Hacker News
by sgdread 3290 days ago
5c from me:

1) Why was CTR mode chosen? I would probably go with something like GCM: privacy + integrity check.

2) The IV ideally should be regenerated on every re-encryption. It doesn't have to be secret, but it has to be random (securely random).

1 comment

GCM has exactly the same problem with respect to nonces (GCM, like CTR, has a nonce, not an IV, but the terms are unfortunately used interchangeably).

The secrecy/predictability/uniqueness rules for IVs and nonces depend on the specific cipher mode you're using, so be careful about writing generic recommendations. Also, be very careful with the word "ideally", because if you get an IV or nonce wrong, chances are your problems are much worse than "not ideal".
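The point of the reply, that GCM inherits CTR's nonce problem because its encryption half is CTR, can be shown concretely. The following is an added example, not code from either commenter. To run with only the Python standard library it uses HMAC-SHA256 as a stand-in for the AES block function (an assumption made for the demo; the keystream structure PRF(key, nonce || counter) is the one AES-CTR and AES-GCM actually use) and HMAC as a stand-in for GHASH. The message texts, the `Encryptor` wrapper and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM uses

# Constructed sample messages of equal length so the XOR lines up byte for byte
P1 = b"transfer 0100 USD to account 4242"
P2 = b"transfer 9999 USD to account 1337"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and tag keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: keystream block i is PRF(key, nonce || i).
    HMAC-SHA256 stands in for the AES block cipher (assumption for a
    standard-library-only demo); the structure is the same as AES-CTR and
    the encryption half of AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR encryption; decryption is the identical operation."""
    return xor(plaintext, keystream(_subkey(key, b"enc"), nonce, len(plaintext)))


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """GCM-shaped AEAD: CTR ciphertext plus a 16-byte tag over nonce || ciphertext.
    HMAC stands in for GHASH. The tag adds integrity, not confidentiality."""
    ct = ctr_encrypt(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return ct + tag


def aead_decrypt(key: bytes, nonce: bytes, ct_and_tag: bytes) -> bytes:
    ct, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return ctr_encrypt(key, nonce, ct)


def crib_drag(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Attacker step under nonce reuse: c1 XOR c2 == p1 XOR p2, so one known
    plaintext reveals the other. No key involved."""
    return xor(xor(ct_known, pt_known), ct_target)


def reused_nonce_leak(key: bytes) -> bytes:
    """The bug: one fixed nonce for every encryption. Both tags verify and both
    messages decrypt correctly, yet an observer who knows P1 recovers P2."""
    nonce = bytes(NONCE_LEN)
    c1 = aead_encrypt(key, nonce, P1)[:-16]
    c2 = aead_encrypt(key, nonce, P2)[:-16]
    return crib_drag(c1, P1, c2)


def fresh_nonce_leak(key: bytes) -> bytes:
    """The fix: a fresh random nonce per encryption. The same attacker step now
    yields noise (equal to P2 only with probability 2^-264 for 33-byte messages)."""
    c1 = ctr_encrypt(key, os.urandom(NONCE_LEN), P1)
    c2 = ctr_encrypt(key, os.urandom(NONCE_LEN), P2)
    return crib_drag(c1, P1, c2)


class Encryptor:
    """Holds the key and never lets the caller choose the nonce: each call draws
    a fresh one from os.urandom and prepends it to the output."""

    def __init__(self, key: bytes):
        self._key = key

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        return nonce + aead_encrypt(self._key, nonce, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        return aead_decrypt(self._key, blob[:NONCE_LEN], blob[NONCE_LEN:])


if __name__ == "__main__":
    key = os.urandom(32)
    print("reused nonce, recovered:", reused_nonce_leak(key))
    print("fresh nonces, recovered:", fresh_nonce_leak(key))
```

`reused_nonce_leak` returns `P2` exactly, even though every tag verified, which is the reply's point: the authentication in GCM does nothing for confidentiality once a nonce repeats. `fresh_nonce_leak` returns garbage. One caveat that follows from using random 96-bit nonces as `Encryptor` does: the birthday bound applies, and NIST SP 800-38D caps a GCM key at 2^32 messages for that reason, so very high-volume keys need a counter-based nonce scheme or periodic rekeying.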