Hi Damien,

I just submitted a paper about encrypting the backing store of a
virtual memory system to the USENIX security conference.

You might want to use the encrypted block number as IV. In the paper, I
wrote:

For swap encryption, the initial 128-bit IV is [based on] the 64-bit
block number to which the page is written, concatenated with its
bitwise complement. This ensures that each page is encrypted uniquely.
Caution is indicated because changing the IV in sequential increments
for adjacent pages may result in only small input differences to the
encryption function. The attacks described in ``From Differential
Cryptanalysis to Ciphertext-Only Attacks'' might apply in such a
situation. For that reason, we encrypt the block number and use that
for the IV. Biryukov and Kushilevitz also state, ``Another method of
IV choice is the encryption of the datagram sequence numbers [...],
and sending [the] IV in [the] clear (explicit IV method) [...]. This
method is also very vulnerable to our analysis, [...].'' Nevertheless,
in our case the IV is not explicit, and no IV differences can be
observed directly.

If you are interested in the rest of the system, I can send you a copy
of the draft paper.

Greetings,
Niels.