Solution set for Assignment 4
Giulia Alberini
Exercise 3.16
Let us consider the variant of CBC-mode encryption where the sender simply increments the IV by 1 each time a message is encrypted. Consider the encryption consisting of $\ell$ blocks each of length $n$.
Recall that a system is CPA secure if an adversary $A$ is not able to distinguish the encryption of two arbitrary messages even when $A$ is given access to an encryption oracle.
Let $m_0 = (m_{01}, m_{02}, \dots, m_{0\ell})$ and $m_1 = (m_{11}, m_{12}, \dots, m_{1\ell})$, where $|m_{bi}| = n$ for $b \in \{0,1\}$ and $1 \le i \le \ell$, be the two messages of length $n \cdot \ell$ outputted by the adversary, and let $c_b = \mathrm{Enc}_k(m_b) = (IV, c_1, \dots, c_\ell)$, for $b \in_R \{0,1\}$, be the challenge ciphertext. At this point the adversary still has oracle access to $\mathrm{Enc}_k(\cdot)$ before deciding which of the previous two messages has been encrypted, that is, to find out the value of $b$. It will be enough for the adversary to query the oracle with the message $m'_0 = (m_{01} \oplus 1, m_{02}, \dots, m_{0\ell})$. Then the adversary will receive a ciphertext $\tilde{c} = (IV + 1, \tilde{c}_1, \dots, \tilde{c}_\ell)$. Now:
• If $(\tilde{c}_1, \dots, \tilde{c}_\ell) = (c_1, \dots, c_\ell)$, then set $b' = 0$;
• Otherwise, set $b' = 1$.
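It is easy to see that $b' = b$. In fact, if $b = 0$, that is $c_b = c_0 = \mathrm{Enc}_k(m_0)$, i.e.
$$c_b = (IV, c_1, \dots, c_\ell) = (IV, F_k(m_{01} \oplus IV), F_k(c_1 \oplus m_{02}), \dots, F_k(c_{\ell-1} \oplus m_{0\ell}))$$
Recall that
$$\tilde{c} = (IV + 1, \tilde{c}_1, \dots, \tilde{c}_\ell) = (IV + 1, F_k((m_{01} \oplus 1) \oplus (IV + 1)), \dots, F_k(\tilde{c}_{\ell-1} \oplus m_{0\ell}))$$
then $\tilde{c}_1 = c_1$ since $F_k(m_{01} \oplus IV) = F_k((m_{01} \oplus 1) \oplus (IV + 1))$. This, clearly, implies $\tilde{c}_i = c_i$ for all $2 \le i \le \ell$. Hence, when $b = 0$ the adversary always sets $b' = 0$ as wanted.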
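On the other hand, if $b = 1$,
$$c_b = c_1 = (IV, c_1, \dots, c_\ell) = (IV, F_k(m_{11} \oplus IV), F_k(c_1 \oplus m_{12}), \dots, F_k(c_{\ell-1} \oplus m_{1\ell}))$$
which, since $m_0 \ne m_1$, cannot be equal to $c_0$ (otherwise decryption is not possible). Since $(\tilde{c}_1, \dots, \tilde{c}_\ell) = (F_k(m_{01} \oplus IV), \dots, F_k(\tilde{c}_{\ell-1} \oplus m_{0\ell}))$, we must have $(\tilde{c}_1, \dots, \tilde{c}_\ell) \ne (c_1, \dots, c_\ell)$ when $b = 1$. Hence, when $b = 1$ the adversary always sets $b' = 1$ as wanted.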
Therefore, we can conclude that the adversary will guess $b$ with probability 1; the scheme is not CPA secure.
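The distinguisher above can be checked by playing the CPA game against a counter-IV CBC oracle. This is an added example, not part of the original solution set; `F` (HMAC-SHA256 truncated to one block, standing in for $F_k$), `CounterIVCBC`, `adversary` and `cpa_game` are names and choices assumed here. It goes slightly beyond the text by forming the query as $m_{01} \oplus IV \oplus (IV+1)$, which equals $m_{01} \oplus 1$ when $IV$ is even and also covers an increment that carries.

```python
import hashlib
import hmac
import secrets

N = 16               # block length n, in bytes
MOD = 1 << (8 * N)   # IVs are n-bit integers; the counter wraps modulo 2^n

def F(k, x):
    # Assumption: HMAC-SHA256 truncated to one block stands in for F_k.
    # Only the forward direction is needed to play the CPA game.
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class CounterIVCBC:
    """Encryption oracle: CBC mode whose IV is incremented by 1 per message."""
    def __init__(self):
        self.k = secrets.token_bytes(32)
        self.iv = secrets.randbelow(MOD)

    def enc(self, blocks):
        iv = self.iv.to_bytes(N, "big")
        self.iv = (self.iv + 1) % MOD
        out, prev = [], iv
        for m in blocks:
            prev = F(self.k, xor(prev, m))   # c_i = F_k(c_{i-1} xor m_i), c_0 = IV
            out.append(prev)
        return iv, out

def adversary(oracle, m0, challenge):
    iv, c = challenge
    nxt = ((int.from_bytes(iv, "big") + 1) % MOD).to_bytes(N, "big")
    # Query m_01 xor IV xor (IV+1): this is m_01 xor 1 when IV is even,
    # and still cancels the new IV when the increment carries.
    query = [xor(xor(m0[0], iv), nxt)] + m0[1:]
    _, c_tilde = oracle.enc(query)
    return 0 if c_tilde == c else 1          # the guess b'

def cpa_game(b, ell=3):
    # Constructed sample messages: m0 and m1 differ in every block.
    m0 = [bytes([i]) * N for i in range(ell)]
    m1 = [bytes([0xF0 + i]) * N for i in range(ell)]
    oracle = CounterIVCBC()
    challenge = oracle.enc(m1 if b else m0)
    return adversary(oracle, m0, challenge)

if __name__ == "__main__":
    print([cpa_game(b) for b in (0, 1, 0, 1)])
```

Replacing the counter in `CounterIVCBC.enc` with a fresh uniform IV per message removes the adversary's ability to predict the next IV, which is what the query relies on.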
Fall 2010
Comp 547: Cryptography and Data Security
Exercise 3.21
Let $\Pi_1 = (\mathrm{Gen}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $\Pi_2 = (\mathrm{Gen}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$ be two encryption schemes for which it is known that at least one is CPA-secure. Let $m$ be the original plaintext message that we would like to encrypt using $\Pi_1$ and $\Pi_2$, with the certainty that it will be a CPA-secure encryption. Let $M = \{0,1\}^n$ be the plaintext space. Let us construct the encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ as follows:
• Gen: on input $1^n$, run $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$ and generate a key $k = (k_1, k_2)$ where $k_1$, $k_2$ have been generated by $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$ respectively.
• Enc: on input $k = (k_1, k_2)$ and a message $m \in \{0,1\}^n$, choose $p \leftarrow \{0,1\}^n$ uniformly at random and output the ciphertext $c := \langle \mathrm{Enc}_{1,k_1}(p), \mathrm{Enc}_{2,k_2}(m \oplus p) \rangle$
• Dec: on input the key $k = (k_1, k_2)$ and a ciphertext $c = \langle c_1, c_2 \rangle$ output the plaintext message $m := \mathrm{Dec}_{1,k_1}(c_1) \oplus \mathrm{Dec}_{2,k_2}(c_2)$
Claim. The encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is CPA secure.