Solution set for Assignment 4
Giulia Alberini
Exercise 3.16
Let us consider the variant of CBC-mode encryption where the sender simply increments the IV by 1 each time a message is encrypted. Consider the encryption of a message consisting of $\ell$ blocks, each of length $n$ (we write $\ell$ for the number of blocks).

Recall that a system is CPA secure if an adversary $A$ is not able to distinguish the encryptions of two arbitrary messages even when $A$ is given access to an encryption oracle.

Let $m_0 = (m_{01}, m_{02}, \ldots, m_{0\ell})$ and $m_1 = (m_{11}, m_{12}, \ldots, m_{1\ell})$, where $|m_{bi}| = n$ for $b \in \{0,1\}$ and $1 \le i \le \ell$, be the two messages of length $n \cdot \ell$ output by the adversary, and let $c_b = \mathrm{Enc}_k(m_b) = (IV, c_1, \ldots, c_\ell)$, for $b \in_R \{0,1\}$, be the challenge ciphertext. At this point the adversary still has oracle access to $\mathrm{Enc}_k(\cdot)$ before deciding which of the two messages has been encrypted, that is, before finding out the value of $b$. It is enough for the adversary to query the oracle with the message $m_0' = (m_{01} \oplus 1, m_{02}, \ldots, m_{0\ell})$. The adversary then receives a ciphertext $\tilde c = (IV + 1, \tilde c_1, \ldots, \tilde c_\ell)$. Now:
• If $(\tilde c_1, \ldots, \tilde c_\ell) = (c_1, \ldots, c_\ell)$, then set $b' = 0$;
• Otherwise, set $b' = 1$.

It is easy to see that $b' = b$. In fact, if $b = 0$, that is $c_b = c_0 = \mathrm{Enc}_k(m_0)$, i.e.
$c_b = (IV, c_1, \ldots, c_\ell) = (IV, F_k(m_{01} \oplus IV), F_k(c_1 \oplus m_{02}), \ldots, F_k(c_{\ell-1} \oplus m_{0\ell})).$
Recall that
$\tilde c = (IV + 1, \tilde c_1, \ldots, \tilde c_\ell) = (IV + 1, F_k((m_{01} \oplus 1) \oplus (IV + 1)), \ldots, F_k(\tilde c_{\ell-1} \oplus m_{0\ell})),$
so $\tilde c_1 = c_1$ since $F_k(m_{01} \oplus IV) = F_k((m_{01} \oplus 1) \oplus (IV + 1))$. (This equality uses $IV + 1 = IV \oplus 1$, which holds whenever the least significant bit of $IV$ is $0$; since the adversary sees the IV in every oracle reply and the IV grows by one per query, it can always make one extra query beforehand so that the challenge is encrypted under an even IV.) This clearly implies $\tilde c_i = c_i$ for all $2 \le i \le \ell$. Hence, when $b = 0$ the adversary always sets $b' = 0$, as wanted.

On the other hand, if $b = 1$, then
$c_b = c_1 = (IV, c_1, \ldots, c_\ell) = (IV, F_k(m_{11} \oplus IV), F_k(c_1 \oplus m_{12}), \ldots, F_k(c_{\ell-1} \oplus m_{1\ell})),$
which, since $m_0 \neq m_1$, cannot be equal to $c_0$ (otherwise decryption would not be possible). Since $(\tilde c_1, \ldots, \tilde c_\ell) = (F_k(m_{01} \oplus IV), \ldots, F_k(\tilde c_{\ell-1} \oplus m_{0\ell}))$, we must have $(\tilde c_1, \ldots, \tilde c_\ell) \neq (c_1, \ldots, c_\ell)$ when $b = 1$. Hence, when $b = 1$ the adversary always sets $b' = 1$, as wanted.

Therefore, we can conclude that the adversary guesses $b$ with probability 1; the scheme is not CPA secure.
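The distinguisher above, written out in Python as an added illustration (this is not part of the original solution set). A keyed hash stands in for the block function $F_k$, which is an assumption made so the code runs offline; the parity step on the IV is the condition under which $(m_{01} \oplus 1) \oplus (IV + 1) = m_{01} \oplus IV$.

```python
import hmac
import hashlib

BLOCK = 16  # block length n in bytes (n = 128 bits)

def F(k: bytes, x: bytes) -> bytes:
    # Keyed block function F_k. Real CBC uses a block cipher; HMAC-SHA256
    # truncated to one block is an assumption chosen so this runs offline.
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(k: bytes, iv: int, blocks: list) -> list:
    # CBC: c_1 = F_k(m_1 xor IV), c_i = F_k(m_i xor c_{i-1}).
    prev, out = iv.to_bytes(BLOCK, "big"), []
    for m in blocks:
        prev = F(k, xor(prev, m))
        out.append(prev)
    return out

class CounterIvCbc:
    # The variant from the exercise: the IV is incremented by 1 per message,
    # and the IV is sent in the clear with every ciphertext.
    def __init__(self, k: bytes, iv0: int):
        self.k, self.next_iv = k, iv0

    def encrypt(self, blocks: list):
        iv, self.next_iv = self.next_iv, self.next_iv + 1
        return iv, cbc_encrypt(self.k, iv, blocks)

def cpa_experiment(b: int, m0: list, m1: list, k: bytes, iv0: int) -> int:
    """Runs the CPA game with hidden bit b; returns the adversary's guess b'."""
    oracle = CounterIvCbc(k, iv0)
    # (m_01 xor 1) xor (IV + 1) = m_01 xor IV only if the low bit of IV is 0,
    # so the adversary first steers the IV using the IVs it sees in replies.
    iv, _ = oracle.encrypt([bytes(BLOCK)])
    if iv % 2 == 0:                 # next IV would be odd: burn one more query
        oracle.encrypt([bytes(BLOCK)])
    iv, c = oracle.encrypt(m0 if b == 0 else m1)    # challenge ciphertext
    one = (1).to_bytes(BLOCK, "big")
    m0_prime = [xor(m0[0], one)] + m0[1:]            # m_0' = (m_01 xor 1, m_02, ..)
    iv_t, c_tilde = oracle.encrypt(m0_prime)         # encrypted under IV + 1
    assert iv_t == iv + 1 and iv % 2 == 0
    return 0 if c_tilde == c else 1                  # the rule from the text
```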
Fall 2010
Comp 547: Cryptography and Data Security
Exercise 3.21
Let $\Pi_1 = (\mathrm{Gen}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $\Pi_2 = (\mathrm{Gen}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$ be two encryption schemes for which it is known that at least one is CPA-secure. Let $m$ be the original plaintext message that we would like to encrypt using $\Pi_1$ and $\Pi_2$ with the certainty that the result is a CPA-secure encryption. Let $M = \{0,1\}^n$ be the plaintext space.

Let us construct the encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ as follows:
• Gen: on input $1^n$, run $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$ and output the key $k = (k_1, k_2)$, where $k_1$ and $k_2$ have been generated by $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$ respectively.
• Enc: on input $k = (k_1, k_2)$ and a message $m \in \{0,1\}^n$, choose $p \leftarrow \{0,1\}^n$ uniformly at random and output the ciphertext $c := \langle \mathrm{Enc}_{1,k_1}(p),\ \mathrm{Enc}_{2,k_2}(m \oplus p) \rangle$.
• Dec: on input the key $k = (k_1, k_2)$ and a ciphertext $c = \langle c_1, c_2 \rangle$, output the plaintext message $m := \mathrm{Dec}_{1,k_1}(c_1) \oplus \mathrm{Dec}_{2,k_2}(c_2)$.

Claim. The encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is CPA secure.