector) for AES as the purpose of a random IV is the opposite: to ensure that the ciphertext will be different when encrypting the same message multiple times with the same key.

However, we believe this is not a problem since what we are encrypting is an ID that is a BLAKE2b hash, which is indistinguishable from random. Therefore, no two IDs have anything in common – e.g., no common prefix or correlation, for that matter.

If we absolutely need an IV, we could use the first 128 bits of the BLAKE2b hash (which is 256 bits) as the IV and then only encrypt the last 128 bits but we cannot see how this should increase the strength of the encryption. On the contrary, an adversary would then only have to decrypt 128 bits instead of 256 bits to get the cleartext ID. Also, the ciphertext will still be the same as we will always be using the same IV for the same image.

Is there something we have overlooked or is it correct that in this use case, we can safely omit the IV?
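The scheme described in the question, as an added example (not code from the question's author): AES-128-CBC over a 32-byte ID under a per-user key, once with a fixed all-zero IV and once with the "first 128 bits as IV" variant. SHA-256 of a constructed label stands in for the BLAKE2b hash, the per-user keys are constructed constants, and the hash-IV variant assumes the token is `iv || ciphertext` since the question does not say how the IV would reach the server. `SharedLeadingBlocks` shows the one thing a fixed IV leaks in CBC, equal plaintext prefixes (in whole blocks) giving equal ciphertext prefixes, which is exactly what the "IDs are indistinguishable from random" assumption has to rule out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const idLen = 32 // 256-bit image ID: exactly two AES blocks, so no padding is needed

// EncryptIDZeroIV is the scheme from the question: AES-128-CBC over the
// 32-byte ID under the user's key with a fixed all-zero IV, so the same
// (user, image) pair always yields the same token.
func EncryptIDZeroIV(userKey, id []byte) ([]byte, error) {
	if len(id) != idLen {
		return nil, errors.New("image ID must be 32 bytes")
	}
	block, err := aes.NewCipher(userKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // all zeros: deliberately fixed
	out := make([]byte, idLen)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, id)
	return out, nil
}

// DecryptIDZeroIV inverts EncryptIDZeroIV on the server side.
func DecryptIDZeroIV(userKey, token []byte) ([]byte, error) {
	if len(token) != idLen {
		return nil, errors.New("token must be 32 bytes")
	}
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, idLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, token)
	return out, nil
}

// EncryptIDHashIV is the question's alternative: the first 128 bits of the
// hash act as IV and only the last 128 bits are encrypted. The IV has to
// travel with the ciphertext, so the token is iv || ct (an assumption here).
func EncryptIDHashIV(userKey, id []byte) ([]byte, error) {
	if len(id) != idLen {
		return nil, errors.New("image ID must be 32 bytes")
	}
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return nil, err
	}
	iv := id[:aes.BlockSize]
	out := make([]byte, idLen)
	copy(out, iv) // IV is sent in the clear as the first half of the token
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], id[aes.BlockSize:])
	return out, nil
}

// DecryptIDHashIV recovers the full 32-byte ID from an iv || ct token.
func DecryptIDHashIV(userKey, token []byte) ([]byte, error) {
	if len(token) != idLen {
		return nil, errors.New("token must be 32 bytes")
	}
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return nil, err
	}
	iv := token[:aes.BlockSize]
	out := make([]byte, idLen)
	copy(out, iv) // the IV *is* the first half of the ID
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out[aes.BlockSize:], token[aes.BlockSize:])
	return out, nil
}

// SharedLeadingBlocks counts how many leading 16-byte blocks two tokens have
// in common. With a fixed IV, CBC leaks exactly this much: IDs that agree on
// their first 128 bits produce identical first ciphertext blocks. For
// independent hash IDs the count is 0 with overwhelming probability.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

// imageID stands in for the BLAKE2b hash of the question: SHA-256 of a
// constructed label gives a deterministic, random-looking 32-byte ID.
func imageID(label string) []byte {
	h := sha256.Sum256([]byte(label))
	return h[:]
}

func main() {
	userA := bytes.Repeat([]byte{0x11}, 16) // constructed per-user keys
	userB := bytes.Repeat([]byte{0x22}, 16)
	idX, idY := imageID("image-x"), imageID("image-y")

	c1, _ := EncryptIDZeroIV(userA, idX)
	c2, _ := EncryptIDZeroIV(userA, idX)
	c3, _ := EncryptIDZeroIV(userB, idX)
	fmt.Println("same user, same image, stable token:", bytes.Equal(c1, c2))
	fmt.Println("other user, same image, different token:", !bytes.Equal(c1, c3))
	fmt.Println("URL token for user A:", hex.EncodeToString(c1))

	cY, _ := EncryptIDZeroIV(userA, idY)
	fmt.Println("independent IDs, shared leading blocks:", SharedLeadingBlocks(c1, cY))

	// What the randomness assumption rules out: a constructed ID that shares
	// its first 128 bits with idX gets an identical first ciphertext block.
	related := append(append([]byte{}, idX[:16]...), idY[16:]...)
	cR, _ := EncryptIDZeroIV(userA, related)
	fmt.Println("prefix-sharing IDs, shared leading blocks:", SharedLeadingBlocks(c1, cR))
}
```

Both variants produce a stable 32-byte token per (user, image), and the hash-IV variant does not hide more than the zero-IV one: the first half of the ID is sent in the clear as the IV, which is the point the question makes about it.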