Join Log in
Score:0
Aleix Martí avatar Crypto

Is it possible to perform CPA attack against CBC changing IV by last ciphertext block?

fr flag
Aleix Martí

I was trying to do a simple CPA attack against this scheme, to understand better the concept.

Instead of using a new each time, we decide to use the last block of the previous ciphertext as an initialization vector. Prove this new scheme is vulnerable to a chosen-plaintext attack.

So in this case,

  • the challenger chooses a "game" and a key.
  • After that, we send $(0\ldots 0,1\ldots 1)$
  • and we receive $(IV, c)$.
  • Now we send $(0\ldots 0, 0\ldots 0)$
  • and we receive $(IV'=c , c')$.
  • So if $c$ is equal to $IV'$ then the challenger is playing the left game, right otherwise.

Am I right? Am I confusing the concepts? When we talk about a block, is all the cipher or only the last bit?

50
0 + 0
cbc
kelalaka avatar
in flag
kelalaka
This game is problematic since the first IV generation is not clear. Anyway, assuming that is random for the first time, you need to send $(1\ldots 1)$ as the first data on the second try. Write CBC equations and see better? ( note that you seem to send two blocks)
0
Reply
Aleix Martí avatar
fr flag
Aleix Martí
I don't really see a connection to guess the game. The first time I send the message, I will recive (IV, F(k,mi xor ci-1)), second time ( F(k,mi xor ci-1), F(k,mi' xor ci-1')). I guess I'm missing something required to solve the attack.
0
Reply
Aleix Martí avatar
fr flag
Aleix Martí
maybe I just get it, if I do the cipher of the second try XOR with the IV of the first try, I will get the message of the second try?
0
Reply
kelalaka avatar
in flag
kelalaka
Send $((c \oplus IV), (1\ldots 1)$ on the second time?
0
Reply
kelalaka avatar
in flag
kelalaka
If this is not homework can you write an answer to your question?
0
Reply
Aleix Martí avatar
fr flag
Aleix Martí
Let's assume that I'm playing "left game", so in this case if in the first try I do (0..0,0..0) and in the second try (c⊕IV),(1…1), then if both cipher are equals, then left game, otherwise right?
0
Reply
Aleix Martí avatar
fr flag
Aleix Martí
Yes, no problem, after solve it, I upload the answer
0
Reply
fgrieu avatar
ng flag
fgrieu
Note: here CPA stands for Choosen Plaintext Attacks (not Correlation Power Analysis). Hint: in standard CBC, can the plaintext be chosen with knowledge of the IV? What about that modified CBC?
0
Reply
Score:0
Aleix Martí avatar Crypto
fr flag
Aleix Martí

The attack goes as follows, first the adversary asks for the encryption $(0…0,0…0)$. Then he gets $c_1=(c_{11},c_{12})=(IV,F_{K}(m_{\gamma_1}\oplus IV))=(IV,c=F_{K}(IV))$, since $m_{\gamma_1}=0…0$ regardless of the value of $\gamma$.  Then he asks for the encryption of $(m_{L_2}=0…0,m_{R_2}=c_{12}\oplus IV)$, and gets  $c_2=(c_{21},c_{22})=(F_{K}(IV),F_{K}(F_{K}(IV)\oplus m_{\gamma_2}))$. If $\gamma=L$, he gets $(F_{K}(IV),F_{K}(F_{K}(IV))$ and if $\gamma=R$ he gets $(F_{K}(IV),F_{K}(F_{K}(IV)\oplus c_{12}\oplus IV)=(F_{K}(IV),F_{K}(IV))$ since $c_{12}=F_{K}(IV)$.  In summary if $c_{21}=c_{22}$ he says $\gamma=R$ and he says $\gamma=L$ otherwise.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.