easy to see that b = b. In fact, if $b = 0$, that is $c_b = c_0 = \mathrm{Enc}_k(m_0)$, i.e.

$$c_b = (IV, c_1, \ldots, c) = (IV, F_k(m_{01} \oplus IV), F_k(c_1 \oplus m_{02}), \ldots, F_k(c_{-1} \oplus m_0))$$

Recall that

$$\tilde{c} = (IV + 1, \tilde{c}_1, \ldots, \tilde{c}) = (IV + 1, F_k((m_{01} \oplus 1) \oplus (IV + 1)), \ldots, F_k(\tilde{c}_{-1} \oplus m_0))$$

then $\tilde{c}_1 = c_1$ since $F_k(m_{01} \oplus IV) = F_k((m_{01} \oplus 1) \oplus (IV + 1))$. This, clearly, implies $\tilde{c}_i = c_i$ for all $2 \le i \le$ . Hence, when $b = 0$ the adversary always sets b = 0 as wanted.

On the other hand, if $b = 1$,

$$c_b = c_1 = (IV, c_1, \ldots, c) = (IV, F_k(m_{11} \oplus IV), F_k(c_1 \oplus m_{12}), \ldots, F_k(c_{-1} \oplus m_1))$$

which, since $m_0 \neq m_1$, cannot be equal to $c_0$ (otherwise decryption is not possible). Since $(\tilde{c}_1, \ldots, \tilde{c}) = (F_k(m_{01} \oplus IV), \ldots, F_k(c_{-1} \oplus m_0))$, we must have $(\tilde{c}_1, \ldots, \tilde{c}) \neq (c_1, \ldots, c)$ when $b = 1$. Hence, when $b = 1$ the adversary always sets b = 1 as wanted.

Therefore, we can conclude that the adversary will guess b with probability 1; the scheme is not CPA secure.
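The distinguisher above can be run as a simulation; this is an added example, not part of the original solution, and it goes one step further by running the same adversary against a random-IV oracle for comparison. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for F_k, the adversary first spends one or two oracle queries so that the challenge IV is even (which is what makes IV + 1 equal IV ⊕ 1), and all names (`CBCOracle`, `adversary`, `play`, `win_rate`) are hypothetical.

```python
import hmac, hashlib, secrets

BLOCK = 16  # block length in bytes (assumption)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class CBCOracle:
    """CBC encryption oracle; IV is a counter (the flawed scheme) or random."""
    def __init__(self, random_iv=False):
        self.key = secrets.token_bytes(32)
        self.random_iv = random_iv
        self.ctr = secrets.randbits(8 * BLOCK - 8)  # leaves room to increment

    def F(self, block):
        # Stand-in for F_k: HMAC-SHA256 truncated to one block (assumption).
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def enc(self, msg):
        if self.random_iv:
            iv = secrets.token_bytes(BLOCK)
        else:
            self.ctr += 1
            iv = self.ctr.to_bytes(BLOCK, "big")
        prev, blocks = iv, []
        for i in range(0, len(msg), BLOCK):
            prev = self.F(xor(msg[i:i + BLOCK], prev))
            blocks.append(prev)
        return iv, blocks

def adversary(oracle, challenge):
    """Return the guess for b, given the oracle and a challenge(m0, m1) callback."""
    m0, m1 = bytes(2 * BLOCK), b"\xff" * (2 * BLOCK)
    # Assumed setup step: make the challenge IV even, so IV + 1 == IV xor 1.
    iv, _ = oracle.enc(bytes(BLOCK))
    if iv[-1] & 1 == 0:
        oracle.enc(bytes(BLOCK))  # next IV would be odd; use it up
    _, c = challenge(m0, m1)
    # Query m0 with the low bit of its first block flipped: (m01 xor 1, m02).
    flipped = xor(m0[:BLOCK], bytes(BLOCK - 1) + b"\x01") + m0[BLOCK:]
    _, c_tilde = oracle.enc(flipped)
    return 0 if c_tilde == c else 1

def play(b, random_iv=False):
    """One run of the CPA experiment with challenge bit b."""
    oracle = CBCOracle(random_iv)
    return adversary(oracle, lambda m0, m1: oracle.enc((m0, m1)[b]))

def win_rate(trials=200, random_iv=False):
    return sum(play(b, random_iv) == b for b in [0, 1] * (trials // 2)) / trials
```

With the counter IV the guess is always right; with a fresh random IV per message the comparison never matches, so the same adversary outputs 1 regardless of b and is right only half the time.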
Fall 2010 Comp 547: Cryptography and Data Security

2 Exercise 3.21
Let Π1 = (Gen1 , Enc1 , Dec1 ) and Π2 = (Gen2 , Enc2 , Dec2 ) be two encrypt...
This document was uploaded on 02/24/2014.
 Spring '12
