Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

Show that CBC encryption where the IV is random but known in advance is not indi

ID: 3595307 • Letter: S

Question

Show that CBC encryption where the IV is random but known in advance is not indistinguishable, under chosen plaintext attack. Directions: assume attacker sees the ciphertext blocks c1 , c2 resulting from CBC encryption of plaintext messages m1, m2. Furthermore, attacker is now given a random value I, to be used in CBC encryption of a message X that the attacker can choose. The attacker is given the result of that encryption; e.g., if X is exactly one block long, then attacker is given the output of E(X LI). Show that this allows attacker to find if m2 is a block of all zeros or block of all 1 bits. Conclude that such CBC encryption is not CPA-IND.

Explanation / Answer

Solution :-

--> In CBC encryption mode the IV used is random. Sovtgst it is not distinguishable in polynomial time. If an attacker sees the ciphertext priduced by plaintext message. Furthermore atracker given a random value I thay will be used in encryption of message X. But attacker has no idea that which ciphertext block is genetated from tgat random value.

Suppose there are two oracles which are taking two inputs, a plaintext P and initialization vector IV. The first oracle Enc(P, IV) performs CBC encryption and outputs a ciphertext with the same length of plaintext P. The second oracle Rand(P, IV) returns a random string of bit with the same length of plaintext P.

By the security concern of CBC it is not distinguishable in polynomial time with respect to the length n of the encryption key k, that a given output is produced from Enc(P, IV) or Rand(P, IV). So this Encryption is CPA-IND encryption.

Now, suppose an adversary A has access to an oracle fulfilled either by Enc or Rand. But A is unaware of which output is genetated by Enc or which by Rand. Thus, it is observed that the scheme is most probably secure in polynomial time.

--> Now if an attacker has the ciphertext C1 and C2, encrypted from the messages M1 and M2. Furthermore attacker is given random value I which is to be used in the encryption of the plaintext X. Attacker can choose the X appropriately. If the result of the encryption of X by random value I is matched with the ciphertext seen by attacker. If ciphertext of original medsage and ciphertext of message X are same than attacker can read the original message.

So this type of CBC encryption is not CPA-IND encryption.

Related Questions

Show me all details of your calculations (like I do in class). Skipping steps wi
Question #1998306
Show me how to calculate the following pass wand with for different length L=10,
Question #2083324
Show me how to work these problems Final Exam Review BUAL 3310 (Compatbility Mod
Question #3322236
Show me how to write the script in r. What we need to do is to create a for loop
Question #3576320
Show me step by step please A positively charged particle is tied by a massless
Question #2143707
Show me the OUTPUT! Please solve everything! 1 Assignment 1 Our first assignment
Question #3707909
Show me the answer choice that works, thank you 8. Primary cultures types. Given
Question #3508695
Show me the cash flow statements from operating, investing, and financing activi
Question #2575223
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
Show that B = {(1, 1, 1), (1, 1, 0), (0, 1, 1)} is a basis for R3. Find the coor
Next
Show that L is a linear transformation Let P 2 --> P 2 be linear transformation

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.