Score:0

Is it possible to perform CPA attack against CBC changing IV by last ciphertext block?


I was trying to do a simple CPA attack against this scheme, to understand better the concept.

Instead of using a new $IV$ each time, we decide to use the last block of the previous ciphertext as an initialization vector. Prove this new scheme is vulnerable to a chosen-plaintext attack.

So in this case,

  • the challenger chooses a "game" and a key.
  • After that, we send $(0\ldots 0,1\ldots 1)$
  • and we receive $(IV, c)$.
  • Now we send $(0\ldots 0, 0\ldots 0)$
  • and we receive $(IV'=c , c')$.
  • So if $c$ is equal to $IV'$ then the challenger is playing the left game, right otherwise.

Am I right? Am I confusing the concepts? When we talk about a block, is all the cipher or only the last bit?

kelalaka:
This game is problematic since the first IV generation is not clear. Anyway, assuming that $IV$ is random for the first time, you need to send $(1\ldots 1)$ as the first data on the second try. Write the CBC equations and see better? (Note that you seem to send two blocks.)
Aleix Martí:
I don't really see a connection to guess the game. The first time I send the message, I will receive $(IV, F(k, m_i \oplus c_{i-1}))$, the second time $(F(k, m_i \oplus c_{i-1}), F(k, m_i' \oplus c_{i-1}'))$. I guess I'm missing something required to solve the attack.
Aleix Martí:
Maybe I just got it: if I XOR the ciphertext of the second try with the IV of the first try, I will get the message of the second try?
kelalaka:
Send $((c \oplus IV), (1\ldots 1))$ on the second time?
kelalaka:
If this is not homework, can you write an answer to your question?
Aleix Martí:
Let's assume that I'm playing the "left game". So in this case, if in the first try I do $(0\ldots 0,0\ldots 0)$ and in the second try $((c\oplus IV),(1\ldots 1))$, then if both ciphertexts are equal, it is the left game, otherwise right?
Aleix Martí:
Yes, no problem, after solving it I'll upload the answer.
fgrieu:
Note: here CPA stands for Chosen Plaintext Attack (not Correlation Power Analysis). Hint: in standard CBC, can the plaintext be chosen with knowledge of the IV? What about that modified CBC?
Score:0

The attack goes as follows. First the adversary asks for the encryption of $(0\ldots 0,0\ldots 0)$. Then he gets $c_1=(c_{11},c_{12})=(IV,F_{K}(m_{\gamma_1}\oplus IV))=(IV,c=F_{K}(IV))$, since $m_{\gamma_1}=0\ldots 0$ regardless of the value of $\gamma$. Then he asks for the encryption of $(m_{L_2}=0\ldots 0,m_{R_2}=c_{12}\oplus IV)$, and gets $c_2=(c_{21},c_{22})=(F_{K}(IV),F_{K}(F_{K}(IV)\oplus m_{\gamma_2}))$. If $\gamma=L$, he gets $(F_{K}(IV),F_{K}(F_{K}(IV)))$, and if $\gamma=R$ he gets $(F_{K}(IV),F_{K}(F_{K}(IV)\oplus c_{12}\oplus IV))=(F_{K}(IV),F_{K}(IV))$ since $c_{12}=F_{K}(IV)$. In summary, if $c_{21}=c_{22}$ he says $\gamma=R$, and he says $\gamma=L$ otherwise.
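The two-query test from this answer, run against a simulated left-or-right oracle, as an added example that is not part of the original post. $F_K$ is a constructed toy keyed permutation (a Feistel network over keyed BLAKE2b, not AES), messages are single blocks and the oracle replies with $(IV, c)$ as the answer assumes; a fresh-IV oracle is included for contrast, to show that the same test is a coin flip against standard CBC.

```python
import os
import hashlib

BLOCK = 16  # block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def F(key: bytes, block: bytes) -> bytes:
    """Keyed permutation standing in for the block cipher F_K (constructed toy:
    4 Feistel rounds with keyed BLAKE2b as round function; never decrypted here)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.blake2b(right, key=key, person=bytes([rnd]), digest_size=8).digest()
        left, right = right, xor(left, f)
    return left + right

class ChainedIVOracle:
    """Left-or-right CPA oracle for the scheme in the question: the first IV is
    random, every later IV is the last ciphertext block of the previous query."""
    def __init__(self, gamma: str):
        self.key, self.gamma = os.urandom(32), gamma  # gamma is hidden from the attacker
        self.iv = os.urandom(BLOCK)
    def encrypt(self, m_left: bytes, m_right: bytes):
        m = m_left if self.gamma == 'L' else m_right
        iv = self.iv
        c = F(self.key, xor(m, iv))
        self.iv = c          # the flaw: the next IV is known from this reply
        return iv, c         # reply is (IV, c), one ciphertext block

class FreshIVOracle(ChainedIVOracle):
    """Standard CBC for contrast: a fresh random IV for every query."""
    def encrypt(self, m_left: bytes, m_right: bytes):
        self.iv = os.urandom(BLOCK)
        return super().encrypt(m_left, m_right)

def distinguish(oracle) -> str:
    """The two-query attack from the answer above."""
    zero = bytes(BLOCK)
    iv, c12 = oracle.encrypt(zero, zero)            # c_1 = (IV, F_K(IV)) in both games
    c21, c22 = oracle.encrypt(zero, xor(c12, iv))   # IV' = c12, so m_R xor IV' = IV
    return 'R' if c21 == c22 else 'L'                # right game gives F_K(IV) twice

def success_rate(oracle_cls, trials: int = 200) -> float:
    """Fraction of games won by the distinguisher against a random hidden gamma."""
    wins = 0
    for _ in range(trials):
        gamma = 'L' if os.urandom(1)[0] & 1 else 'R'
        wins += distinguish(oracle_cls(gamma)) == gamma
    return wins / trials

if __name__ == "__main__":
    print("chained IV:", success_rate(ChainedIVOracle))  # 1.0
    print("fresh IV:  ", success_rate(FreshIVOracle))     # about 0.5
```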
